P2P Netwok Traffic Classification

PEER TO PEER NETWORK TRAFFICCLASSIFICATION

LEKSHMI M NAIR( AM.EN.P2CSE13011)

S4 M.TECH CSE

MAJOR PROJECT

GUIDED BY : Dr. G P SAJEEV

July 2, 2015

LEKSHMI M NAIR ( AM.EN.P2CSE13011) S4 M.TECH CSE MAJOR PROJECT (GUIDED BY : Dr. G P SAJEEV)P2P TRAFFIC CLASSIFICATION July 2, 2015 1 / 53

OUTLINE

1 Introduction to P2P networking2 P2P network traffic3 Need for P2P traffic classification4 Existing classification schemes5 System design6 Implementation details7 Results8 References


INTRODUCTION TO ’PEER TO PEER’ (P2P)NETWORKING

P2P NETWORK SYSTEMPeer-to-peer (P2P) is adecentralized communicationsmodel in which each party hasthe same capabilities andeither party can initiate acommunication session unlikein client/server model.

Figure: P2P Network


P2P NETWORK TRAFFIC

P2P traffic constitute the traffic created by various P2Papplications such as BitTorrent, Skype, Napster, Gnutella etc...P2P is generally used to pass large amounts of data, so they canslow down your internet connection.

Figure: P2P Applications


NEED FOR P2P TRAFFIC CLASSIFICATION

Network design andprovisioning / TrafficEngineering.Optimize and control networkutilization to address QoSassignment and trafficshaping.Accounting / Content basedcharging.Security monitoring.Network Forensics.

Figure: Traffic Classification


NEED FOR P2P TRAFFIC CLASSIFICATION


EXISTING CLASSIFICATION SCHEMES

Some of the existing P2P traffic classification techniques are :Port-based classificationSignature-based classificationFlow-based classificationStatistics-based classificationHybrid method

Comparison


A BRIEF COMPARISON OF EXISTINGTECHNIQUES

Name Method Merits De-Merits Remarks

Port-based.

Classificationbased onport number.

Simpleand fast.

Inefficient due torandom port allo-cation.

Accuracy ismuch lower.

Signature-based.

Based onrecognitionof spe-cific packetpayloads.

Reducesfalse-positiveand false-negatives

High computa-tional complexitysince each packetneeds to beanalyzed.

Inefficient onencryptedpayloads.

Flow-based.

Based on be-havioral pat-terns.

Speed. Cannot alwaysclassify trafficto its specifiedapplications

Speedup trafficclassification,but cannotclassify alltraffics.


A BRIEF COMPARISON OF EXISTINGTECHNIQUES ( Contd..)

Name Method Merits De-Merits Remarks

Statistics-based.

By means of sta-tistical featuressuch as packetsize, packet inter-arrival time, andflow duration.

Moreunique-ness.

As no. offeaturesincreases,mappingbecomesdifficult.

Inefficient as no.of features in-creases.

Hybridmethod.

By combiningany of the abovemethods.

Moreaccu-rate.

Only 2-classclassifier isimplementedtill date

Scope forUDP needsto be deter-mined.

Table: Survey on P2P classification techniques.

Back


PROJECT THEME

The performance of existing P2P traffic classification schemes arepoor. Also, there is no classification scheme to classify P2P trafficinto malicious-P2P & non-malicious P2P.

PROBLEM DEFINITIONThe problem of classifying P2P traffic into malicious and non-maliciousis not addressed so far.


DEFINITION TO MALICIOUS ACTIVITIES

1 Poisoning2 Polluting3 Insertion of viruses4 Malware5 Denial of Service6 Spam7 Password Stealing8 Advertising


IDENTIFYING P2P TRAFFIC

P2P traffic has bi-directional nature.Eg.- BitTorrent - seeders and leechers.

Notion of a communication more suited to P2P.Who is talking to whom?

Both header and payload information are considered for trafficclassification.


SYSTEM DESIGN

Figure: Network Traffic Classifier

Continue

Aggregation Module


MODULES

1. Filtering.2. Communication Creation Module.3. Automatic Signature Generation Module.4. Aggregation Module.5. Classification Module.


PACKET FILTERING MODULE


PACKET FILTERING ALGORITHM

Packet Filtering Module


COMMUNICATION CREATION ALGORITHM


COMMUNICATION CREATION MODULE

Figure: Communication Creation Module


Classification Criterion

Features Malicious Non-MaliciousVolume Low HighInter-arrival time Large SmallTraffic Automated/Scripted

commandsUser-bursty traffic

Table: Malicious vs Non-Malicious Features

System Design


AUTO-SIGN MODULE

Figure: Automatic Signature Generation Module

Similarity Score

System Design


LCS (Example)


LASER ALGORITHM

The signature refinement process can be simply expressed as follows:

Candidate_Sign_1 = Sign(Flow_1,Flow_2)Candidate_Sign_2 = Sign(Flow_3,Candidate_Sign_1)...Candidate_Sign_n = Sign(Flow_n + 1,Candidate_Sign_n − 1)

If Candidate_Sign_n = Candidate_Sign_n − 1

For the certain iteration counts then Candidate_Sign_n is the finalsignature.

Auto Sign Module


FLOW SIMILARITY OF UNKNOWN PACKETTRACES

Auto Sign Module


AGGREGATION MODULE

In Communication Aggregation Module, we aggregate the results ofcommunication creation module and auto-sign module.

Figure: Aggregation ModuleLEKSHMI M NAIR ( AM.EN.P2CSE13011) S4 M.TECH CSE MAJOR PROJECT (GUIDED BY : Dr. G P SAJEEV)P2P TRAFFIC CLASSIFICATION July 2, 2015 40 / 53

CLASSIFICATION MODULE

In Classification Module, we train the system using the generateddataset, so that for new incoming traces we can predict whether thetraffic flow is malicious p2p or non-malicious p2p.C4.5 decision tree algorithm is employed in classification module.


SUMMARY (MAJOR PROJECT)

Figure: P2P Network Traffic Classifier

A hybrid technique forp2p trafficclassification.Combination ofsignature based andstatistical method byexploting thecommunicationbehaviour of the p2pnodes.P2P traffic is classifiedinto malicious andnon-malicious p2p.


IMPLEMENTATION DETAILS

Figure: Implementation of P2P Network Traffic Classifier


IMPLEMENTATION DETAILS

Figure: P2P Network Traffic Classifier


RESULTS

The signatures of various protocols are extracted using LASERalgorithm. They are listed in the following table.

Application SignatureAzureus "POST/rpc/config", "HTTP/<version>", "User-

Agent:Azureus<version>", "Host :"GigaTribe "GET", "&p=", "&cmd=OpenSession",

"HTTP/1.1", "User-Agent:GigaTribe","HTTP/1.1", "200 OK"

Zultrax "ZEPP 19 29 port"-offset(0) 0x0d0a0d0a,"ZEPP OK number12,28,29my IPaddress:port"-offset(0) 0x0d0a0d0a

Storm .mpg;sizeBitlord "GET", "HTTP", "User-Agent:BitTorrent",

"www.bitlord.com"DC++ "GET", "HTTP", "User-Agent:DC++"AntsP2P "NOTIFY * HTTP" "USN: uuid:ANtsP2P"KCeasy "GET / HTTP/"offset(0) "cookie:Kceasy"

Table: Malicious vs Non-Malicious Signatures


RESULTS

The signatures of various protocols are extracted using LASERalgorithm. They are listed in the following table.

Application SignatureLimewire "GET" "User-Agent: LimeWire/"

"Java/"iMesh "POST"offset(0) "function=login"

"Host: login.imesh.com"Mute "client=MUTE&version="offset(12)Soulseek "GET "offset(0) "User-Agent:

SoulSeek"Skype ""GET "offset(0) "HTTP" "User-

Agent: skype"eDonkey2000 "GET / HTTP/"offset(0)

"cookie:Kceasy"eMule 0xe3 (offset 0)iMesh "POST"offset(0) "function=login"

"Host: login.imesh.com"

Table: Malicious vs Non-Malicious Signatures


RESULTS

The evaluation parameters are estimated for 3 dataset. The results aregiven in the following table.

Dataset Error Rate CCR FP FN DR1. 9.5 85.31 0.095 0.169 0.9042. 4.25 91.42 0.172 0.058 0.8283. 12.9 84.96 0.184 0.140 0.816

Table: P2P traffic classification rates


RESULTS

The error rate decreases as number of records taken for trainingincreases. A graphical representation to substantiate this result is asshown in Figure.

Figure: Accuracy performance of the classifier for different datasets


PERFORMANCE EVALUATION

The validation of the model is done using 3 classification algorithms -namely Bayesian Network, Decision tree and Adaboost with REPtrees. The results are given in the following table.

Decision Tree Bayes Net AdaboostTPR FPR CR TPR FPR CR TPR FPR CR

Storm 0.92 0.12 0.93 0.92 0.21 0.91 0.89 0.19 0.90Waledac 0.93 0.17 0.95 0.96 0.22 0.93 0.90 0.15 0.91BitTorrent 0.94 0.11 0.96 0.92 0.18 0.95 0.92 0.22 0.92eDonkey2000 0.94 0.13 0.95 0.95 0.18 0.96 0.94 0.18 0.94


PUBLICATION

1 Lekshmi M Nair, and G P Sajeev. "Internet Traffic Classification byAggregating Correlated Decision Tree Classifier." ComputationalIntelligence, Modelling and Simulation (CIMSim), 2015 SeventhInternational Conference on IEEE, Kuantan, Malaysia, 27 - 29 July2015.


REFERENCES

Ye, Wujian, and Kyungsan Cho. "Hybrid P2P traffic classification with heuristicrules and machine learning." Soft Computing (2014): 1-13.

Valenti, Silvio, and Dario Rossi. "Identifying key features for P2P trafficclassification." Communications (ICC), 2011 IEEE International Conference on.IEEE, 2011.

Adibi, Sasan. "Traffic Classification-Packet-, Flow-, and Application-basedApproaches." International Journal of Advanced Computer Science andApplications-IJACSA 1 (2010): 6-15.

Nguyen, Thuy TT, and Grenville Armitage. "A survey of techniques for internettraffic classification using machine learning." Communications Surveys &Tutorials, IEEE 10.4 (2008): 56-76.


References

Narang, Pratik, et al. "Peershark: detecting peer-to-peer botnets by trackingconversations. " Security and Privacy Workshops (SPW), 2014 IEEE. IEEE,2014.

F. Gringoli, L. Salgarelli, M. Dusi, N. Cascarano, F. Risso and K.C. Claffy, "GT:picking up the truth from the ground for Internet traffic", ACM SIGCOMMComputer Communication Review, Vol. 39, No. 5, pp. 13-18, Oct. 2009.


P2P Netwok Traffic Classification

Engineering

Transcript of P2P Netwok Traffic Classification