P2P Security

Page 1: P2P Security

P2P Security Threats And Their Countermeasures

Chittaranjan Hota, PhD, Associate Professor, Dept. of Computer Science & Engineering

Birla Institute of Technology & Science-Pilani, Hyderabad Campus, Shameerpet, Hyderabad, AP, India

[email protected]

3rd August 2013, Workshop on Cyber Security, Bharti School, IIT, Delhi

Page 2: P2P Security

[Source: Privacy & Security, Eric Byres, Communications of the ACM, August 2013]

Air gap Myth

Page 3: P2P Security

Genesis

P2P apps running on BITS campus detected…

Page 4: P2P Security

Power of Internet

Source: Cisco VNI Global Forecast, 2011-2016

Source: Envisional: Internet bandwidth usage estimation report, 2011

Page 5: P2P Security

Source: http://www.fbi.gov/scams-safety/peertopeer

Page 6: P2P Security

Attack examples

Tiversa Inc., 2011

SC Magazine, March 2009

"lol is this your new profile pic?"

Times of India, Oct 2012

Page 7: P2P Security

What is a P2P Network (BYOR)

[Figure: peers A to H forming a P2P overlay layer on top of the native IP layer, which spans autonomous systems AS1 to AS6]

Page 8: P2P Security

DC++

Page 9: P2P Security
Page 10: P2P Security
Page 11: P2P Security

Torrents

Threads: 186,123, Posts: 2,383,449, Members: 546,944

Seeders: 56668, Leechers: 8246, Peers: 64914,

Torrents: 19197 

[Source: desitorrents.com, 31st July 2013 (3.00pm)]

Page 12: P2P Security

P2P Traffic Control

Page 13: P2P Security

Security Gap in P2P

[Figure: Internet with Peer A, Peer B and Malicious Peer C; Protected Network with Peer X behind a Firewall; a TCP port opened through the firewall]

Page 14: P2P Security

Effect of NATing on P2P

[Figure: a P2P application behind a NAT, with private IP addresses on the inside and public IP addresses towards the Internet and the server]

Page 15: P2P Security

NAT Traversal

[Figure: NAT traversal through an application relay on the Internet between two networks using private IP addresses]

Page 16: P2P Security

Possible Attacks on P2P

[Figure: a malicious peer (192.168.100.40:4442) answers Query "star" and Query "pop" from peers P1, P2 and P3 with QueryHit messages naming the target 192.168.100.220:80 as the location; the querying peers then send GET /index.html HTTP/1.0 to the target (steps 1 to 3)]

Page 17: P2P Security

Possible Attacks on P2P

[Figure: Alice and Bob in a file sharing network]

Page 18: P2P Security

Possible Attacks on P2P

Poisoning

    index
    title   location
    file1   120.18.89.100
    file2   46.100.80.23
    file3   234.8.98.20
    file4   111.22.22.22

[Figure: file sharing network with peers 120.18.89.100, 46.100.80.23 and 234.8.98.20]

Page 19: P2P Security

Possible Attacks on P2P

[Figure: Attacker and Victim Peer, the victim holding genuine blocks]

1. TCP Connection
2. Fake BitMap
3. Block Request
4. Fake Block
5. Hash Fail
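Added illustration of the check at step 5 (this is example code, not code from the deck or the authors' system): a victim peer that verifies every received block against the known piece hash from the torrent metadata and stops requesting from a peer after repeated hash failures. It assumes one block per piece, SHA-1 piece hashes and a ban threshold of two failures; the piece contents and peer names are constructed.

```python
import hashlib
from collections import defaultdict

# Constructed torrent metadata: expected SHA-1 hash of each piece.
PIECE_HASHES = {
    0: hashlib.sha1(b"genuine piece 0").hexdigest(),
    1: hashlib.sha1(b"genuine piece 1").hexdigest(),
}
MAX_HASH_FAILS = 2  # assumed threshold before a peer is dropped


class VictimPeer:
    def __init__(self, piece_hashes, max_fails=MAX_HASH_FAILS):
        self.piece_hashes = piece_hashes
        self.max_fails = max_fails
        self.claimed = {}                  # peer -> pieces it advertises (step 2)
        self.hash_fails = defaultdict(int)  # peer -> number of failed blocks
        self.banned = set()
        self.completed = {}                # piece index -> verified data

    def advertise(self, peer, have):
        """Step 2: record the bitmap a peer claims; it is not trusted yet."""
        self.claimed[peer] = set(have)

    def next_request(self, peer):
        """Step 3: pick a piece the peer claims to have and we still lack."""
        if peer in self.banned:
            return None
        wanted = self.claimed.get(peer, set()) - set(self.completed)
        return min(wanted) if wanted else None

    def receive_block(self, peer, index, data):
        """Steps 4-5: accept a block only if its hash matches the metadata."""
        if peer in self.banned:
            return "banned"
        if hashlib.sha1(data).hexdigest() == self.piece_hashes.get(index):
            self.completed[index] = data
            return "accepted"
        self.hash_fails[peer] += 1  # hash fail: the block was fake
        if self.hash_fails[peer] >= self.max_fails:
            self.banned.add(peer)
            return "banned"
        return "hash_fail"
```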

Page 20: P2P Security

Possible Attacks on P2P

Sybil

[Figure: Victim peer]

Page 21: P2P Security

Possible Attacks on P2P

Free Rider

[Figure: Tracker, Seeder and Free Rider]

Page 22: P2P Security

Testbed at BITS Hyderabad

[Figure: campus network testbed: Internet, Firewall/Router, Core Switch 6509, Distribution Switch 4500, Access Switch 2500 (Ethernet); Info. Sec. Lab, Dist. Sys. Lab, Multimedia Lab, Hostels Wing; Content Mgmt., Application Servers, DB Cluster, Intrusion Detection Sys.]

• Botnet traffic generation
• Data collection for P2P and web traffic
• Traffic Anonymization (Anon tool)
• Classifier, and IDS for botnet detection

Page 23: P2P Security

Privacy aware P2P Classifier

    // Excerpt from the classifier: a Conversation pairs the two directional
    // flows between sender and receiver and keeps per-conversation state.
    public Conversation(String sender, String receiver, int src, int dst, boolean tcp) {
        sender_ip = sender;
        receiver_ip = receiver;
        this.setSender(new Flow(sender, receiver, src, dst, tcp));
        this.setReceiver(new Flow(receiver, sender, dst, src, tcp));
        sndr_port = src;
        rcvr_port = dst;
        set = false;
        last = 0;
        first = 0;
        timestamps = new TreeSet<Long>();
    }

    // Feature extraction over the packets of a flow: counts packets without
    // the TCP flags at indices 7, 6 and 5 (and all non-TCP packets) as
    // non-SYN, counts packets with the flag at index 4 as PSH, and totals
    // header and packet sizes.
    for (Packet p : plist) {
        if (p.isTcp() && !p.getTcp_flag()[7] && !p.getTcp_flag()[6] && !p.getTcp_flag()[5]) {
            ++nonsyn_count;
        } else if (!p.isTcp()) {
            ++nonsyn_count;
        }
        if (p.isTcp() && p.getTcp_flag()[4]) {
            ++psh_count;
        }
        ++count;
        hdr_size_total = hdr_size_total + p.getHdr_size();
        pkt_size_total = pkt_size_total + p.getPacket_size();
        pktsize.add(p.getPacket_size());
    }

    Categories   Application                                   Number of Flows
    Web          mail, http, https, ftp                        23,014
    p2p          BitTorrent, AntsP2P, Gnutella, Mute, eMule    2,76,093

[Ref: 34]

Page 24: P2P Security

Experimental Results

[Figure: confusion matrix (TP, TN, FP, FN) and accuracy]

Page 25: P2P Security

Identifying FrostWire traffic

Page 26: P2P Security

Botnet Detection

Page 27: P2P Security

P2P Botnet Traces

    Botnet name    What it does?                                                       Size of data   Source of data

    TRAINING DATA
    Kelihos-Hlux   Email spam, DoS, steal Bitcoin wallets                              5 MB           Generated on testbed + obtained from online sources [35]
    Waledac        Email spam, password stealing                                       25 MB          ISOT dataset [36]
    ZeuS           Steals banking information by MITM key logging and form grabbing    5 MB           Generated on testbed

    TEST DATA
    ZeuS           Steals banking information by MITM key logging and form grabbing    25 MB          ISOT dataset [36]
    Storm          Email spam                                                          30 MB          ISOT dataset [36]
    Conficker      Disables important system services and security products            50 GB          Obtained from CAIDA [37]

Page 28: P2P Security

Bayesian Regularized NN

• Bayesian Regularized Neural Network based Real-time Peer-to-Peer Botnet Detection, Pratik Narang, Sharat Chandra, Chittaranjan Hota, accepted in IEEE P2P 2013, Trento, Italy (Sept 2013)

• 23 features extracted from flows.

• Information Gain with ranking used to rank the features.

• Top 16 features chosen.

    Output               Correct Classification   Incorrect Classification
    Malicious samples    25898                    276
    Percentage           98.9455%                 1.0545%
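As an added illustration (not code from the deck or the authors' classifier), the following ranks per-flow features by information gain and keeps the top k, the selection step the slide describes for choosing 16 of 23 features. The four feature names, the median split used to discretize numeric features, and the eight labelled flows (1 = botnet, 0 = benign) are constructed assumptions.

```python
import math
from collections import Counter

FEATURES = ["nonsyn_ratio", "psh_count", "avg_pkt_size", "duration_s"]

# Constructed labelled flows: (feature dict, label); values chosen so that
# psh_count separates the classes perfectly and duration_s not at all.
SAMPLES = [
    ({"nonsyn_ratio": 0.9, "psh_count": 2, "avg_pkt_size": 60, "duration_s": 1}, 1),
    ({"nonsyn_ratio": 0.9, "psh_count": 2, "avg_pkt_size": 60, "duration_s": 5}, 1),
    ({"nonsyn_ratio": 0.9, "psh_count": 2, "avg_pkt_size": 60, "duration_s": 1}, 1),
    ({"nonsyn_ratio": 0.9, "psh_count": 2, "avg_pkt_size": 300, "duration_s": 5}, 1),
    ({"nonsyn_ratio": 0.9, "psh_count": 10, "avg_pkt_size": 300, "duration_s": 1}, 0),
    ({"nonsyn_ratio": 0.2, "psh_count": 10, "avg_pkt_size": 300, "duration_s": 5}, 0),
    ({"nonsyn_ratio": 0.2, "psh_count": 10, "avg_pkt_size": 300, "duration_s": 1}, 0),
    ({"nonsyn_ratio": 0.2, "psh_count": 10, "avg_pkt_size": 60, "duration_s": 5}, 0),
]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(samples, feature):
    """IG = H(label) - H(label | feature), binning the numeric feature
    into 'below median' and 'at or above median' (assumed discretization)."""
    values = sorted(f[feature] for f, _ in samples)
    threshold = values[len(values) // 2]
    low = [y for f, y in samples if f[feature] < threshold]
    high = [y for f, y in samples if f[feature] >= threshold]
    n = len(samples)
    conditional = sum(len(part) / n * entropy(part) for part in (low, high) if part)
    return entropy([y for _, y in samples]) - conditional


def rank_features(samples, k, features=FEATURES):
    """Return the top-k feature names by IG and the full score table."""
    scores = {f: information_gain(samples, f) for f in features}
    ranked = sorted(scores, key=lambda f: (-scores[f], f))
    return ranked[:k], scores


if __name__ == "__main__":
    top, scores = rank_features(SAMPLES, 2)
    for name in sorted(scores, key=scores.get, reverse=True):
        print(f"{name:14s} IG = {scores[name]:.4f}")
    print("selected:", top)
```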

Page 29: P2P Security

Feature Selection

• 23 features extracted from flows

Page 30: P2P Security

Large Botnet Traces

    Botnet name   What it does?                                                      Type of data/Size of data   Source of data
    Sality        Infects executable files, attempts to disable security software.   Binary (.exe) file          Generated on testbed
    Storm         Email spam                                                         .pcap file / 4.8 GB         Obtained from Uni. of Georgia [34]
    Waledac       Email spam, password stealing                                      .pcap file / 68 GB          Obtained from Uni. of Georgia [34]
    ZeuS          Steals banking information by MITM key logging and form grabbing   .pcap file / 105 MB         Obtained from Uni. of Georgia [34] + generated on testbed

Page 31: P2P Security

Experimental Results

Page 32: P2P Security

Distributed Data collection and processing

[Figure: campus network testbed: Internet, Firewall/Router, Core Switch 6509, Distribution Switch 4500, Access Switch 2500 (Ethernet); Info. Sec. Lab, Dist. Sys. Lab, Multimedia Lab, Hostels Wing; Content Mgmt., Application Servers, DB Cluster, Intrusion Detection Sys.; Hadoop Name node and Hadoop Data nodes]

• Botnet traffic generation
• Data collection for P2P and web traffic
• Classifier, and IDS for botnet detection
• Traffic Anonymization (Anon tool)

Page 33: P2P Security

Hadoop setup running at BITS Hyd

Page 34: P2P Security

References

1. http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.htm
2. S. McBride and G. A. Flower, Estimate of Film-piracy Cost Soars: Hollywood Loss Is Put at $6.1b a Year, The Wall Street Journal Europe, May 4, 2006.
3. T. Karagiannis, A. Broido, M. Faloutsos, and kc claffy, Transport Layer Identification of P2P Traffic, in Proc. 4th ACM SIGCOMM Conference on Internet Measurement, pp. 121-134, 2004.
4. S. Sen, O. Spatscheck, and D. Wang, Accurate, Scalable In-Network Identification of P2P Traffic Using Application Signatures, WWW 2004, May 2004.
5. S. Sen and J. Wang, Analyzing Peer-to-Peer Traffic Across Large Networks, IEEE/ACM Transactions on Networking, Vol. 12, No. 2, April 2004.
6. Thuy T. T. N. and G. Armitage, A Survey of Techniques for Internet Traffic Classification Using Machine Learning, IEEE Communications Surveys & Tutorials, Vol. 10, No. 4, 2008.
7. H. Khan, S. A. Khayam, L. Golubchik, M. Rajarajan, and M. Orr, Wire-speed, Privacy-Preserving P2P Traffic Detection on Commodity Switches, available online at www.xflowresearch.com
8. Intrusion detection system, http://en.wikipedia.org/wiki/Intrusion_detection_system
9. P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macia-Fernandez, and E. Vazquez, Anomaly-based Network Intrusion Detection: Techniques, Systems and Challenges, Computers and Security, Vol. 28, Issue 1-2, pp. 18-28, 2009.
10. R. Gupta and A. K. Somani, Game Theory as a Tool to Strategize as well as Predict Node's Behavior in Peer-to-Peer Networks, International Conf. on PDS, 2005, pp. 244-249.
11. R. G. Cascella, 2nd ENISA Workshop on Authentication Interoperability Languages, held at the ENISA/EEMA European eIdentity Conference, Paris, France, June 12-13, 2007.
12. C. Wang, L. Chen, H. Chen, and K. Zhou, Incentive Mechanism Based on Game Theory in P2P Networks, ITCS 2010, pp. 190-193.
13. C. Sarraute et al., Simulation of Computer Network Attacks, CoreLabs, Core Security Technologies, 2010.
14. http://www.metasploit.com/
15. www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray
16. www.metasploit.com/modules/auxiliary/dos/windows/rdp/ms12_020_maxchannelids
17. http://www.metasploit.com/modules/exploit/windows/smb/ms08_067_netapi
18. J. R. Quinlan, C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
19. http://www.cs.waikato.ac.nz/ml/weka/
20. http://pytbull.sourceforge.net/
21. http://www.secdev.org/projects/scapy
22. F. Massicotte and Y. Labiche, An Analysis of Signature Overlaps in Intrusion Detection Systems, IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN), pp. 109-120, 2011.
23. C.-Y. Ho, Y.-C. Lai, I-W. Chen, F.-Y. Wang, and W.-H. Tai, Statistical Analysis of False Positives and False Negatives from Real Traffic with Intrusion Detection/Prevention Systems, IEEE Communications Magazine, pp. 146-154, 2012.
24. S. Ali, H. Khan, and S. A. Khayam, What Is the Impact of P2P Traffic on Anomaly Detection?, Proc. 13th International Symposium on Recent Advances in Intrusion Detection (RAID) 2010, pp. 1-7, 2010.
25. J. Erman et al., Identifying and Discriminating Between Web and Peer-to-Peer in the Network Core, WWW 2007, ACM, pp. 883-892.
26. Genevieve B. et al., Estimating P2P Traffic Volume at USC, Technical Report, USC, June 2007.
27. A. Madhukar and Carey W., A Longitudinal Study of P2P Traffic Classification, IEEE International Symposium on Modeling, Analysis, and Simulation, CA, 2006, pp. 179-188.
28. Hongwei C. et al., A SVM Method for P2P Traffic Identification Based on Multiple Traffic Mode, Journal of Networks, Nov 2010, pp. 1381-1388.
29. K. Ilgun et al., State Transition Analysis: A Rule-based Intrusion Detection Approach, IEEE Transactions on Software Engineering, Vol. 21, 1995.
30. F. Jemili et al., A Framework for an Adaptive Intrusion Detection System Using Bayesian Network, IEEE Intelligence and Security Informatics, May 2007, pp. 66-70.
31. M. Soysal and E. G. Schmidt, Machine Learning Algorithms for Accurate Flow-based Network Traffic Classification: Evaluation and Comparison, Performance Evaluation, Vol. 67, No. 6, pp. 451-467, 2010.
32. N. Williams, S. Zander, and G. Armitage, A Preliminary Performance Comparison of Five Machine Learning Algorithms for Practical IP Traffic Flow Classification, ACM SIGCOMM Computer Communication Review, Vol. 36, No. 5, pp. 5-16, 2006.
33. P. E. Berg, Behavior-based Classification of Botnet Malware, Thesis Report, Gjovik University College, Norway, 2011.
34. B. Rahbarinia, R. Perdisci, A. Lanzi, and K. Li, PeerRush: Mining for Unwanted P2P Traffic, DIMVA 2013.
35. www.contagiodump.blogspot.in
36. S. Saad et al., Detecting P2P Botnets Through Network Behavior Analysis and Machine Learning, Ninth Annual International Conference on Privacy, Security and Trust (PST), IEEE, 2011.
37. CAIDA, UCSD, Network Telescope "Three Days of Conficker" dataset, 21st Nov. 2008, P. Hick, E. Aben, D. Andersen, and kc claffy, http://www.caida.org/data/passive/telescope-3days-conficker_dataset.xml
38. T. Abbes, A. Bouhoula, and M. Rusinowitch, Protocol Analysis in Intrusion Detection Using Decision Tree, Proc. International Conference on Information Technology: Coding and Computing (ITCC 2004), Vol. 1, IEEE, 2004.
39. S. Chebrolu, A. Abraham, and J. P. Thomas, Feature Deduction and Ensemble Design of Intrusion Detection Systems, Computers & Security, Vol. 24, No. 4, pp. 295-307, 2005.
40. A. H. Sung and S. Mukkamala, The Feature Selection and Intrusion Detection Problems, in Advances in Computer Science - ASIAN 2004: Higher-Level Decision Making, pp. 468-482, Springer, 2005.
41. J. McHugh, Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory, ACM Transactions on Information and System Security, Vol. 3, No. 4, pp. 262-294, 2000.

Page 35: P2P Security

Thank You!

Questions