Similar Literature
1.
Peer-to-peer (P2P) botnets have become one of the major threats to network security. Most existing botnet detection systems detect bots by examining network traffic. Unfortunately, the traffic volumes typical of current high-speed Internet Service Provider and enterprise networks are challenging for these network-based systems, which perform computationally complex analyses. In this paper, we propose an adaptive traffic sampling system that aims to effectively reduce the volume of traffic that P2P botnet detectors need to process without degrading their detection accuracy. Our system first identifies a small number of potential P2P bots in high-speed networks as soon as possible, and then samples as many botnet-related packets as possible at a predefined target sampling rate. The sampled traffic can then be delivered to fine-grained detectors for further in-depth analysis. We evaluate our system using traffic datasets of real-world and popular P2P botnets. The experiments demonstrate that our system can identify potential P2P bots quickly and accurately with few false positives and greatly increase the proportion of botnet-related packets in the sampled packets while maintaining the high detection accuracy of the fine-grained detectors.

2.
A model for real-time detection of P2P botnets based on flow roles is proposed. Starting from the characteristics of the flows themselves, the model assigns flows different roles during P2P botnet detection so as to discover both the intrinsic anomalies and the attack anomalies of P2P botnets, while also taking into account the influence of network applications on detection. To further improve detection accuracy, a sliding-window method for real-time estimation of the Hurst exponent is proposed, and Kaufman's algorithm is used to adjust the threshold dynamically. Experiments show that the model can effectively detect new types of P2P botnets.

3.
李翔  胡华平  刘波  陈新 《现代电子技术》2010,33(15):132-135
P2P botnets pose a huge security threat to the Internet. Building on host-based P2P traffic detection and malicious behavior detection, a P2P botnet detection model is proposed. A structured P2P network composed of monitoring nodes is built on the CHORD protocol, and information about hosts that exhibit both P2P traffic and malicious behavior is reported to the monitoring nodes. By fusing and analyzing the behavior of P2P bot hosts, hosts with similar malicious behavior are judged to belong to the same P2P botnet.

4.
Targeting the characteristics of P2P botnets, the hidden Markov model is applied to P2P botnet detection. First, the life cycle and behavioral characteristics of P2P botnets are analyzed in light of the current state of botnet development and its open problems; then the states of bot hosts are partitioned, a hidden Markov model is used to model P2P botnets mathematically, and a P2P botnet detection method is proposed. Experiments verify the reliability and soundness of the detection method.

5.
In recent years, various P2P applications have kept emerging and evolving, and P2P applications are gradually becoming the killer applications of the next-generation Internet. At the same time, P2P consumes most of the Internet's bandwidth, causing congestion in Internet service providers' (ISP) access networks and severely degrading the performance of traditional Internet applications. From the number of P2P flows, server load, the distribution of network bottleneck points, and the heterogeneity of round-trip times (RTT), it can be seen that P2P traffic consumes enormous network bandwidth, degrades the performance of traditional Internet services, and increases operating costs. Using an integrated model of P2P traffic and Web traffic, the impact of P2P flows on Web flows can be analyzed quantitatively, allowing network operators to optimize and adjust the number of P2P connections at network bottleneck points and thus control P2P traffic effectively. NS2 simulation results validate the effectiveness of the model.

6.
Research on Identification Techniques for Aggregated P2P Network Traffic
龙坤  陈庶樵  夏军波 《通信技术》2010,43(1):142-144
In peer-to-peer (P2P) application systems, the behavioral characteristics of peer hosts and the characteristics of P2P service traffic are diverse and complex, so P2P traffic classification techniques that rely on a single typical feature achieve low identification accuracy. This paper proposes a new multi-stage P2P traffic identification method which, based on a series of inherent features of P2P application traffic, can identify P2P traffic within aggregated network flows. Experiments show that the proposed method achieves a P2P flow identification accuracy of up to 99.7% with a misclassification rate of 0.3%.

7.
Among the most well-established live media distribution technologies is the content delivery network (CDN), which improves user-perceived quality of service by delivering content from proxy servers deployed at the Internet's edge. In recent years, CDN providers started to tap into their subscribers' peer-to-peer (P2P) capacity to alleviate their server costs. Under the inherent peer dynamics, a major challenge of these hybrid CDN-P2P systems is to provide efficient failure recovery with good quality of service guarantees at a reduced server cost. In this work we propose a cost-effective failover solution named CDNPatch to address the aforementioned problem. CDNPatch enables peers to periodically precompute a few backup content suppliers by efficient information exchange and maintenance algorithms, and leverages auxiliary CDN servers and an economic server provisioning algorithm to reduce the chance of playback interruption occurring to peers. Our simulation results show that CDNPatch can mask the impact of peer dynamics of 3 real P2P systems, namely, SOPCast, PPStream, and PPTV, with a 100% failure recovery success rate and a failure recovery time of less than 1 second at the cost of a small P2P communication overhead of less than 1 kilobit per second, while using only 10%, 21%, and 51%, respectively, of the pure CDN scheme's server consumption.

8.
P2P-Based Botnets and Their Defense
As a platform for cybercrime, botnets are moving toward distributed structures such as P2P. Studying the direction of botnet development and construction techniques helps us understand the characteristics of botnet activity comprehensively and thus conduct better research on botnet detection and defense. This paper analyzes attackers' requirements, proposes a new botnet structure based on hierarchical P2P network technology, and analyzes and discusses in depth the feasibility of this botnet and its propagation, communication, and control. On this basis, we analyze and evaluate the effectiveness of various defense strategies through simulation experiments; the experimental data show that, under practically feasible conditions, existing defense strategies have difficulty effectively destroying P2P-structured botnets. Finally, we discuss possible defense methods against this new type of botnet.

9.
Botnets are increasingly rampant. Their harm extends from end users to nations; even militaries and governments continually suffer botnet attacks. More and more terms closely associated with botnets have entered the public eye: malware, theft of identity and financial information, malicious pop-up advertising, spam, and phishing. WLANs, as publicly used network environments, can achieve good results by dealing with botnets at the source. This paper therefore starts from network structure, analyzes P2P networks, which are currently the hardest to protect against and handle, and provides a practical handling mechanism for WLAN environments.

10.
Group communications (real-time and non-real-time) refer to one-to-many or many-to-many communications. On the one hand, multicast is considered an appropriate solution for supporting group-communication-oriented applications (we distinguish IP network multicast from application layer multicast). On the other hand, the peer-to-peer model tends to be a good candidate for supporting today's Internet applications (e.g. P2P IPTV, P2P VoIP, etc.). In this context, P2P has attracted significant interest in recent years. This is mainly due to its properties, which also make P2P well adapted to today's social networks. In this paper, we propose GPM (Generic P2P Multicast): a novel generic and scalable approach that optimizes multicast tree depth in P2P networks (structured and unstructured) and contributes to controlling the network overlay latency. For multicast tree construction, the approach we propose is based on a distributed algorithm using specific data structures (adjacency and forwarding matrices). The GPM model inherits P2P attributes such as scalability, flexibility and fault tolerance, while taking into consideration the respective characteristics of one-to-many and many-to-many types of applications. We also give a performance evaluation for validation and comparison purposes while considering some of the main existing application layer multicast protocols. Copyright © 2011 John Wiley & Sons, Ltd.

11.
庹宇鹏  张永铮  尹涛 《电子学报》2018,46(4):791-796
To address the poor tracing resistance of existing P2P botnets, a cross-domain architecture for P2P botnets (CRA) is proposed. CRA strictly restricts communication between bot hosts to different domains and introduces IP spoofing to hide the source IP of communications. Given the infeasibility of monitoring the global Internet and the difficulty of IP traceback, defenders will in practice find it very hard to trace CRA. Simulation results show that, compared with current mainstream P2P botnet architectures, CRA has better resistance to tracing and better robustness.

12.
By studying a general-purpose P2P computing platform (TIPMAN), this paper identifies the platform's shortcomings in security and trust and proposes adding a new P2P service security layer between the application layer and the P2P network layer of the TIPMAN platform. Peer-group membership authentication in this layer allows a peer to join a peer group only after being authenticated, and a secure communication mechanism provides secure data transmission between peers, ensuring the security of P2P applications.

13.
With the growing maturity of peer-to-peer (P2P) technology, Internet protocol television (IPTV) applications based on it have gained great commercial success and have attracted more and more attention from both industry and academia. Currently, the active measurement method based on crawler technology is the most popular and effective one for studying P2P IPTV systems. Existing measurement results revealed that the accuracy of captured overlay snapshots depends on the crawling speed of the crawler system. In order to capture more accurate overlay snapshots of P2P IPTV systems, we developed a very fast and efficient distributed crawler system using a distributed architecture and a peer degree-rank mechanism. In this paper, we first introduce the architecture of PPTV channel-list resource distribution and of the whole system, which is the most popular and largest instance of P2P IPTV applications nowadays. Subsequently, this paper evaluates the crawling results of two dedicated crawlers capturing from peer-list servers and ordinary peers, respectively. Finally, we propose a fast and accurate dedicated crawler system based on a distributed architecture and peer degree rank for PPTV. The experimental results show that the performance of our distributed crawler system is much better than that of other existing crawler systems. Specifically, our distributed crawler can track a very popular channel with about 7200 online users in 30 s. It is also reasonable to believe that our distributed crawler system can capture complete overlay snapshots. To the best of our knowledge, our work is the first to explore capturing accurate overlay snapshots of large-scale P2P IPTV applications. Our crawler system can provide a good solution for capturing more accurate overlay snapshots of the PPTV system and can also be used to help researchers design crawler systems for other P2P IPTV systems. Copyright © 2015 John Wiley & Sons, Ltd.

14.
Research on a Decision-Tree-Based Bot Traffic Detection Method
Botnets are currently one of the security threats facing the Internet, and detecting potential botnet traffic in the network is of great significance for improving Internet security. This paper focuses on IRC-based botnets and, based on the session characteristics between bot hosts and the chat server, proposes a decision-tree-based botnet traffic detection method. Experiments show that the method is feasible.

15.
Research on a Botnet Detection Method Based on Anomalous Behavior Features
杨奇  何聚厚 《电子科技》2010,23(11):109-112
Based on the anomalous behavior of botnet communication and network traffic, bot channels can be detected effectively. This paper describes a detection algorithm that, through anomaly analysis of host response information, determines whether the current IRC channel is a bot channel. From this, a bot channel detection model based on anomalous behavior is introduced; the model extracts and categorizes the host response information of IRC channels and reaches a conclusion by analyzing it with the detection algorithm. Experimental results verify the effectiveness of the model.

16.
Current State and Future Development of P2P Technology
P2P application software mainly includes file distribution software, voice service software, and streaming media software. At present there are many kinds of P2P applications in diverse forms, with no unified network protocol standard, and their architectures and organizational forms are still evolving. P2P applications already account for 60% to 80% of operators' total traffic, and the traffic generated by P2P applications is unevenly distributed, symmetric in the upstream and downstream directions, concealed, and data-intensive. Many problems remain to be solved on the development path of P2P technology. Copyright has always been an uncertain factor in P2P development, and how to support the distribution of legitimate files at the technical level is an important problem to be solved. Security is also an important research topic in the P2P field: how to achieve secure data access, secure routing, user authentication, and identity management in P2P networks all require further study. Furthermore, if unified resource location and unified routing among P2P applications could be achieved, giving P2P technology a unified development standard, then P2P technologies could be converged and the overall performance of P2P applications improved.

17.
P2P Traffic Detection Techniques and Analysis
The rapid development of P2P technology and its applications has increased network load and affected network performance, so analyzing and controlling P2P traffic is essential. After introducing P2P traffic detection techniques, this paper compares and analyzes several current mainstream P2P traffic identification techniques, points out the advantages and shortcomings of each, explains the development direction of traffic detection techniques, and proposes an approach that combines different detection methods to meet given accuracy and efficiency requirements.

18.
Botnets have recently been recognized as one of the most formidable threats on the Internet. Different approaches have been designed to detect these types of attacks. However, as botnets evolve their behavior to mislead signature-based detection systems, learning-based methods may be deployed to provide a generalization capacity in identifying unknown botnets. Developing an adaptable botnet detection system, which incrementally evolves with the incoming flow stream, remains a challenge. In this paper, a self-learning botnet detection system is proposed, which uses an adaptable classification model. The system uses an ensemble classifier and, in order to enhance its generalization capacity, updates its model continuously on receiving new unlabeled traffic flows. The system is evaluated with a comprehensive data set, which contains a wide variety of botnets. The experiments demonstrate that the proposed system can successfully adapt in a dynamic environment where new botnet types are observed during system operation. We also compare the system's performance with other methods.

19.
The detection and control of P2P traffic keep evolving as P2P technology and its applications change; the limitations of traditional P2P traffic detection techniques have become increasingly obvious, making new P2P traffic detection techniques a current research focus. This paper first introduces traditional P2P traffic detection techniques and their shortcomings, then focuses on a multi-scale analysis model for inspecting network-layer packets. By extracting suspected P2P traffic, the multi-scale analysis model narrows the scope of P2P traffic detection and improves its efficiency, and it combines a decision tree to perform protocol analysis on the suspected P2P traffic in order to identify and classify it effectively. Finally, future research directions for P2P network traffic supervision are proposed.

20.
陈伟  于乐  杨庚 《中国通信》2012,9(10):49-59
In this paper, we propose a novel method to detect encrypted botnet traffic. During the traffic preprocessing stage, the proposed payload extraction method can identify a large amount of encrypted application traffic. It can filter out a large amount of non-malicious traffic, greatly improving detection efficiency. A Sequential Probability Ratio Test (SPRT)-based method can find spatial-temporal correlations in suspicious botnet traffic and make an accurate judgment. Experimental results show that the false positive and false negative rates can be controlled within a certain range.


Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号