Similar literature
Found 20 similar documents; search took 62 ms
1.
李翔  胡华平  刘波  陈新 《现代电子技术》2010,33(15):132-135
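P2P botnets pose a huge security threat to the Internet. Building on host-based P2P traffic detection and malicious behavior detection, this paper proposes a detection model for P2P botnets. A structured P2P network composed of monitoring nodes is built on the CHORD protocol, and information about hosts that exhibit both P2P traffic and malicious behavior is reported to the monitoring nodes. Through fusion analysis of the behavior of P2P bot hosts, hosts with similar malicious behavior are considered to belong to the same P2P botnet.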

2.
Research on Aggregated P2P Network Traffic Identification Techniques   Total citations: 1, self-citations: 0, citations by others: 1
龙坤  陈庶樵  夏军波 《通信技术》2010,43(1):142-144
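In peer-to-peer (P2P) application systems, the behavioral characteristics of peer hosts and the characteristics of P2P traffic are diverse and complex, so P2P traffic classification techniques that rely on a single typical feature achieve low identification accuracy. This paper proposes a new multi-stage method for identifying P2P traffic which, based on a series of inherent characteristics of P2P application traffic, can identify P2P traffic within aggregated network flows. Experiments show that the proposed method achieves a P2P flow identification accuracy of up to 99.7%, with a misclassification rate of 0.3%.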

3.
4.
To efficiently transfer diverse traffic over high-speed links, modern integrated networks require more efficient packet-switching techniques that can capitalize on the advances in switch hardware. Several promising approaches attempt to improve the performance by creating dedicated “shortcut” connections for long-lived traffic flows, at the expense of the network overhead for establishing and maintaining these shortcuts. The network can balance these cost-performance tradeoffs through three tunable parameters: the granularity of flow end-point addresses, the timeout for grouping related packets into flows, and the trigger for migrating a long-lived flow to a shortcut connection. Drawing on a continuous one-week trace of Internet traffic, we evaluate the processor and switch overheads for transferring HTTP server traffic through a flow-switched network. In contrast to previous work, we focus on the full probability distributions of flow sizes and cost-performance metrics to highlight the subtle influence of the HTTP protocol and user behavior on the performance of flow switching. We find that moderate levels of aggregation and triggering yield significant reductions in overhead with a negligible reduction in performance. The traffic characterization results further suggest schemes for limiting shortcut overhead by temporarily delaying the creation of shortcuts during peak load and by aggregating related packets that share a portion of their routes through the network.

5.
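In recent years, P2P network technology has developed rapidly. Skype is a P2P-based VoIP client developed by the organization that created Kazaa, and users can make voice calls over the Internet with it. This paper captures Skype traffic and performs protocol analysis, focusing on PC2PC login/logout, text messaging, voice communication, file transfer, and PC2Phone, then summarizes the protocol's characteristics and proposes a Skype traffic identification method based on protocol analysis. The results show an identification rate above 95%.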

6.
Peer-to-peer (P2P) computing technology has been widely used on the Internet to exchange data. However, it occupies much network bandwidth, and thus greatly influences traditional business on the Internet. Besides, problems about free-riders and 'tragedy of the commons' in the P2P environment estrange from it P2P users who constantly contribute to the network with quality resources. This article proposes a new P2P network traffic control mechanism based on global evaluation values. It aims to help individual users to avoid peak traffic time as much as possible, ease network congestion and protect traditional business on the Internet, as well as differentiating priority grades of peers according to their contributions and stimulating them to share their valuable resources actively. This article first analyzes the current state of network traffic, and then elaborates on P2P network traffic control policies and proposes the peer's priority level differentiation mechanism based on global evaluation values. Finally, after the testing results and analysis of the proposed P2P network traffic control mechanism are discussed, conclusions are drawn.

7.
A botnet is a distributed platform for illegal activities that severely threatens the security of the Internet. Fortunately, despite their complicated nature, bots leave some footprints during the C&C communication that have been utilized by security researchers to design detection mechanisms. Nevertheless, botnet designers are always trying to evade detection systems by leveraging the legitimate P2P protocol as C&C channel or even mimicking legitimate peer‐to‐peer (P2P) behavior. Consequently, detecting P2P botnets in the presence of normal P2P traffic is one of the most challenging issues in network security. However, the resilience of P2P botnet detection systems in the presence of normal P2P traffic is not investigated in most proposed schemes. In this paper, we focused on the footprint as the most essential part of a detection system and presented a taxonomy of footprints utilized in behavioral P2P botnet detection systems. Then, the resilience of the mentioned footprints is analyzed using three evaluation scenarios. Our experimental and analytical investigations indicated that most P2P botnet footprints are not resilient to the presence of legitimate P2P traffic and there is a pressing need to introduce more resilient footprints.

8.
The ever‐increasing share of the peer‐to‐peer (P2P) traffic flowing in the Internet has unleashed new challenges to the quality of service provisioning. Striving to accommodate the rise of P2P traffic or to curb its growth has led to many schemes being proposed: P2P caches, P2P filters, ALTO mechanisms and re‐ECN. In this paper, we propose a scheme named ‘UARA: User/Application‐aware RED‐based AQM’ which has a better perspective on the problem: UARA is proposed to be implemented at the edge routers providing real‐time near‐end‐user traffic shaping and congestion avoidance. UARA closes the loopholes exploited by the P2P traffic by bringing under control the P2P users who open and use numerous simultaneous connections. In congestion times, UARA monitors the flows of each user and caps the bandwidth used by ‘power users’ which leads to the fair usage of network resources. While doing so, UARA also prioritizes the real‐time traffic of each user, further enhancing the average user quality of experience (QoE). UARA hence centralizes three important functionalities at the edge routers: (1) congestion avoidance; (2) providing user fairness; (3) prioritizing real‐time traffic. The simulation results indicate that average user QoE is significantly improved in congestion times with UARA at the edge routers. Copyright © 2011 John Wiley & Sons, Ltd.

9.
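Based on statistical features of network traffic, a detection algorithm for slow port-scanning behavior is proposed. Taking as its basis the ratio of the number of hosts to the number of ports and the similarity between the port sets of the accessed hosts, the algorithm analyzes the traffic statistics with the non-parametric cumulative sum (CUSUM) algorithm and the wavelet transform to determine whether port scanning is taking place. Experimental results show that the extracted traffic features and the algorithm can effectively detect anomalous behavior, and that the method has lower false-negative and false-positive rates than Snort.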

10.
董仕  王岗 《通信学报》2012,33(12):25-34
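Taking several mainstream P2P streaming-media Internet TV applications as the object of study, this paper analyzes in depth the characteristics of their traffic in terms of port usage and the differences in their packet-length distributions. By summarizing and extracting these features, it reaches conclusions based on port characteristics, such as "within one interaction, a specific port on a specific host uniquely determines one application". On this basis, the EXID algorithm is proposed, which accurately identifies the UDP traffic of P2P applications using flow records with extended attributes. Five P2P streaming-media applications were identified in trace data collected on the 10G backbone channel at the CERNET Jiangsu provincial border, and the results were compared with machine-learning traffic identification algorithms. They show that the proposed scheme has high precision and recall, is time-efficient, and is not easily affected by the proportion of samples.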

11.
张昱  白艳萍  郝莹 《中国通信》2012,9(12):36-45
In order to inhibit Free Riding in Peer-to-Peer (P2P) file-sharing systems, the Free Riding Inhibition Mechanism Based on User Behavior (IMBUB) is proposed. IMBUB considers the regularity of user behavior and models user behavior by analyzing many definitions and formulas. In IMBUB, Bandwidth Allocated Ratio, Incentive Mechanism Based on User Online Time, Double Reward Mechanism, Incentive Mechanism of Sharing for Permission and Inhibition Mechanism of White-washing Behavior are put forward to inhibit Free Riding and encourage user sharing. A P2P file system BITShare is designed and realized under the conditions of a campus network environment. The test results show that BITShare's Query Hit Ratio has a significant increase from 22% to 99%, and the sharing process in BITShare is very optimistic. Most users opt to use online time to exchange service quality instead of white-washing behavior, and the real white-washing ratio in BITShare is lower than 1%. We confirm that IMBUB can effectively inhibit Free Riding behavior in P2P file-sharing systems.

12.
杜敏  陈兴蜀  谭骏 《中国通信》2011,8(2):52-58
Peer-to-Peer technology is one of the most popular techniques nowadays, and it brings some security issues, so the recognition and management of P2P applications on the internet is becoming much more important. The selection of protocol features is significant to the problem of P2P traffic identification. To overcome the shortcomings of current methods, a new P2P traffic identification algorithm is proposed in this paper. First of all, a detailed statistics of traffic flows on internet is calculated. Secondly, the best feature subset is chosen by binary particle swarm optimization. Finally, every feature in the subset is given a proper weight. In this paper, TCP flows and UDP flows each have a respective feature space, for this is advantageous to traffic identification. The experimental results show that this algorithm could choose the best feature subset effectively, and the identification accuracy is improved by the method of feature weighting.

13.
Since the year of 2006, peer-to-peer (P2P) streaming media service has been developing rapidly, the user scale and income scale achieve synchronous growth. However, while people enjoying the benefits of th...

14.
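Current Status and Future Development of P2P Technology   Total citations: 4, self-citations: 0, citations by others: 4
P2P application software mainly comprises file distribution software, voice service software, and streaming media software. P2P applications today are numerous and varied, there is no unified network protocol standard, and their architectures and forms of organization keep evolving. P2P applications already account for 60%~80% of operators' total service volume, and the traffic they generate is characterized by unbalanced distribution, symmetric upstream and downstream traffic, concealed traffic, and concentrated data. Many problems remain to be solved on the path of P2P development. Copyright has always been an uncertain factor in the development of P2P, and how to support the distribution of legitimate files at the technical level is an important problem to solve. Security is also an important research topic in the P2P field: how to achieve secure data access, secure routing, user authentication, and identity management in P2P networks all require further study. In addition, if unified resource location and unified routing across P2P applications could be achieved, giving P2P technology a unified development standard, then P2P technologies could be integrated and the overall performance of P2P applications improved.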

15.
罗丞  叶猛 《电视技术》2012,36(3):62-65
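Traditional application-layer protocol identification methods all seek to raise the identification rate by improving the matching algorithm, but as P2P protocols evolve their features are becoming multidimensional, and algorithm complexity rises accordingly. In view of this, after the multidimensional features of P2P traffic are analyzed and extracted, the principal component analysis (PCA) algorithm is used to reduce the dimensionality of the extracted features, and experiments demonstrate the feasibility and effectiveness of the method for network traffic identification.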

16.
Network traffic classification aims at identifying the application types of network packets. It is important for Internet service providers (ISPs) to manage bandwidth resources and ensure the quality of service for different network applications. However, most classification techniques using machine learning only focus on high flow accuracy and ignore byte accuracy. The classifier would obtain low classification performance for elephant flows because of the imbalance between elephant flows and mice flows on the Internet. The elephant flows, however, consume much more bandwidth than mice flows. When the classifier is deployed for traffic policing, the network management system cannot penalize elephant flows and avoid network congestion effectively. This article explores the factors related to low byte accuracy, and secondly, it presents a new traffic classification method to improve byte accuracy with the aid of data cleaning. Experiments are carried out on three groups of real-world traffic datasets, and the method is compared with existing work on the performance of improving byte accuracy. Experiments show that byte accuracy increased by about 22.31% on average. The method outperforms the existing one in most cases.

17.
Peer‐to‐peer (P2P) traffic identification is currently an important challenge to network management and measurement. Many approaches based on statistics have been proposed to identify P2P traffic. However, flow features extracted by traditional methods are rough and one‐sided, which might lead to inaccurate identification of network traffic. Besides, P2P traffic has too many statistical features, which is a challenge to the time complexity and space complexity of the classifier. This work focuses on the study of flow features. First, micro features of flow signals are extracted based on wavelet packet decomposition, and we combine them with the traditional features into combination features. The experimental results show that combination features have better performance than traditional features for P2P traffic identification, and 16 kinds of wavelet functions were tested to find the best one. Second, a feature reduction algorithm based on improved kernel principal component analysis is provided. The results show that the feature reduction algorithm proposed in this paper performs well for P2P traffic identification, because it could greatly reduce the number of features while having no effect on identification accuracy. Copyright © 2012 John Wiley & Sons, Ltd.

18.
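Research on Peer-to-Peer Network Traffic Detection Techniques   Total citations: 1, self-citations: 0, citations by others: 1
P2P traffic detection techniques can be divided into identification based on traffic characteristics (TLI) and identification based on deep packet inspection (DPI). TLI analyzes transport-layer packets and, combined with the traffic characteristics that P2P systems exhibit, identifies whether a given network flow belongs to P2P. DPI uses protocol analysis and reconstruction techniques to extract P2P application-layer data and, by analyzing the protocol signatures contained in the payload, determines whether the network traffic belongs to a P2P application. Because DPI is highly accurate, robust, and capable of classification, it is the main method for P2P traffic identification. If the advantages of TLI and DPI can be combined, it may be possible to design an accurate and efficient real-time P2P traffic identification algorithm.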

19.
The rapid development of the Internet has led to the explosion of information sharing, and how to supervise the sharing is a main research topic on the current Internet. Aiming at the disadvantage that the current Peer-to-Peer (P2P) is hard to manage and control, this paper presents a Session Initial Protocol (SIP)-based P2P network of three-level architecture. SIP middleware is introduced to the middle level of the three-layer architecture. By the connection function of the SIP signaling, the P2P transmission on media-level can be controlled. Using SIP's register and authentication function, the manage layer can manage the whole P2P network. Based on the aforementioned architecture, this paper investigates the grouping strategy on a live broadcast application in P2P network. Combined with the function of SIP register, the paper works on several grouping strategies, sets up models to manage users by grouping them, presents a weight-based K-means IP address grouping algorithm, and realizes it. The experiment shows that the grouping strategy presented in this paper can solve the problem of group sharing of network resource, and can realize the efficient-sharing, reasonable-distributing of network resource.

20.
胡超  陈鸣  许博  李兵 《电子与信息学报》2011,33(9):2219-2224
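P2P-based IPTV (P2P-TV) is one of the fastest-growing Internet applications today, and identifying P2P-TV video flows in real time is a key step in managing P2P-TV traffic and understanding network behavior. By analyzing the architecture, communication process, packet structure, and system characteristics of P2P-TV as represented by PPLive, this paper proposes a real-time crawler-based video flow identification algorithm, CIVF, and a real-time protocol-feature-based video flow identification algorithm, PIVF. CIVF identifies P2P-TV video flows by using a crawler program to obtain P2P-TV node information, whereas PIVF achieves real-time identification based on the communication timing of video flows and their application-layer payload features. Experimental analysis in an Internet environment shows that CIVF is easy to implement but has an insufficiently high identification rate and a relatively long residual time for node information, while PIVF offers higher accuracy, faster identification, and strong scalability.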
