Revealing Cooperating Hosts by Connection Graph Analysis

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2012)

Abstract

In this paper we present an algorithm that is able to progressively discover nodes cooperating in a P2P network. Starting from a single known node, we can easily identify other nodes in the peer-to-peer network, through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties, we monitor connections of known nodes in the network and then progressively discover other nodes through the analysis of their mutual contacts. We show that our method is able to discover all cooperating nodes in many P2P networks. The use of standardized input data allows for easy deployment onto real networks. Moreover, because this approach requires only short processing times, it scales very well in larger and higher speed networks.
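The preview does not include the algorithm itself, so the following is an added sketch and not the authors' method: a simplified mutual-contact expansion over (source, destination) flow pairs that grows the known set from one seed until no host qualifies. The thresholds `min_mutual` and `max_degree`, the function names, and the host names in the constructed sample are all assumptions.

```python
from collections import defaultdict
from itertools import combinations

def contact_sets(flows):
    """Undirected contact set per host, built from (src, dst) flow pairs."""
    contacts = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            contacts[src].add(dst)
            contacts[dst].add(src)
    return contacts

def discover(flows, seed, min_mutual=2, max_degree=9):
    """Return the hosts added in each round, starting from one known node.

    A host joins the known set when it shares at least `min_mutual`
    contacts with some already known node. Hosts with more than
    `max_degree` contacts (resolvers, popular web servers) are ignored,
    because almost every pair of hosts shares them.
    """
    contacts = contact_sets(flows)
    popular = {h for h, c in contacts.items() if len(c) > max_degree}
    known, rounds = {seed}, []
    while True:
        added = set()
        for host in contacts.keys() - known - popular:
            peers = contacts[host] - popular
            if any(len(peers & contacts[k]) >= min_mutual for k in known):
                added.add(host)
        if not added:
            return rounds
        rounds.append(added)
        known |= added

def sample_flows():
    """Constructed data: two peer groups joined by p4, five ordinary
    clients, and two services that every host contacts."""
    group_a = ["p1", "p2", "p3", "p4"]
    group_b = ["p4", "p5", "p6", "p7"]
    clients = ["c1", "c2", "c3", "c4", "c5"]
    flows = list(combinations(group_a, 2)) + list(combinations(group_b, 2))
    for host in sorted(set(group_a + group_b + clients)):
        flows += [(host, "resolver"), (host, "web")]
    return flows

if __name__ == "__main__":
    for i, found in enumerate(discover(sample_flows(), "p1"), 1):
        print(f"round {i}: {sorted(found)}")
```

On the sample, the second peer group is only reachable after p4 is found in the first round. Raising `max_degree` so that the shared services are counted as mutual contacts pulls the ordinary clients in as false positives.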

Copyright information

© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Jusko, J., Rehak, M. (2013). Revealing Cooperating Hosts by Connection Graph Analysis. In: Keromytis, A.D., Di Pietro, R. (eds) Security and Privacy in Communication Networks. SecureComm 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 106. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36883-7_15

  • DOI: https://doi.org/10.1007/978-3-642-36883-7_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-36882-0

  • Online ISBN: 978-3-642-36883-7

  • eBook Packages: Computer Science, Computer Science (R0)
