Unwanted Traffic Identification in Large-Scale University Networks: A Case Study

  • Chittaranjan Hota
  • Pratik Narang
  • Jagan Mohan Reddy


To mitigate the malicious impact of P2P traffic on University networks, in this article the authors have proposed the design of payload-oblivious privacy-preserving P2P traffic detectors. The proposed detectors do not rely on payload signatures, and hence, are resilient to P2P client and protocol changes—a phenomenon which is now becoming increasingly frequent with newer, more popular P2P clients/protocols. The article also discusses newer designs to accurately distinguish P2P botnets from benign P2P applications. The datasets gathered from the testbed and other sources range from Gigabytes to Terabytes containing both unstructured and structured data assimilated through running of various applications within the University network. The approaches proposed in this article describe novel ways to handle large amounts of data that is collected at unprecedented scale in authors’ University network.


Malicious Node Port Number Internet Traffic Sybil Attack Deep Packet Inspection 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



This work was supported by Grant number 12(13)/2012-ESD for scientific research under Cyber Security area from the Department of Information Technology, Govt. of India, New Delhi, India.


  1. 1.
    Ahn YY, Bagrow JP, Lehmann S (2010) Link communities reveal multiscale complexity in networks. Nature 466(7307):761–764CrossRefGoogle Scholar
  2. 2.
    Berket K, Essiari A, Muratas A (2004) Pki-based security for peer-to-peer information sharing. In: Fourth international conference on peer-to-peer computing, 2004. Proceedings. IEEE, pp 45–52Google Scholar
  3. 3.
    Blondel VD, Guillaume JL, Lambiotte R, Lefebvre E (2008) Fast unfolding of communities in large networks. J Stat Mech: Theory Exp (10):P10,008Google Scholar
  4. 4.
    Borisov N (2006) Computational puzzles as sybil defenses. In: Sixth IEEE international conference on peer-to-peer computing, 2006. P2P 2006. IEEE, pp 171–176Google Scholar
  5. 5.
    Castro M, Druschel P, Ganesh A, Rowstron A, Wallach DS (2002) Secure routing for structured peer-to-peer overlay networks. ACM SIGOPS Oper Syst Rev 36(SI):299–314Google Scholar
  6. 6.
    Condie T, Kacholia V, Sank S, Hellerstein JM, Maniatis P (2006) Induced churn as shelter from routing-table poisoning. In: NDSSGoogle Scholar
  7. 7.
    Dash M, Liu H (2003) Consistency-based search in feature selection. Artif Intell 151(1):155–176MathSciNetCrossRefMATHGoogle Scholar
  8. 8.
    Daswani N, Garcia-Molina H (2002) Query-flood dos attacks in gnutella. In: Proceedings of the 9th ACM conference on computer and communications security., CCS ’02ACM, New York, NY, USA, pp 181–192Google Scholar
  9. 9.
    Day DJ, Burns BM (2011) A performance analysis of snort and suricata network intrusion detection and prevention engines. In: The Fifth international conference on digital societyGoogle Scholar
  10. 10.
    Dhungel P, Hei X, Ross KW, Saxena N (2007) The pollution attack in p2p live video streaming: measurement results and defenses. In: Proceedings of the 2007 workshop on peer-to-peer streaming and IP-TV. ACM, pp 323–328Google Scholar
  11. 11.
    Douceur JR (2002) The sybil attack. In: Peer-to-peer systems. Springer, pp 251–260Google Scholar
  12. 12.
    Falliere N (2011) Sality: story of a peer-to-peer viral network. Symantec Corporation, Rapport techniqueGoogle Scholar
  13. 13.
    Feldman M, Papadimitriou C, Chuang J, Stoica I (2006) Free-riding and whitewashing in peer-to-peer systems. IEEE J Sel Areas Commun 24(5):1010–1019CrossRefGoogle Scholar
  14. 14.
    François J, Wang S, State R, Engel T (2011) Bottrack: tracking botnets using netflow and pagerank. In: Proceedings of the 10th International IFIP TC 6 conference on networking—volume Part I, NETWORKING ’11. Springer, Berlin, pp 1–14Google Scholar
  15. 15.
    García S, Grill M, Stiborek J, Zunino A (2014) An empirical comparison of botnet detection methods. Comput SecurGoogle Scholar
  16. 16.
    Hall MA (1999) Correlation-based feature selection for machine learning. PhD thesis, The University of WaikatoGoogle Scholar
  17. 17.
    Hang H, Wei X, Faloutsos M, Eliassi-Rad T (2013) Entelecheia: detecting p2p botnets in their waiting stage. In: IFIP networking conference, 2013. IEEE, USA, pp 1–9Google Scholar
  18. 18.
    Haribabu K, Arora D, Kothari B, Hota C (2010) Detecting sybils in peer-to-peer overlays using neural networks and captchas. In: 2010 International conference on computational intelligence and communication networks (CICN). IEEE, pp 154–161Google Scholar
  19. 19.
    Haribabu K, Hota C, Paul A (2012) Gaur: a method to detect sybil groups in peer-to-peer overlays. Int J Grid Util Comput 3(2):145–156CrossRefGoogle Scholar
  20. 20.
    Jolliffe I (2005) Principal component analysis. Wiley Online LibraryGoogle Scholar
  21. 21.
    Karagiannis T, Broido A, Faloutsos M et al (2004) Transport layer identification of p2p traffic. In: Proceedings of the 4th ACM SIGCOMM conference on internet measurement. ACM, pp 121–134Google Scholar
  22. 22.
    Karagiannis T, Papagiannaki K, Faloutsos M (2005) Blinc: multilevel traffic classification in the dark. ACM SIGCOMM Comput Commun Rev 35:229–240 (ACM)Google Scholar
  23. 23.
    Li J, Zhang S, Lu Y, Yan J (2008) Real-time p2p traffic identification. In: Global telecommunications conference, 2008., IEEE GLOBECOM 2008. IEEE, USA, pp 1–5Google Scholar
  24. 24.
    Liang J, Kumar R, Xi Y, Ross KW (2005) Pollution in p2p file sharing systems. In: INFOCOM 2005. 24th Annual joint conference of the IEEE computer and communications societies. Proceedings IEEE, vol 2. IEEE, pp 1174–1185Google Scholar
  25. 25.
    Liang J, Naoumov N, Ross KW (2006) The index poisoning attack in p2p file sharing systems. In: INFOCOM. Citeseer, pp 1–12Google Scholar
  26. 26.
    Livadas C, Walsh R, Lapsley D, Strayer WT (2006) Using machine learning techniques to identify botnet traffic. In: 31st IEEE conference on local computer networks, proceedings 2006. IEEE, pp 967–974Google Scholar
  27. 27.
    Locher T, Mysicka D, Schmid S, Wattenhofer R (2010) Poisoning the kad network. In: Distributed computing and networking. Springer, pp 195–206Google Scholar
  28. 28.
    Masud MM, Gao J, Khan L, Han J, Thuraisingham B (2008) Mining concept-drifting data stream to detect peer to peer botnet traffic. University of Texas at Dallas Technical Report# UTDCS-05- 08Google Scholar
  29. 29.
    Mehra P (2012) A brief study and comparison of snort and bro open source network intrusion detection systems. Int J Adv Res Comput Commun Eng 1(6):383–386Google Scholar
  30. 30.
    Nagaraja S (2014) Botyacc: unified p2p botnet detection using behavioural analysis and graph analysis. In: Computer security-ESORICS 2014. Springer, pp 439–456Google Scholar
  31. 31.
    Narang P, Hota C, Venkatakrishnan V (2014) Peershark: flow-clustering and conversation-generation for malicious peer-to-peer traffic identification. EURASIP J Inf Secur 2014(1):1–12CrossRefGoogle Scholar
  32. 32.
    Narang P, Khurana V, Hota C (2014) Machine-learning approaches for p2p botnet detection using signal-processing techniques. In: Proceedings of the 8th ACM international conference on distributed event-based systems. ACM, pp 338–341Google Scholar
  33. 33.
    Narang P, Ray S, Hota C, Venkatakrishnan V (2014) Peershark: detecting peer-to-peer botnets by tracking conversations. In: Security and privacy workshops (SPW), 2014. IEEE, pp 108–115Google Scholar
  34. 34.
    Narang P, Reddy JM, Hota C (2013) Feature selection for detection of peer-to-peer botnet traffic. In: Proceedings of the 6th ACM India computing convention, pp 16:1–16:9Google Scholar
  35. 35.
    Puttaswamy KP, Zheng H, Zhao BY (2009) Securing structured overlays against identity attacks. IEEE Trans Parallel Distrib Syst 20(10):1487–1498CrossRefGoogle Scholar
  36. 36.
    Rahbarinia B, Perdisci R, Lanzi A, Li K (2013) Peerrush: mining for unwanted p2p traffic. Detection of intrusions and malware, and vulnerability assessment. Springer, Berlin, pp 62–82Google Scholar
  37. 37.
    Ratnasamy S, Francis P, Handley M, Karp R, Shenker S (2001) A scalable content-addressable network, vol 31. ACMGoogle Scholar
  38. 38.
    Reddy JM, Hota C (2013) P2p traffic classification using ensemble learning. In: Proceedings of the 5th IBM collaborative academia research exchange workshop. ACM, p 14Google Scholar
  39. 39.
    Roesch M et al (1999) Snort: lightweight intrusion detection for networks. LISA 99:229–238Google Scholar
  40. 40.
    Rowstron A, Druschel P (2001) Pastry: scalable, decentralized object location, and routing for large-scale peer-to-peer systems. In: Middleware 2001. Springer, pp 329–350Google Scholar
  41. 41.
    Ruehrup S, Urbano P, Berger A, D’Alconzo A (2013) Botnet detection revisited: Theory and practice of finding malicious p2p networks via internet connection graphs. In: 2013 IEEE conference on computer communications workshops (INFOCOM WKSHPS). IEEE, pp 435–440Google Scholar
  42. 42.
    Schoof R, Koning R (2007) Detecting peer-to-peer botnets. University of Amsterdam. Technical reportGoogle Scholar
  43. 43.
    Sen S, Spatscheck O, Wang D (2004) Accurate, scalable in-network identification of p2p traffic using application signatures. In: Proceedings of the 13th international conference on World Wide Web. ACM, pp 512–521Google Scholar
  44. 44.
    Singh A et al (2006) Eclipse attacks on overlay networks: threats and defenses. In: IEEE INFOCOM, CiteseerGoogle Scholar
  45. 45.
    Steiner M, En-Najjary T, Biersack EW (2007) Exploiting kad: possible uses and misuses. ACM SIGCOMM Comput Commun Rev 37(5):65–70CrossRefGoogle Scholar
  46. 46.
    Stover S, Dittrich D, Hernandez J, Dietrich S (2007) Analysis of the storm and nugache trojans: P2p is here. USENIX 32(6):18–27Google Scholar
  47. 47.
    Tegeler F, Fu X, Vigna G, Kruegel C (2012) Botfinder: finding bots in network traffic without deep packet inspection. In: Proceedings of the 8th international conference on emerging networking experiments and technologies. ACM, pp 349–360Google Scholar
  48. 48.
    Trifa Z, Khemakhem M (2012) Taxonomy of structured p2p overlay networks security attacks. World Acad Sci, Eng Technol 6(4):460–466Google Scholar
  49. 49.
    Yu H, Kaminsky M, Gibbons PB, Flaxman A (2006) Sybilguard: defending against sybil attacks via social networks. ACM SIGCOMM Comput Commun Rev 36(4):267–278CrossRefGoogle Scholar
  50. 50.
    Yue X, Qiu X, Ji Y, Zhang C (2009) P2p attack taxonomy and relationship analysis. In: 11th International conference on advanced communication technology, 2009. ICACT 2009, vol 2. IEEE, pp 1207–1210Google Scholar
  51. 51.
    Zhang R, Zhang J, Chen Y, Qin N, Liu B, Zhang Y (2011) Making eclipse attacks computationally infeasible in large-scale dhts. In: 2011 IEEE 30th International performance computing and communications conference (IPCCC). IEEE, pp 1–8Google Scholar

Copyright information

© Springer India 2016

Authors and Affiliations

  • Chittaranjan Hota
    • 1
  • Pratik Narang
    • 1
  • Jagan Mohan Reddy
    • 1
  1. 1.BITS-Pilani Hyderabad CampusHyderabadIndia

Personalised recommendations