What is the impact of p2p traffic on anomaly detection

Authors: Irfan Ul Haq, Sardar Ali, Hassan Khan, Syed Ali Khayam

DOI: 10.1007/978-3-642-15512-3_1

Keywords: Encryption, Detector, BitTorrent, Computer science, Kademlia, False positive rate, Internet traffic, Data mining, Computer security, Anomaly detection, Principle of maximum entropy

Abstract: Recent studies estimate that peer-to-peer (p2p) traffic comprises 40-70% of today's Internet traffic [1]. Surprisingly, the impact of p2p traffic on anomaly detection has not been investigated. In this paper, we collect and use a labeled dataset containing diverse network anomalies (portscans, TCP floods and UDP floods at varying rates) and p2p traffic (encrypted and unencrypted, generated with the BitTorrent, Vuze, Flashget, µTorrent, Deluge, BitComet, Halite, eDonkey and Kademlia clients) to empirically quantify the impact of p2p traffic on anomaly detection. Four prominent anomaly detectors (TRW-CB [7], Rate Limiting [8], Maximum Entropy [10] and NETAD [11]) are evaluated on this dataset. Our results reveal that: 1) p2p traffic causes up to a 30% decrease in detection rate and up to a 45% increase in false positive rate; 2) due to a partial overlap between p2p and malicious behaviors, p2p traffic inadvertently provides an effective evasion cover for both high- and low-rate attacks; and 3) training a detector on p2p traffic, instead of improving accuracy, introduces a significant accuracy degradation in the detector. Based on these results, we argue that only p2p traffic filtering can provide a pragmatic, yet short-term, solution to this problem. We incorporate two p2p traffic classifiers (OpenDPI [23] and Karagiannis' Payload Classifier (KPC) [24]) as pre-processors into the detectors and show that existing non-proprietary classifiers do not have sufficient accuracy to mitigate the negative impacts of p2p traffic on anomaly detection. Given the premise that p2p traffic is here to stay, our work demonstrates the need to rethink the classical anomaly detection design philosophy with a focus on performing detection in the presence of p2p traffic. We also make our dataset publicly available for the evaluation of future detectors designed to operate in the presence of p2p traffic.
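The second finding above (p2p behavior partially overlaps with attack behavior, so it both raises false positives and gives attacks evasion cover) is easy to reproduce with a toy new-destination rate limiter in the spirit of Rate Limiting [8]. The following is an added example, not the paper's code or dataset: the three hosts, the flow traces and the 1-second window are constructed assumptions, and the detector is a deliberately simplified "count previously unseen destination IPs per source per second" rule rather than the paper's detector implementations. A BitTorrent-like peer that contacts many new peers per second, a third of which fail (NATed or departed peers), looks more scanner-like than a genuine low-rate scanner does.

```python
"""Toy illustration of p2p/scan behaviour overlap under a new-connection rate limiter.

Added example: a simplified Williamson-style rate limiter (new destinations per
source per window).  NOT the paper's detector code; traces below are constructed.
"""
from collections import defaultdict

# Hypothetical hosts used in the constructed traces.
WEB_CLIENT = "10.0.0.5"   # ordinary browsing: a handful of distinct servers
P2P_PEER = "10.0.0.7"     # BitTorrent-like peer: many new peers, many failures
SCANNER = "10.0.0.9"      # low-rate port scanner: fresh host per flow, all failing


def build_traces():
    """Return constructed flow records (t_sec, src, dst, dport, succeeded)."""
    flows = []
    for t in range(60):
        # Web client cycles through four CDN addresses: nothing new after t=0.
        flows.append((t, WEB_CLIENT, f"203.0.113.{t % 4}", 443, True))
        # P2P peer contacts six swarm members per second; one in three fails.
        for k in range(6):
            flows.append((t, P2P_PEER, f"198.51.100.{(t * 6 + k) % 250}", 6881, k % 3 != 0))
        # Scanner probes three fresh hosts per second on TCP/445, all closed.
        for k in range(3):
            flows.append((t, SCANNER, f"192.0.2.{(t * 3 + k) % 250}", 445, False))
    return flows


def new_destination_rate(flows):
    """Max number of previously unseen destination IPs a source opens in any 1 s window."""
    seen = defaultdict(set)
    per_window = defaultdict(lambda: defaultdict(int))
    for t, src, dst, _port, _ok in sorted(flows):  # process in time order
        if dst not in seen[src]:
            seen[src].add(dst)
            per_window[src][t] += 1
    return {src: max(w.values()) for src, w in per_window.items()}


def failure_ratio(flows):
    """Fraction of a source's connection attempts that failed (a TRW-style signal)."""
    total, failed = defaultdict(int), defaultdict(int)
    for _t, src, _dst, _port, ok in flows:
        total[src] += 1
        if not ok:
            failed[src] += 1
    return {src: failed[src] / total[src] for src in total}


def rate_limit_alarms(flows, threshold):
    """Sources whose new-destination rate exceeds `threshold` in some window."""
    return {src for src, r in new_destination_rate(flows).items() if r > threshold}


def evaluate(flows, threshold, scanners=frozenset({SCANNER})):
    """Split alarms into true positives, false positives and missed scanners."""
    alarms = rate_limit_alarms(flows, threshold)
    return {
        "alarms": alarms,
        "true_positives": alarms & scanners,
        "false_positives": alarms - scanners,
        "missed": scanners - alarms,
    }


if __name__ == "__main__":
    flows = build_traces()
    print("new dests/s:", new_destination_rate(flows))
    print("failure ratio:", {s: round(r, 2) for s, r in failure_ratio(flows).items()})
    # Threshold tuned for the benign client: scanner caught, but p2p peer is a false positive.
    print("threshold 2:", evaluate(flows, 2))
    # Threshold raised until the p2p peer is quiet: the slower scanner now evades.
    print("threshold 6:", evaluate(flows, 6))
```

Run it and the two thresholds show the trade-off the paper measures at scale: any threshold low enough to catch the scanner also flags the p2p peer, and any threshold high enough to tolerate the peer's 6 new destinations per second lets a 3-per-second scanner through. The same holds for the failure-ratio signal, where the p2p peer's 33% connection failures sit well above the benign client's 0%.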

References (25)
Debra Anderson, Thane Frivold, Alfonso Valdes. Next-generation Intrusion Detection Expert System (NIDES): A Summary (1997)
Mobin Javed, Ayesha Binte Ashfaq, M. Zubair Shafiq, Syed Ali Khayam. On the Inefficient Use of Entropy for Anomaly Detection. Recent Advances in Intrusion Detection, pp. 369-370 (2009). DOI: 10.1007/978-3-642-04342-0_28
Stuart E. Schechter, Jaeyeon Jung, Arthur W. Berger. Fast Detection of Scanning Worm Infections. Recent Advances in Intrusion Detection, pp. 59-81 (2004). DOI: 10.1007/978-3-540-30143-1_4
Michael P. Collins, Michael K. Reiter. Finding Peer-to-Peer File-Sharing Using Coarse Network Behaviors. Computer Security – ESORICS 2006, pp. 1-17 (2006). DOI: 10.1007/11863908_1
T. Karagiannis, A. Broido, N. Brownlee, K. C. Claffy, M. Faloutsos. Is P2P dying or just hiding? [P2P traffic measurement]. IEEE Global Communications Conference (GLOBECOM), vol. 3, pp. 1532-1538 (2004). DOI: 10.1109/GLOCOM.2004.1378239
Ayesha Binte Ashfaq, Maria Joseph Robert, Asma Mumtaz, Muhammad Qasim Ali, Ali Sajjad, Syed Ali Khayam. A Comparative Evaluation of Anomaly Detectors under Portscan Attacks. Recent Advances in Intrusion Detection, pp. 351-371 (2008). DOI: 10.1007/978-3-540-87403-4_19
Jaeyeon Jung, V. Paxson, A. W. Berger, H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. IEEE Symposium on Security and Privacy, pp. 211-225 (2004). DOI: 10.1109/SECPRI.2004.1301325
Vern Paxson, Stuart Staniford, Nicholas Weaver. Very fast containment of scanning worms. USENIX Security Symposium (2004)
Naoum Naoumov, Keith Ross. Exploiting P2P systems for DDoS attacks. Scalable Information Systems (InfoScale), p. 47 (2006). DOI: 10.1145/1146847.1146894
Yong Liu, Yang Guo, Chao Liang. A survey on peer-to-peer video streaming systems. Peer-to-Peer Networking and Applications, vol. 1, pp. 18-28 (2008). DOI: 10.1007/S12083-007-0006-Y