What is the impact of p2p traffic on anomaly detection?

Authors:
Irfan Ul Haq;Sardar Ali;Hassan Khan;Syed Ali Khayam
Affiliations:
School of Electrical Engineering & Computer Science, National University of Sciences & Technology, Islamabad, Pakistan;School of Electrical Engineering & Computer Science, National University of Sciences & Technology, Islamabad, Pakistan;School of Electrical Engineering & Computer Science, National University of Sciences & Technology, Islamabad, Pakistan;School of Electrical Engineering & Computer Science, National University of Sciences & Technology, Islamabad, Pakistan
Venue:
RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Year:
2010

Citing 17
Cited 3

Throttling Viruses: Restricting propagation to defeat malicious mobile code

ACSAC '02 Proceedings of the 18th Annual Computer Security Applications Conference
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Exploiting P2P systems for DDoS attacks

InfoScale '06 Proceedings of the 1st international conference on Scalable information systems
Detecting anomalies in network traffic using maximum entropy estimation

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Implementing and testing a virus throttle

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Very fast containment of scanning worms

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
An overview of anomaly detection techniques: Existing solutions and latest technological trends

Computer Networks: The International Journal of Computer and Telecommunications Networking
A Comparative Evaluation of Anomaly Detectors under Portscan Attacks

RAID '08 Proceedings of the 11th international symposium on Recent Advances in Intrusion Detection
DDoS Attacks by Subverting Membership Management in P2P Systems

NPSEC '07 Proceedings of the 2007 3rd IEEE Workshop on Secure Network Protocols
Network-aware forward caching

Proceedings of the 18th international conference on World wide web
On dominant characteristics of residential broadband internet traffic

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
On the Inefficient Use of Entropy for Anomaly Detection

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Measurement and diagnosis of address misconfigured P2P traffic

INFOCOM'10 Proceedings of the 29th conference on Information communications
Finding peer-to-peer file-sharing using coarse network behaviors

ESORICS'06 Proceedings of the 11th European conference on Research in Computer Security
Misusing unstructured p2p systems to perform dos attacks: the network that never forgets

ACNS'06 Proceedings of the 4th international conference on Applied Cryptography and Network Security

Securing application-level topology estimation networks: facing the frog-boiling attack

RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Identifying skype nodes in the network exploiting mutual contacts

TMA'12 Proceedings of the 4th international conference on Traffic Monitoring and Analysis
PeerRush: mining for unwanted p2p traffic

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Quantified Score

Hi-index	0.00

Visualization

Abstract

Recent studies estimate that peer-to-peer (p2p) traffic comprises 40-70% of today's Internet traffic [1]. Surprisingly, the impact of p2p traffic on anomaly detection has not been investigated. In this paper, we collect and use a labeled dataset containing diverse network anomalies (portscans, TCP floods, UDP floods, at varying rates) and p2p traffic (encrypted and unencrypted with BitTorrent, Vuze, Flashget, µTorrent, Deluge, BitComet, Halite, eDonkey and Kademlia clients) to empirically quantify the impact of p2p traffic on anomaly detection. Four prominent anomaly detectors (TRW-CB [7], Rate Limiting [8], Maximum Entropy [10] and NETAD [11]) are evaluated on this dataset. Our results reveal that: 1) p2p traffic results in up to 30% decrease in detection rate and up to 45% increase in false positive rate; 2) due to a partial overlap of traffic behaviors, p2p traffic inadvertently provides an effective evasion cover for high- and low-rate attacks; and 3) training an anomaly detector on p2p traffic, instead of improving accuracy, introduces a significant accuracy degradation for the anomaly detector. Based on these results, we argue that only p2p traffic filtering can provide a pragmatic, yet short-term, solution to this problem. We incorporate two prominent p2p traffic classifiers (OpenDPI [23] and Karagiannis' Payload Classifier(KPC) [24]) as pre-processors into the anomaly detectors and show that the existing non-proprietary p2p traffic classifiers do not have sufficient accuracies to mitigate the negative impacts of p2p traffic on anomaly detection. Given the premise that p2p traffic is here to stay, our work demonstrates the need to rethink the classical anomaly detection design philosophy with a focus on performing anomaly detection in the presence of p2p traffic. We make our dataset publicly available for evaluation of future anomaly detectors that are designed to operate with p2p traffic.