Identification and Management of Sessions Generated by Instant Messaging and Peer-to-Peer Systems

Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows, affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities, making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, the performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task is not easily accomplished, as IM/P2Ps employ evasion techniques to hide their traces, including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules, namely session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that organize IM/P2P sessions and the packets of their data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application-layer analysis, which combined boost the framework's identification precision. More importantly, we introduce "plug-and-play" IM/P2P protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and the corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2P detection accuracy under diverse settings and excellent overall performance in both controlled and real-world environments.
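The pipeline the abstract sketches, as an added example that is not the paper's prototype and reproduces none of its code: a session table held in a splay tree (so the sessions currently carrying packets stay near the root), per-direction TCP stream reassembly that parks out-of-order segments until the hole in front of them is filled, a list of plug-in dissectors run over the reassembled bytes, and an arbitrator table that maps the verdict to an action. Everything named here (`Framework`, `Stream`, `session_key`, `DISSECTORS`, `POLICY`) is this example's own; the reassembly parks segments in a dict keyed by sequence number where the paper uses an interval tree, and the dissectors are deliberately toy prefix checks (the Gnutella 0.6 and BitTorrent handshake prefixes are the real protocol constants, the XMPP check is a loose substring match) rather than the syntax-and-semantics parsers the paper describes.

```python
# Constructed example: a toy IM/P2P session classifier, not the paper's implementation.
class _Node:
    def __init__(self, key, val):
        self.key, self.val, self.left, self.right = key, val, None, None

class SplayTree:
    """Session table: each lookup splays the touched key to the root, so the
    sessions currently carrying packets stay near the top (top-down splay)."""
    def __init__(self):
        self.root = None

    def _splay(self, key):
        if self.root is None:
            return
        head = _Node(None, None)           # anchors the left and right spare trees
        left = right = head
        t = self.root
        while True:
            if key < t.key:
                if t.left is None:
                    break
                if key < t.left.key:       # zig-zig: rotate right first
                    y, t.left = t.left, t.left.right
                    y.right, t = t, y
                    if t.left is None:
                        break
                right.left, right, t = t, t, t.left    # link right
            elif key > t.key:
                if t.right is None:
                    break
                if key > t.right.key:      # zag-zag: rotate left first
                    y, t.right = t.right, t.right.left
                    y.left, t = t, y
                    if t.right is None:
                        break
                left.right, left, t = t, t, t.right    # link left
            else:
                break
        left.right, right.left = t.left, t.right       # reassemble the three trees
        t.left, t.right = head.right, head.left
        self.root = t

    def get(self, key):
        self._splay(key)
        return self.root.val if self.root and self.root.key == key else None

    def insert(self, key, val):
        self._splay(key)
        if self.root is not None and self.root.key == key:
            self.root.val = val
            return
        n = _Node(key, val)                # splayed root is key's neighbour: split around it
        if self.root is not None and key < self.root.key:
            n.left, n.right, self.root.left = self.root.left, self.root, None
        elif self.root is not None:
            n.right, n.left, self.root.right = self.root.right, self.root, None
        self.root = n

def session_key(proto, src, sport, dst, dport):
    a, b = (src, sport), (dst, dport)      # order endpoints so both directions share one key
    return (proto,) + (a + b if a <= b else b + a)

class Stream:
    """One direction of a TCP session; segments are parked by seq and drained in order."""
    def __init__(self, isn):
        self.next_seq, self.pending, self.data = isn, {}, bytearray()

    def add(self, seq, payload):
        self.pending[seq] = payload
        while self.pending and min(self.pending) <= self.next_seq:   # no hole in front
            seq = min(self.pending)
            chunk = self.pending.pop(seq)[self.next_seq - seq:]      # trim retransmitted overlap
            self.data += chunk
            self.next_seq += len(chunk)

DISSECTORS = [   # plug-in analyzers: (label, predicate over the reassembled client bytes)
    ("gnutella", lambda d: d.startswith(b"GNUTELLA CONNECT/")),
    ("bittorrent", lambda d: d.startswith(b"\x13BitTorrent protocol")),
    ("xmpp", lambda d: b"<stream:stream" in d[:256]),
]
POLICY = {"gnutella": "block", "bittorrent": "block", "xmpp": "shape"}   # arbitrator table

class Framework:
    def __init__(self, dissectors=DISSECTORS, policy=POLICY):
        self.sessions, self.dissectors, self.policy = SplayTree(), dissectors, policy

    def packet(self, src, sport, dst, dport, seq, payload):
        """Feed one TCP segment; returns (label, action) once the session is classified."""
        key = session_key("tcp", src, sport, dst, dport)
        sess = self.sessions.get(key)
        if sess is None:
            sess = {"label": None}         # per-direction Streams plus the remembered verdict
            self.sessions.insert(key, sess)
        # assumption: first segment seen in a direction sets the base seq (a real assembler uses the SYN's ISN)
        stream = sess.setdefault((src, sport), Stream(seq))
        stream.add(seq, payload)
        if sess["label"] is None:          # stateful: classify once, then remember
            sess["label"] = next((name for name, m in self.dissectors if m(bytes(stream.data))), None)
        label = sess["label"]
        return (label, self.policy.get(label, "allow")) if label else None
```

Feeding a Gnutella 0.6 handshake split into three segments with the middle one arriving last, the framework returns nothing for the first two segments (the dissector only sees "GNUTELLA CON") and `("gnutella", "block")` once the hole is filled; the server's reply on the reverse direction lands in the same session through the ordered key and inherits the verdict. Registering a new analyzer is a matter of appending a `(label, predicate)` pair to `DISSECTORS`, which is the extensibility point the abstract calls plug-and-play.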
