1. P2P Security ThreatsP2P Security Threats
And TheirAnd Their
Chittaranjan Hota, PhD
Associate Professor, Dept. of Computer Science & Engineering
Birla Institute of Technology & Science-Pilani, Hyderabad Campus
Shameerpet, Hyderabad, AP, India
Workshop on Cyber Security, Bharti School, IIT, Delhi
2. [Source: Privacy & Security, Eric Byres, Communications of the ACM, August 2013]
Air gap MythAir gap Myth
25. P2P Botnet TracesP2P Botnet Traces
Botnet name What it does? Size of data Source of data
Kelihos-Hlux Email spam, DoS, steal Bitcoin
5 MB Generated on testbed + obtained form
online sources 
Waledac Email spam, password stealing 25 MB ISOT dataset 
ZeuS Steals banking information by
MITM key logging and form
5 MB Generated on testbed
TRAINING DATA TEST DATA
ZeuS Steals banking information by
MITM key logging and form
25 MB ISOT dataset 
Storm Email spam 30 MB ISOT dataset 
Conficker Disables important system services
and security products
50 GB Obtained from CAIDA 
26. Bayesian Regularized NNBayesian Regularized NN
• Bayesian Regularized Neural Network based Real-time Peer-to-Peer Botnet Detection, Pratik Narang, Sharat Chandra, Chittaranjan Hota,
Accepted in IEEE P2P 2013, Trento, Italy (Sept 2013)
• 23 features extracted from
• Information Gain with
ranking used to rank the
• Top 16 features chosen.
Malicious samples 25898 276
Percentage 98.9455% 1.0545%
27. Feature SelectionFeature Selection
• 23 features extracted from flows
28. Large Botnet TracesLarge Botnet Traces
What it does? Type of data/Size
Source of data
Sality Infects executable files,
attempts to disable
Binary (.exe) file Generated on testbed
Storm Email Spam .pcap file/ 4.8 GB Obtained from Uni. of
Waledac Email spam, password
.pcap file/ 68 GB Obtained from Uni. of
ZeuS Steals banking
information by MITM
key logging and form
.pcap file/ 105 MB Obtained from Uni. of
Georgia  +
Generated on test bed
29. Experimental ResultsExperimental Results
30. Distributed Data collectionDistributed Data collection
and processingand processing
Botnet traffic generation
InternetInfo. Sec. Lab
Data collection for P2P and
IDS for botnet
31. Hadoop setup running atHadoop setup running at
BITS HydBITS Hyd
32. ReferencesReferences1. http://news.netcraft.com/archives/2007/05/23/p2p_networks_hijacked_for_ddos_attacks.htm
2. S Mcbride, and G A Flower, Estimate of Film-piracy cost soars: Hollywood loss is put at $6.1b a year, The Wall Street Journal Europe, may 4th
3. Thomas Karagiannis, Andre Broido, Michalis Faloutsos, Kc claffy, Transport Layer Identification of P2P Traffic, in Proc. 4th ACM SIGCOMM conference on Internet measurement, pp. 121-134, 2004.
4. Subhabrata Sen, Oliver Spatscheck, and Dongmei Wang, Accurate, Scalable InNetwork Identification of P2P Traffic Using Application Signatures, WWW 2004, May 2004.
5. S Sen, Jia Wang, Analyzing Peer-To-Peer Traffic Across Large Networks, IEEE/ACM Transactions on Networking, Vol. 12, No. 2, April 2004.
6. Thuy T T N, and G Armitage, A survey of Techniques for Internet Traffic Classification using Machine Learning, IEEE Communications Surveys & Tutorials, Vol. 10, No. 4, 2008.
7. Hassan Khan, S A Khayam, L Golubchik, M. Rajarajan, and Michael Orr, Wirespeed, Privacy-Preserving P2P Traffic Detection on Commodity Switches, Available Online at www.xflowresearch.com
8. Intrusion detection system: At: http://en.wikipedia.org/wiki/Intrusion_detection_system.
9. P. Garcia-Teodoroa, J. Diaz-Verdejo, G.Macia-Fernandeza, and E. Vazquezb, Anomaly-based network intrusion detection: Techniques, systems and challenges, Computers and Security, vol. 28, Issue: 1-2, pp. 18-28, 2009.
10. Gupta R, and Somani A K, Game theory as a tool to strategize as well as predict node’s behavior in peer-to-peer networks , International conf. on PDS, 2005, pp. 244-249.
11. Roberto G Cascella, 2nd ENISA Workshop on Authentication Interoperability Languages held at the ENISA/EEMA European eIdentity conference, Paris, France, June 12-13, 2007.
12. C Wang, Li Chen, H Chen, and K Zhou, Incentive Mechanism Based on Game Theory in P2P Networks, ITCS 2010, pp. 190-193.
13. Sarraute, C., et al., Simulation of Computer Network Attacks, CoreLabs, Core Security Technologies, 2010.
18. Quinlan, J. R, C4.5: Programs for Machine Learning, Morgan Kaufmann Publishers, 1993.
22. Massicotte, F. and Labiche, Y, An analysis of signature overlaps in Intrusion Detection Systems, Dependable Systems & Networks (DSN) IEEE/IFIP 41st International Conference, pp. 109-120, 2011.
23. Cheng-Yuan Ho, Yuan-Cheng Lai, I-Wei Chen, Fu-Yu Wang, and Wei-Hsuan Tai, Statistical analysis of false positives and false negatives from real traffic with intrusion detection/prevention systems, Communication Magazine,
IEEE, pp.146-154, 2012.
24. Sardar Ali, Hassan Khan, and Syed Ali Khayam, What is the Impact of P2P Traffic on Anomaly Detection?, Proceeding of 13th International symposium, Recent Advances in Intrusion Detection (RAID) 2010, pp. 1-7, 2010.
25. Jeffrey Erman, et al. Identifying and Discriminating Between Web and Peer-to-Peer in the Network Core, WWW 2007, ACM, pp. 883-892.
26. Genevieve B, et al., Estimating P2P traffic volume at USC, Technical Report, USC, June 2007.
27. Alok Madhukar, Carey W, A Longitudinal Study of P2P Traffic Classification, IEEE International Symposium on Modeling, Analysis, and Simulation, CA, 2006, pp. 179-188.
28. Hongwei C, et al., A SVM method for P2P traffic identification based on multiple traffic mode, Journal of Networks, Nov 2010, pp. 1381-1388.
29. K Ilgun, et al, State transition analysis: A rule based intrusion detection approach, IEEE transactions on software engineering, Vol 21, 1995.
30. F Jemili, et al, A framework for an adaptive intrusion detection system using bayesian network, IEEE Intelligence and Security Informatics, May 2007, pp.66-70.
31. Soysal, Murat, and Ece Guran Schmidt. "Machine learning algorithms for accurate flow-based network traffic classification: Evaluation and comparison." Performance Evaluation 67.6 (2010): 451-467.
32. Williams, Nigel, Sebastian Zander, and Grenville Armitage. "A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification." ACM SIGCOMM Computer Communication
Review36.5 (2006): 5-16.
33. Berg, Peter Ekstrand. "Behavior-based Classification of Botnet Malware." Thesis Report 2011, Gjovik University College, Norway.
34. Rahbarinia, Babak, Roberto Perdisci1 Andrea Lanzi, and Kang Li. "PeerRush: Mining for Unwanted P2P Traffic.“ DIMVA 2013
36. Saad, Sherif, et al. "Detecting P2P botnets through network behavior analysis and machine learning." Privacy, Security and Trust (PST), 2011 Ninth Annual International Conference on. IEEE, 2011.
37. CAIDA, UCSD. "Network Telescope" Three Days Of Conficker“ 21st Nov. 2008."Paul Hick, Emile Aben, Dan Andersen and kcclaffy http://www. caida. org/data/passive/telescope-3days-conficker_dataset. xml.
38. Abbes, Tarek, Adel Bouhoula, and Michaël Rusinowitch. "Protocol analysis in intrusion detection using decision tree." Information Technology: Coding and Computing, 2004. Proceedings. ITCC 2004. International Conference
on. Vol. 1. IEEE, 2004.
39. S. Chebrolu, A. Abraham, and J. P. Thomas. Feature deduction and ensemble design of intrusion detection systems. Computers & Security, 24(4):295–307, 2005.
40. A.H.Sung and S. Mukkamala. The feature selection and intrusion detection problems. In Advances in Computer Science-ASIAN 2004. Higher-Level Decision Making, pages 468–482. Springer, 2005.
41. McHugh, John. "Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory." ACM transactions on Information and system Security 3.4