Zhaohui Hu,Qi Chen,Ruizhao Yu

DOI: https://doi.org/10.3321/j.issn:1002-8331.2001.10.020

2001-01-01

Abstract:This article introduces the implementation of TCP Protocol and the technique of Port Scanning based on the characteristic of TCP Protocol,at the same time,the several implementations of Port Scanning are also described. We also analyze the potential external attacks that can be made because of the weakness of operation system and the ways to avoid suck kinds of attack are also put up.

Liu Bin,Li Zhitang,Li Zhanchun

DOI: https://doi.org/10.1109/iccias.2006.295304

2006-01-01

Abstract:BitTorrent as a kind of P2P application for file-sharing has become tremendously popular over the last few years, now accounting for a significant share of the total network traffic. BitTorrent protocols used arbitrary ports to camouflage its traffic to avoid detection and recognition with standard measurement tools. Some new methods using application layer signature have good accuracy identification. However, these approaches would not be suitable for real-time measurement because of the high overhead. To overcome this problem, we present a measurement system which reliably detects and measures BitTorrent traffic in real-time in this paper. The measurement methodology is based on using application level signatures implemented by Netfilter extension as well as packet classifier. The results from test in a large university network indicate that this approach not only can significantly improve the BitTorrent traffic volume estimates over what pure network port based approaches provide, but also provided the performance required for practical applications

Chen Gong,Wu U. Chunming,Jiang Ming

DOI: https://doi.org/10.1109/WICOM.2010.5601267

2010-01-01

Abstract:Region tracker system can localize the Bittorrent traffic and accelerate user download speed by merging swarms. This paper proposes a concept of private domain name, which makes region tracker system transparent to users and easy to deploy. To reduce the traffic, previous researches focus on how to modify the chossing peer algorithm of a Bittorrent client. However, other peers visible to a Bittorrent client only account for a random portion, causing the previous algorithm to be extremely unstable. In this paper, we design a swarm auto-merging algotithm based on tracker to help user find seeds and significantly increase download speed automatically. Simulation results show that the proposed algorithm localize the tracffic efficiently and improve user download speed.

Wei Ye,Xuan Luo,Rui Xie,Haibin Zhang,Kaida Jiang,Yaohui Jin

DOI: https://doi.org/10.1109/APNOMS.2011.6076985

2011-01-01

Abstract:BitTorrent(BT) has emerged as one of the most popular protocols for content sharing in recent years. Most BT applications are network-oblivious which brings great challenges to traffic engineering. As basic input information, network-wide BT traffic distribution is of vital importance for service providers (SP) or carriers to enforce appropriate control policies. Direct online measurement of network-wide BT traffic faces scalability issue, for it requires deploying application identification deep packet inspection (DPI) device on every subject link. In this paper, we propose a novel approach to estimate network-wide BT traffic distribution through combining sFlow and Tracker traffic analysis. Owing to a noticeable increase of BT traffic using random port numbers, sFlow alone is no longer sufficient for BT recognition. We tackle this problem by combining sFlow with information collected from BT tracker's traffic. With assistance of this information, BT samples can be accurately distinguished from other sFlow samples. The efficacy of our approach is evaluated through experiments on backbone links of campus network. Evaluation results show that our approach can reach a high accuracy in network-wide BT traffic estimation. © 2011 IEEE.

LIU Bin,LI Zhi-Tang,LI Zhan-Chun,ZHOU Li-Juan

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.04.008

2007-01-01

Computer Science

Abstract:BitTorrent as a kind of P2P application for file-sharing is growing dramatically in recent years. BitTorrent application used dynamic port to camouflage its traffic, so it become more difficult to measure BitTorrent traffic. In this paper, a measurement approach based on application level signatures, which reliably detects and measures BitTorrent traffic is described. A presentation of the results from a successful field test in a large university network indicated that this approach is not only accurate, but also provided the performance and scalability required for practical applications.

Shan Rong-sheng,Li Xiao-yong D.,Li Jian-hua

DOI: https://doi.org/10.1007/s11741-004-0073-8

2004-01-01

Abstract:Detection of port scan is an important component in a network intrusion detection and prevention system. Traditional statistical methods can be easily evaded by stealthy scans and are prone to DoS attacks. This paper presents a new mechanism termed PSD(port scan detection), which is based on TCP packet anomaly evaluation. By learning the port distribution and flags of TCP packets arriving at the protected hosts, PSD can compute the anomaly score of each packet and effectively detect port scans including slow scans and stealthy scans. Experiments show that PSD has high detection accuracy and low detection latency.

WANG Ping-hui,ZHENG Qing-hua,NIU Guo-lin,GUAN Xiao-hong,CAI Zhong-min

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.003

2007-01-01

Journal of Communications

Abstract:A slowly port scan detect method was presented based on the statistical traffic features.Two statistical features: the ratio between the number of hosts and ports a host communicates and similarities of the ports set,were selected to denote the traffic features.The CUSUM and wavelet transform methods were employed to analyze the features and detect the slowly port scan behaviors.The experimental results show that the methods proposed detect port scan behaviors effi-ciently and correctly,it has low false negative and false positive alarm rate compared with the Snort.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Akira Tanaka,Chansu Han,Takeshi Takahashi

DOI: https://doi.org/10.1109/access.2023.3249474

IF: 3.9

2023-01-01

IEEE Access

Abstract:Adversaries perform port scanning to discover accessible and vulnerable hosts as a prelude to cyber havoc. A darknet is a cyberattack observation network to capture these scanning activities through reachable yet unused IP addresses. However, the enormous amount of packets and superposition of diverse scanning strategies prevent extracting significant insights from the aggregate traffic. Some coordinated scanners disperse probe packets whose TCP/IP header follows a unique pattern to determine whether the received packets are valid responses to their probes or are part of other background traffic. We call such a pattern a fingerprint. For example, a probe packet from a Mirai-infected host satisfies a pattern whereby the destination IP address equals the sequence number. A fingerprint indicates that the source host has been involved in a particular scanning campaign. Although some fingerprints have been discovered and known to the public, there are and will be more undiscovered ones. We intend to unveil these fingerprints. Our preliminary work automatically identified flexible fingerprints but overlooked low-rate and coordinated scanners. In this work, we improved the fingerprint identifier, enabling it to detect these stealth scans. Moreover, we revealed the scans’ objectives by investigating destination port sets. We associated fingerprints with threat intelligence and verified their reliability. Our approach identified all well-known and eight unknown fingerprints on one month’s worth of darknet data collected from about three-hundred thousand unused IP addresses. We disclosed the fingerprints of the Mozi botnet and destination port sets that were previously unreported.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiayin Qi,Hongli Zhang,Zhenzhou Ji,Liu Yun

DOI: https://doi.org/10.1109/cw.2008.150

2008-01-01

Abstract:The use of peer-to-peer (P2P) applications is growing dramatically, particularly for BitTorrent system. In order to gain insights into BitTorrent systems and the network traffic load they place on ISPs, we have undertaken an measurement study. Our experimental evaluation is ISP oriented instead of peer oriented, which enables us to study the global characteristics of BitTorrent system. We have developed a dedicated BitTorrent sniffer platform to collected extensive packet across a large ISP network. The measurement results bring important insights into BitTorrent systems. Specifically,our results show that 1) BitTorrent flashcrowd appears around midnight due to the BitTorrent users habits of behavior; 2) workload generated by BitTorrent extention - DHT is much more than it generated by calssic BitTorrent; 3) overhead rather than data transfer is the dominant component of the totle BitTorrent traffic due to DHT; 4) Zipf and pareto are the suitable model to characterize the distribution of visits to both trackers and BitTorrent Websites.Insights obtained in this study will be valuable for the management and development of future P2P file transform systems.

Dalia Nashat,Xiaohong Jiang,Susumu Horiguchi

DOI: https://doi.org/10.1109/icebe.2008.18

2008-01-01

Abstract:The TCP SYN flooding attack is the most prevalent type of DDoS attacks that exhaust network resources. A router based detection scheme has been proposed to detect the SYN flooding agents based on the assumption that the SYN packets from the agent and the SYN/ACK packets from the victimpsilas server pass through different leaf routers. In the current IP spoofing techniques, however, the attacker can spoof a random address from any subnetwork, so the SYN packets from the agent and the SYN/ACK packets from the server may pass through the same leaf router. Therefore, a more general and flexible detection scheme is highly desirable for the efficient detection of these flooding agents under any type of IP spoofing. In this paper, we propose such a scheme to detect the flooding agents by considering all the possible kinds of IP spoofing. The proposed scheme is based on the TCP SYN-SYN/ACK protocol pair with the consideration of packet header information (both sequence and Ack. numbers). The Counting Bloom Filter is used to classify all the incoming SYN/ACK packets to the sub network into two streams, the first SYN/ACK packets (SYN/ACKf ) and the retransmission SYN/ACK packets (SYN/ACKr), to make our scheme generally applicable and the Cumulative Sum algorithm is applied to avoid the dependence of detection on sites and access patterns. Compared to the old detection scheme without the consideration of IP spoofing techniques, the proposed new scheme can significantly improve the accuracy in detecting the SYN flooding agents, as verified by extensive simulation results based on different IP spoofing techniques.

LIU Ting-hua,SONG Hua,DAI Yi-qi

DOI: https://doi.org/10.3969/j.issn.1000-7024.2006.09.003

2006-01-01

Abstract:Techniques of the port scan and its detection were introduced briefly.A new self-adaptive distributed detection method of port scan wasdesigned and implemented.By detecting anomalous packets and calculating the class's anomalysum value,it sets adynamic threshold combined with the network traffic,and then judges whether that is a scan.This method could detect slow scans,random scans and distributed scans effectively.And it could detect DDoS(distributed denial of service) attacks as well.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Yong LIU,Zhi-guang QIN

DOI: https://doi.org/10.3969/j.issn.1001-0548.2011.04.022

2011-01-01

Abstract:BitTorrent-based applications incur massive cross-ISP traffic which heavily decreases Internet efficiency. Taking into account BitTorrent protocol specifications and connection structure among different ISPs, this paper proposes an ISP-aware BitTorrent traffic optimization scheme which is called STracker. STracker is composed of tracker proxies in different ISPs. Tracker proxies are connected with a P2P protocol. Tracker proxies perform node management and biased neighbor allocation. Therefore, the cross-ISP traffic is reduced. Analysis and simulations show that STracker can efficiently reduce the cross-ISP traffic while the download time is not increased. STracker can reduce the operation cost of ISPs and improve the efficiency of Internet efficiently.

LIU Gang,FANG Bin-xing,HU Ming-zeng,ZHANG Hong-li

DOI: https://doi.org/10.3969/j.issn.1001-3695.2006.05.073

2006-01-01

Abstract:The paper studies the capture method of BitTorrent traffic,designs and implements a real project according to the method,presents a quantitative result of the self-similarity parameter supporting modeling of self-similarity.

ZHANG Hai,ZHANG Jian,DAI Shao-feng

DOI: https://doi.org/10.3969/j.issn.1007-130X.2012.09.004

2012-01-01

Abstract:The portscan is most popular anomaly in the network and the TRW is the most representative algorithm for the portscan detection.The packet sampling is currently the majority of packet selection method used by many business demands.Prior work has shown that the packet sampling thins traffic flows and impacts anomaly detection.The success ratio and the false negative ratio of the TRW initially increases for low sampling intervals before dropping off for high sampling intervals as the traffic is increasingly thinned.Based on previous researches , we design an improved TRW using theTCP protocol information in the sampling packet.Experimental results show that using the algorithm the false negative ratio drops off while the success ratio does not change.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Liu Bin,Li Zhitang,Tu Hao

DOI: https://doi.org/10.1117/12.773782

2007-01-01

Abstract:P2P applications for file-sharing and video streaming have become tremendously popular in recent years, and it is now accounting for a significant share of the total network traffic. As P2P applications nowadays tend to use arbitrary ports to camouflage their communications, traditional methods like port-based identification have become highly inaccurate. In this paper, we propose a measurement system to detect and measure the real-time P2P traffic more reliably. The measurement methodology is based on using application level signatures implemented by netfilter extension as well as packet classifier. We further present the results from a P2P traffic analysis at a campus network, which show that this P2P traffic measurement system can provide the performance and scalability required for practical applications.

Qianli Zhang,Xing Li

DOI: https://doi.org/10.1007/11919568_78

2006-01-01

Abstract:The wide spread of worms, DDOS attacks and scan activities have greatly affected the network infrastructure security For scan detection, traditionally most detection methods are flow based, thus undesirable for gigabits or multi-gigabits networks To deal with this scalability problem, in this paper, a novel scan detection method is proposed, in which no flow record is required to maintain Based on the observation that scans will generally generate a large volume of return RST packets, a hypothesis testing based approach is proposed Experiments in practical network and on the DARPA 1998 datasets indicate that this algorithm is effective.

HUANG Li-Hui,LI Zhi-Tang,LIU Bin

2008-01-01

Periodical of Ocean University of China

Abstract:With increasingly attention to P2P,more and more researches have been launched into the flow characteristics of P2P.The traditional researches on the network always focus on analyzing network flow captured at intercepted export.But these methods are kind of passive way,not only can not find out the internal characteristics of P2P application,but also unable to explain some of the flow characteristics.By running a typical P2P application-a BitTorrent client in the actual network,we can approach the statistical information on the transceiver initiatively,observe and collect the internal characteristics of the client.According to these statistics,we summed up the characteristics of BT in the practical application,analyzed the strategy used by the agreement.And we also analyzed the characteristics which turned out when measuring passively.