Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

Hou Xinrui,Cheng Zhen,Zhou Yajin,Li Jinku

2020-01-01

Abstract:The invention discloses a system and method for detecting Ethereum digital currency stealing attacks. The method comprises the steps: deploying an Ethereum honeypot, inducing a network attacker to quickly find a honeypot host, transmitting a detection request, and capturing a malicious request from the attacker; storing the malicious request from the attacker in a database; and analyzing the attack data, associating the malicious request, detecting an attack behavior, identifying an attack method used by an attacker, tracking the attacker, and generating a detection result. According to the method, the malicious request sent by the attacker is attracted and captured, and the attack technique used by the attacker is further recognized, and weak points of an existing system are effectively found, so that the Ethereum system is better protected.

Taotao Wang,Chonghe Zhao,Qing Yang,Shengli Zhang,Soung Chang Liew

DOI: https://doi.org/10.1109/tnse.2021.3078181

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:The peer-to-peer (P2P) network of blockchain used to transport its transactions and blocks has a high impact on the efficiency and security of the system. The P2P network topologies of popular blockchains such as Bitcoin and Ethereum, therefore, deserve our highest attention. The current Ethereum blockchain explorers (e.g., Etherscan) focus on the tracking of block and transaction records but omit the characterization of the underlying P2P network. This work presents the Ethereum Network Analyzer (Ethna), a tool that probes and analyzes the P2P network of the Ethereum blockchain. Unlike Bitcoin that adopts an unstructured P2P network, Ethereum relies on the Kademlia DHT to manage its P2P network. Therefore, the existing analytical methods for Bitcoin-like P2P networks are not applicable to Ethereum. Ethna implements a novel method that accurately measures the degrees of Ethereum nodes. Furthermore, it incorporates an algorithm that derives the latency metrics of message propagation in the Ethereum P2P network. We ran Ethna on the Ethereum Mainnet and conducted extensive experiments to analyze the topological features of its P2P network. Our analysis shows that the Ethereum P2P network possesses a certain effect of small-world networks, and the degrees of nodes follow a power-law distribution that characterizes scale-free networks.

Taotao Wang,Chonghe Zhao,Qing Yang,Shengli Zhang,Soung Chang Liew

DOI: https://doi.org/10.48550/arXiv.2010.01373

2021-03-27

Abstract:The peer-to-peer (P2P) network of blockchain used to transport its transactions and blocks has a high impact on the efficiency and security of the system. The P2P network topologies of popular blockchains such as Bitcoin and Ethereum, therefore, deserve our highest attention. The current Ethereum blockchain explorers (e.g., Etherscan) focus on the tracking of block and transaction records but omit the characterization of the underlying P2P network. This work presents the Ethereum Network Analyzer (Ethna), a tool that probes and analyzes the P2P network of the Ethereum blockchain. Unlike Bitcoin that adopts an unstructured P2P network, Ethereum relies on the Kademlia DHT to manage its P2P network. Therefore, the existing analytical methods for Bitcoin-like P2P networks are not applicable to Ethereum. Ethna implements a novel method that accurately measures the degrees of Ethereum nodes. Furthermore, it incorporates an algorithm that derives the latency metrics of message propagation in the Ethereum P2P network. We ran Ethna on the Ethereum Mainnet and conducted extensive experiments to analyze the topological features of its P2P network. Our analysis shows that the Ethereum P2P network possesses a certain effect of small-world networks, and the degrees of nodes follow a power-law distribution that characterizes scale-free networks.

Networking and Internet Architecture,Cryptography and Security

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

ZHOU Shi-jie,QIN Zhi-guang,WU Chun-jiang

DOI: https://doi.org/10.3969/j.issn.1009-6868.2007.05.004

2007-01-01

Abstract:The Peer-to-Peer (P2P) network traffic identification technology includes Transport Layer Identification (TLI) and Deep Packet Inspection (DPI) methods. By analyzing packets of the transport layer and the traffic characteristic in the P2P system, TLI can identify whether or not the network data flow belongs to the P2P system. The DPI method adopts protocol analysis technology and reverting technology. It picks up data from the P2P application layer and analyzes the characteristics of the payload to judge if the network traffic belongs to P2P applications. Due to its accuracy, robustness and classifying ability, DPI is the main method used to identify P2P traffic. Adopting the advantages of TLI and DPI, a precise and efficient technology for P2P network traffic identification can be designed.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1142/s0218843008001750

2008-01-01

International Journal of Cooperative Information Systems

Abstract:Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task cannot be easily attained as IM/P2Ps resort to advanced techniques to hide their traces including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules namely, session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that help organize IM/P2P sessions and packets in data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application layer analysis that combined will boost the framework's identification precision. More importantly, we introduce IM/P2Ps "plug-and-play" protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2Ps detection accuracy rates under diverse settings and excellent overall performance in both controlled and real-world environments.

Hui Liu,Wenfeng Feng,Yongfeng Huang,Xing Li

DOI: https://doi.org/10.1109/nas.2007.6

2007-01-01

Abstract:The use of peer-to-peer (P2P) applications is growing dramatically, which results in several serious problems such as the network congestion and traffic hindrance. In this paper, a method is', proposed to identify the P2P traffic based on the machine learning. The novelty of the proposed method is that it utilizes only the size of packets exchanged between IPs within seconds. By investigating the ratio between the upload and download traffic volume of several P2P applications, a characteristic library is constructed. Then the unknown network traffic can be recognized online using this library. The distinguished features of the proposed method lie in that fast computation, high identification accuracy, and resource-saving capability. Finally, experiment results show the satisfactory performance of the proposed method.

Dongyan Zhang,Chao Zheng,Hongli Zhang,Hongliang Yu

DOI: https://doi.org/10.1109/iciw.2010.36

2010-01-01

Abstract:More and more applications are adopting peer-to-peer (P2P) technology. Skype is a P2P based, popular VoIP software. The software works almost seamlessly across Network Address Translations (NATs) and firewalls and has better voice quality than most IM applications. The communication protocol and source code of Skype are undisclosed. It uses high strength encryption and random port number selection, which render the traditional flow identification solutions invalid. In this paper, we first obtain the Skype clients and super nodes by analyzing the process of login and calling in different network environments. Then we propose a method to identify Skype traffic based on Skype nodes and flow features. Our proposed method makes the previously hard-to-detect Skype traffic, especially voice service traffic, much easier to identify. We design an identification system utilizing the proposed method and implement the system in a LAN network. We also successfully identified Skype traffic in one of the largest Internet Providers over a period of 93 hours, during which over 30TB data were transmitted. Through experiments, we show that our proposed approach and implementations can indeed identify Skype traffic with higher accuracy and effectiveness.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Chonghe Zhao,Yipeng Zhou,Shengli Zhang,Taotao Wang,Quan Z. Sheng,Song Guo

2024-05-17

Abstract:In Ethereum, the ledger exchanges messages along an underlying Peer-to-Peer (P2P) network to reach consistency. Understanding the underlying network topology of Ethereum is crucial for network optimization, security and scalability. However, the accurate discovery of Ethereum network topology is non-trivial due to its deliberately designed security mechanism. Consequently, existing measuring schemes cannot accurately infer the Ethereum network topology with a low cost. To address this challenge, we propose the Distributed Ethereum Network Analyzer (DEthna) tool, which can accurately and efficiently measure the Ethereum network topology. In DEthna, a novel parallel measurement model is proposed that can generate marked transactions to infer link connections based on the transaction replacement and propagation mechanism in Ethereum. Moreover, a workload offloading scheme is designed so that DEthna can be deployed on multiple distributed probing nodes so as to measure a large-scale Ethereum network at a low cost. We run DEthna on Goerli (the most popular Ethereum test network) to evaluate its capability in discovering network topology. The experimental results demonstrate that DEthna significantly outperforms the state-of-the-art baselines. Based on DEthna, we further analyze characteristics of the Ethereum network revealing that there exist more than 50% low-degree Ethereum nodes that weaken the network robustness.

Networking and Internet Architecture

Soohoon Maeng,Meryam Essaid,Changhyun Lee,Sejin Park,Hongteak Ju

DOI: https://doi.org/10.1002/nem.2175

2021-07-05

International Journal of Network Management

Abstract:Ethereum is arguably the second most popular cryptocurrency-based network after Bitcoin. Both use the distributed ledger technology known as the blockchain, which is considered secure. However, the provided security level is proportional to the number of connected nodes, the number of influential nodes, and the supported amount of hash power. Thus, the knowledge of the network properties and nodes' behavior is helpful to protect the network from possible attacks such as double-spending attacks, DDoS attacks, 51% attacks, and Sybil attacks. This paper proposes a node discovery mechanism, which performs a P2P link discovery on the Ethereum main network. For that, we develop Search-node, a modified version of Ethereum client that searches for all participating nodes in the blockchain network, stores the node information in the Bucket, and then processes the peer discovery method. Based on the collected data, we first visualize the Ethereum network topology and analyze the attributes of the network such as node degree, path length, diameter, and clustering coefficient. We then analyze the node properties and provide analytical results regarding the relationship between nodes, heavily connected nodes, node geo-distribution, security issues, and possible attacks over the influential nodes. As a result, we have identified 68,406 nodes with a total of 642,034 edges. By analyzing the collected data, we have found that the diameter in the Ethereum network is equal to 8. The node degree is over 19, which is two times higher than the default configuration.

computer science, information systems,telecommunications

Libing Qiao,Enhuan Dong,Huanpu Yin,Haisheng Li,Jiahai Yang

DOI: https://doi.org/10.1109/mnet.2024.3374080

IF: 10.294

2024-01-01

IEEE Network

Abstract:With the continuous development of network devices, there are increasingly types and quantities of network devices. Accurate identification of device types helps proactively protect potentially vulnerable devices exposed on the Internet. Among the network device identification methods, the TCP/IP stack active detection method is an important kind since it does not require many open ports of target devices. However, its performance is limited by the rule/fingerprint database quality. Maintaining such a database requires a lot of expert effort, making the method difficult to scale up. To solve the scalability problem, our insight in this paper is to use machine learning methods to generate network device classifiers without needing expert effort. However, generating labeled datasets, extracting features, and selecting features without expert effort is non-trivial. We propose IntelliNDI, an intelligent and active network device identification method. IntelliNDI collects network device type information from multiple cyberspace search engines and filter out the network devices with different types on different search engines. We regard the approximately consistent network device types as the ground truth network device types. As for feature extraction, we use the same attributes employed in the well-known Nmap protocol stack detection to avoid the requirements for constructing features. Finally, we select features with basic ML methods. We implement IntelliNDI for several kinds of typical network devices. The trained classifiers in our experiments can achieve 90 percent accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Tao Qin,Lei Wang,Dan Zhao,Min Zhu

DOI: https://doi.org/10.1007/s12083-015-0350-2

IF: 3.488

2016-01-01

Peer-to-Peer Networking and Applications

Abstract:Peer-to-Peer system has achieved great success with millions of end users in the past several years. P2P traffic has occupied about 60-80 % of the total traffic volumes, which greatly consumes network bandwidth and causes congestions. To achieve the goal of efficacious P2P system management in the monitored network, in this paper we develop a framework named CUFTI (Core Users Finding and Traffic Identification). The core users are referred as long-lived peers, and we focus on life-time characteristics of coexisting peers within each snapshot of the overlay. Based on the analysis results of user's behaviour in PPlive system, we develop an accurate model to forecast the peer's residual life-time and identify the long-lived peers. Furthermore, we develop a flow identification model for P2P traffic management of those core users. Based on the analysis results of actual traffic traces, we find the P2P traffic flows are composed of data and control packets. Most of the control packets appear at the beginning and end of each flow to establish and close the communication between peers. We employ the direction and payload length of the control packets at the beginning of the flow as features to perform flow identification. Experimental results based on traces collected from the Northwest Region Center of CERN ET (China Education and Research Network) show that the newly developed methods outperforms other existing methods with lower false negative rate (FNR) and false positive rate (FPR).

Ting Chen,Zihao Li,Yuxiao Zhu,Jiachi Chen,Xiapu Luo,John Chi-Shing Lui,Xiaodong Lin,Xiaosong Zhang

DOI: https://doi.org/10.1145/3381036

IF: 5.3

2020-01-01

ACM Transactions on Internet Technology

Abstract:Being the largest blockchain with the capability of running smart contracts, Ethereum has attracted wide attention and its market capitalization has reached 20 billion USD. Ethereum not only supports its cryptocurrency named Ether but also provides a decentralized platform to execute smart contracts in the Ethereum virtual machine. Although Ether's price is approaching 200 USD and nearly 600K smart contracts have been deployed to Ethereum, little is known about the characteristics of its users, smart contracts, and the relationships among them. To fill in the gap, in this paper, we conduct the first systematic study on Ethereum by leveraging graph analysis to characterize three major activities on Ethereum, namely money transfer, smart contract creation, and smart contract invocation. We design a new approach to collect all transaction data, construct three graphs from the data to characterize major activities, and discover new observations and insights from these graphs. Moreover, we propose new approaches based on cross-graph analysis to address two security issues in Ethereum. The evaluation through real cases demonstrates the effectiveness of our new approaches.

Yiyang Shao,Baohua Yang,Jingjie Jiang,Yibo Xue,Jun Li

DOI: https://doi.org/10.1109/ICCNC.2014.6785300

2014-01-01

Abstract:Network traffic identification has become more and more important in recent years. However, as the Internet backbone bandwidth continuously grows, traditional flow-based traffic identification methods gradually become impractical. In order to improve the performance of traffic identification, this paper proposes an ingenious and practical flow dispatching mechanism named Emilie, which intelligently predicts the elephant flows using only the first three packets of each flow. By discriminating mouse flows against elephant flows, methods with various complexity are utilized to identify the application-level protocol type of elephant and mouse flows separately. Emilie utilizes Machine Learning techniques to achieve high accuracy as well as keep fast speed in predicting elephant flows. Experimental results on real network traffic traces illustrate that around 88% precision, 85% recall and over 85% accuracy are gained on average, which is much better than existing solutions. To the best of our knowledge, this is the first practical and efficient work that supports inline elephant flow prediction. Flow dispatching based on Emilie empowers traffic identification systems to achieve both high accuracy and fast speed.

Yunyi Xie,Jiajun Zhou,Jinhuan Wang,Jian Zhang,Yunxuan Sheng,Jiajing Wu,Qi Xuan

DOI: https://doi.org/10.1007/978-981-16-2609-8_7

2021-01-01

Abstract:Ethereum, which is one of the largest public blockchain-based platforms, provides an unprecedented opportunity for data mining. However, the analysis of Ethereum transaction records remains under-explored. In this chapter, we model Ethereum transaction records as a complex network and further study the problem of phishing detection and transaction tracking via node classification and link prediction, respectively, which provides a deeper understanding of Ethereum transactions from a network perspective. Specifically, we introduce time-series snapshot network (TSSN) to model Ethereum transaction records as a spatial-temporal network and present temporal biased walk (TBW) to effectively embed accounts via their transaction records, which integrates temporal and structural information of the proposed network. Furthermore, we provide a detailed and systematic analysis of various graph embedding models and compare our proposed method with these embedding technologies on realistic Ethereum transaction records. Experimental results demonstrate the superiority of our TBW in learning more informative representations, and is essential for Ethereum network analysis.