research-article

Scalable Stealth Mode P2P Overlays of Very Small Constant Degree

Published: 01 October 2011

Abstract

P2P technology has recently been adopted by Internet-based malware as a fault tolerant and scalable communication medium. Due to its decentralized and self-organizing nature, P2P malware is harder to detect and block, especially if it utilizes specialized techniques for hiding. We analyze a number of hiding strategies through extensive and realistic simulations over a model of the AS-level Internet topology. We show that the most effective strategy to avoid detection is to drastically reduce the maximal number of peers a node communicates with. While overlay networks of a small constant maximal degree are generally considered to be unscalable, we argue that it is possible to design them to be scalable, efficient, and robust. An important implication is that stealth mode P2P malware that is very difficult to discover with state-of-the-art methods is a plausible threat. We discuss algorithms and theoretical results that support the scalability of stealth mode overlays, and we present realistic event-based simulations of a proof-of-concept system. Besides the context of P2P malware, some of our results are of general interest in the area of constant degree overlays in connection with the problem of how to maintain reasonable performance and reliability with the smallest degree possible.


Published in

ACM Transactions on Autonomous and Adaptive Systems, Volume 6, Issue 4
October 2011
171 pages
ISSN: 1556-4665
EISSN: 1556-4703
DOI: 10.1145/2019591

Copyright © 2011 ACM

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

  • Received: 1 February 2010
  • Accepted: 1 August 2010
  • Published: 1 October 2011