DETECTION OF PEER TO PEER APPLICATIONS
AN OPSWAT WHITE PAPER
Author: Priti Dadlani
Contributors: Benny Czarny, Steven Ginn, Toshit Antani
April 2008
OPSWAT, INC.
www.opswat.com
CONTENTS
Introduction
Methods of Detecting P2P Applications
    Network Based Detection
    Client Based Detection
    Client Behavioral Detection
About OPSWAT
INTRODUCTION:
A peer to peer (P2P) application, such as BitTorrent, Kazaa, Napster, etc., is
software in which clients communicate directly with each other over a common
network. Each instance of the application acts both as a client and as a server.
The most common use case of a P2P application is file sharing, and simple file
sharing has raised considerable controversy and questions about the acceptable
use of P2P applications. One issue is the legality of file sharing: many of the
files exchanged between clients are shared without the authorization of the
copyright owner, making the transfer illegal. The bandwidth consumed by P2P
applications also degrades network performance for other users. Computers running
P2P applications are additionally exposed to data leaks, because sensitive
information can easily be transferred over a network that is not tracked or
monitored. These concerns have led network administrators to block P2P
applications from gaining network access. This document outlines the main
approaches to detecting P2P applications: network based detection, client based
(footprint) detection, and client behavioral detection.
METHODS OF DETECTING P2P APPLICATIONS:
Security vendors use various methods to detect P2P technology; the most common
ones currently in use are described below.
Network Based Detection
Some P2P applications communicate through a well-known port or protocol, or
produce a characteristic traffic pattern. A network based approach combines
network sniffing with network scanning. Network sniffing inspects packets for
protocol signatures (for example a recognizable handshake) and for P2P traffic
patterns; network scanning looks for well-known P2P ports or protocols that are
open on hosts. These methods are useful for detecting applications such as
Piolet, an executable that can be dropped and run from anywhere: it requires no
installation and leaves no footprint behind on the host, so the wire is the only
place to catch it. An administrator is able to watch the network traffic and
determine whether an application like Piolet is in use.
Scanning or sniffing for known P2P patterns has its limitations. Newer P2P
applications use what is called "anonymous P2P" technology. The networks used by
these applications (Winny, Imule, Rodi, etc.) carry no protocol identifiers in
their traffic, and the traffic is encrypted and relayed so that the IP addresses
of the communicating peers are hidden. This makes the traffic almost impossible
to trace and identify by inspection. A port based check on its own is also weak
evidence, since most clients can be configured to use any port.
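The sniffing half of the approach above, as an added example (not OPSWAT code and not part of the original paper): a packet classifier that looks for cleartext protocol signatures (the BitTorrent peer handshake, a BitTorrent DHT query, a Gnutella connect request) and falls back to a default-port heuristic. The packets, port lists and verdict labels are constructed for the demo; the last sample shows the limitation the text describes, where an encrypted stream on a non-default port yields nothing.

```python
"""Network based P2P detection: payload signatures plus default-port heuristics.

Added example, not OPSWAT code.  Packets are constructed inline so it runs offline.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal view of a captured TCP/UDP segment: ports and application payload."""
    src_port: int
    dst_port: int
    payload: bytes


# Default port ranges of common clients.  Weak evidence on its own, because
# every modern client lets the user pick another port.
P2P_DEFAULT_PORTS = {
    "bittorrent": set(range(6881, 6890)),
    "gnutella": {6346, 6347},
    "edonkey": {4661, 4662, 4672},
}

# Protocol signatures visible in cleartext traffic.
# BitTorrent peer handshake: one length byte (19) then the literal protocol name.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# BitTorrent DHT (BEP 5) queries are bencoded dicts starting with "a" -> {"id": <20 bytes>...}.
DHT_QUERY = re.compile(rb"^d1:ad2:id20:")
# Gnutella connection request.
GNUTELLA_CONNECT = re.compile(rb"^GNUTELLA CONNECT/\d+\.\d+\r\n")


def match_signature(payload: bytes):
    """Return the name of the matching protocol signature, or None."""
    if payload.startswith(BT_HANDSHAKE):
        return "bittorrent-handshake"
    if DHT_QUERY.match(payload):
        return "bittorrent-dht"
    if GNUTELLA_CONNECT.match(payload):
        return "gnutella-connect"
    return None


def match_default_port(pkt: Packet):
    """Return the protocol whose default port range covers either endpoint, or None."""
    for proto, ports in P2P_DEFAULT_PORTS.items():
        if pkt.src_port in ports or pkt.dst_port in ports:
            return proto
    return None


def classify(pkt: Packet):
    """Classify one packet as (verdict, evidence).

    A payload signature is strong evidence regardless of port; a default port with
    an unrecognized payload is only a lead to investigate; anything else is unknown,
    which is exactly where encrypted or anonymous P2P traffic lands.
    """
    sig = match_signature(pkt.payload)
    if sig:
        return "p2p", sig
    proto = match_default_port(pkt)
    if proto:
        return "suspect", f"default-port:{proto}"
    return "unknown", None


def sample_packets():
    """Constructed packets for the demo (not taken from a real capture)."""
    handshake = BT_HANDSHAKE + b"\x00" * 8 + b"A" * 20 + b"-PY0001-" + b"0" * 12
    dht_ping = b"d1:ad2:id20:" + b"B" * 20 + b"e1:q4:ping1:t2:aa1:y1:qe"
    return {
        # client moved to a non-default port: still caught by the handshake signature
        "bt_nonstandard_port": Packet(51413, 40000, handshake),
        "dht_ping": Packet(6881, 6881, dht_ping),
        "gnutella": Packet(6346, 51000, b"GNUTELLA CONNECT/0.6\r\nUser-Agent: x\r\n\r\n"),
        # unrelated web traffic that happens to use a BitTorrent default port
        "http_on_6881": Packet(52000, 6881, b"GET / HTTP/1.1\r\nHost: a\r\n\r\n"),
        # obfuscated stream (e.g. message stream encryption): no signature, no default port
        "encrypted_stream": Packet(51413, 40000, bytes(range(96, 160))),
    }


def run_demo():
    """Classify every sample packet; returns {name: (verdict, evidence)}."""
    return {name: classify(pkt) for name, pkt in sample_packets().items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22} -> {result}")
```

A real deployment would feed `classify` from a capture library and aggregate per flow rather than per packet, but the ranking of evidence (signature over port, port over nothing) is the part that matters: the "unknown" bucket is where anonymous and encrypted P2P traffic ends up, which is why the paper turns to the client side next.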
Client Based Detection
Client based detection is typically performed by analyzing the footprint that the
P2P application leaves behind on the endpoint: the registry keys it installs, the
binary files it installs, the MD5 hash of the running process image, and the name
of the running process. With client based detection it is easy to take remediation
actions against the P2P application. Administrators can prevent the application
from being run and can even monitor the files that are being transferred. Because
it works on the host rather than on the wire, this method can also detect
"anonymous P2P" applications by the footprint they leave behind. RShare is an
example of a P2P application that anonymizes and encrypts the network traffic it
uses; it can nevertheless be detected from the registry information it installs or
from its running process. The disadvantage is that the footprint can be tampered
with: a user can delete the product's registry keys, rename the executable, or
alter the binary so that its MD5 hash no longer matches the known value and the
program appears to be something safe and reliable, once again leaving network
administrators unaware that a P2P application is running and in use.
Client Behavioral Detection
Every P2P application's executable contains the binary instructions it needs in
order to run. Behavioral detection tracks execution patterns and specific code
patterns, such as protocol state machines, protocol handling, and network
activity. By combining assembly level binary signatures with the observed
behavior of the application (ports opened, files accessed, and other indicators),
security software can decide whether an executable in question is a P2P
application. By enumerating all running processes and monitoring their behavior
it is possible to detect a P2P application disguising itself as a legitimate
executable such as "notepad.exe". Winny is an example of an "anonymous P2P"
application that leaves no footprint behind; neither network based nor pure
client based (footprint) detection can detect a product like this. Analyzing the
assembly signature of the executable and monitoring how the application behaves
can give an administrator insight into whether it is running. There are, of
course, drawbacks to this method: the application must be analyzed on the
endpoint, and behavioral monitoring makes it difficult to guarantee a given level
of performance.
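An added example covering both the Client Based and Client Behavioral sections above (it is not OPSWAT code and the signature database is not a real vendor feed): an endpoint check that first applies footprint matching (known process names and known MD5 hashes) and then behavioral matching (byte-level code patterns in the image, plus listening ports and files opened). The "P2P binary" is a constructed byte string, the `push 19 / push imm32` pattern is a hypothetical assembly signature, and the rule of requiring two independent behavioral signals is a design choice of this example. The tampered case shows the paper's point: renaming the executable and changing one byte defeats the footprint check but not the behavioral one.

```python
"""Client side P2P detection: footprint matching versus behavioral matching.

Added example, not OPSWAT code.  The process inventory, the binaries and the
signature database are constructed inline so the script runs offline anywhere.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Process:
    """What an endpoint agent would collect for each running process."""
    name: str
    image: bytes                              # bytes of the executable on disk
    listening_ports: set = field(default_factory=set)
    files_opened: set = field(default_factory=set)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Stand-in for a P2P client binary (constructed): a DOS header, padding, a small
# code fragment and the protocol string the client embeds for its handshake.
SAMPLE_P2P_IMAGE = (
    b"MZ" + b"\x90" * 30
    + b"\x6a\x13"                     # push 19            (length of protocol name)
    + b"\x68\x10\x20\x40\x00"         # push 0x00402010    (address of the string)
    + b"\xe8\x00\x00\x00\x00"         # call <send_handshake>
    + b"BitTorrent protocol\x00" + b"\x90" * 30
)

# --- client based (footprint) database: names and hashes of known clients ---
FOOTPRINT_NAMES = {"piolet.exe", "winny.exe", "rshare.exe"}
FOOTPRINT_MD5 = {md5_hex(SAMPLE_P2P_IMAGE)}   # in practice supplied as a vendor feed


def footprint_match(proc: Process):
    """Footprint evidence: exact process name or exact image hash."""
    reasons = []
    if proc.name.lower() in FOOTPRINT_NAMES:
        reasons.append("known-process-name")
    if md5_hex(proc.image) in FOOTPRINT_MD5:
        reasons.append("known-md5")
    return reasons


# --- behavioral: code patterns in the image plus runtime activity ---
# Hypothetical assembly-level signature: "push 19" followed within 8 bytes by a
# "push imm32".  The wildcards let it survive a rebuild that moves the string.
CODE_PATTERNS = {
    "push19-then-push-ptr": re.compile(rb"\x6a\x13.{0,8}?\x68.{4}", re.DOTALL),
    "bt-handshake-string": re.compile(rb"BitTorrent protocol"),
}
BT_DEFAULT_PORTS = range(6881, 6890)


def behavioral_match(proc: Process):
    """Behavioral evidence: code patterns, listening ports and files touched."""
    reasons = []
    for name, pattern in CODE_PATTERNS.items():
        if pattern.search(proc.image):
            reasons.append(f"code:{name}")
    if any(p in BT_DEFAULT_PORTS for p in proc.listening_ports):
        reasons.append("port:bittorrent-default")
    if any(f.lower().endswith(".torrent") for f in proc.files_opened):
        reasons.append("file:.torrent")
    return reasons


def verdict(proc: Process):
    """A footprint hit is decisive; otherwise require two independent behavioral signals."""
    fp = footprint_match(proc)
    bh = behavioral_match(proc)
    if fp:
        return "p2p (footprint)", fp + bh
    if len(bh) >= 2:
        return "p2p (behavioral)", bh
    return "clean", bh


def sample_processes():
    """Constructed inventory: an untouched client, a tampered copy, and a real editor."""
    tampered = SAMPLE_P2P_IMAGE + b"\x00"     # one appended byte changes the MD5
    return {
        "untouched": Process("piolet.exe", SAMPLE_P2P_IMAGE, {6881}, {"C:\\dl\\movie.torrent"}),
        "renamed_and_patched": Process("notepad.exe", tampered, {6881}, {"C:\\dl\\movie.torrent"}),
        "real_notepad": Process("notepad.exe", b"MZ" + b"\x00" * 64, set(), {"C:\\readme.txt"}),
    }


def run_demo():
    """Return {name: (verdict, evidence)} for the sample inventory."""
    return {name: verdict(p) for name, p in sample_processes().items()}


if __name__ == "__main__":
    for name, (result, evidence) in run_demo().items():
        print(f"{name:20} {result:18} {evidence}")
```

On a real Windows endpoint the inventory would come from process enumeration, the image bytes from the process's executable path, and the footprint database would also carry registry keys; the cost the paper warns about is in `behavioral_match`, which has to scan every image and watch every process's activity rather than compare a name and a hash.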
ABOUT OPSWAT
Founded in 2002, OPSWAT (www.opswat.com) is the world leader in development
tools and data services that power products managing features of security
applications. OPSWAT SDKs and services enable integration with a broad range of
applications, from traditional security products such as antivirus, antispyware,
personal firewalls and hard disk encryption applications to general purpose
products with security-related features such as browsers, instant messengers and
peer to peer applications. OPSWAT is headquartered in San Francisco, California,
with an additional office in Herzliya, Israel.
OPSWAT™ and the OPSWAT logo are trademarks of OPSWAT, Inc. or its affiliates.
All other names mentioned herein are trademarks or registered trademarks of their respective owners.