Development of enterprise P2P communication network detection and protection technology


When it comes to representative images of life in old Beijing, many people think of the elegant courtyard house. Walk the streets and alleys of Beijing today, however, and you will find that many courtyards have turned into crowded compounds: unauthorized construction is everywhere, getting in and out of the yard is often inconvenient, and for heavier-set people the narrowest passage can become a real challenge. The same phenomenon exists in the enterprise network. Although enterprise bandwidth is far more plentiful than it was a few years ago, the user experience has not necessarily kept pace, and the obstacles are the users who love to download. However the network is upgraded, P2P download traffic remains the network administrator's deepest nightmare. Leaving aside the legal exposure created by using P2P protocols to move audiovisual files and applications inside the organization, P2P traffic generally consumes 20% to 60% of the bandwidth of an organization that does not currently restrict it, which seriously affects normal business. Ordinary e-mail, VoIP and other applications are left, like you and me in that crowded courtyard, squeezing forward through a narrow gap.

That P2P traffic must be controlled within the organization has become the consensus of most network managers. The common intrusion prevention and traffic shaping technologies have carried high expectations here. They use signatures to sort traffic into white lists and black lists, and their working mechanism resembles that of anti-virus software. In the early days this was satisfactory enough and could solve an enterprise's P2P problems. The problem is that as P2P protocol technology has developed, signature-based detection finds it harder and harder to capture P2P traffic, and the effect of traditional intrusion prevention and traffic shaping on P2P keeps weakening.

Challenges brought by P2P protocol technology development

Take the two most representative P2P protocols as examples. In the early days of the BitTorrent protocol, the client relied on connecting to a Tracker server to obtain the addresses of the other peers downloading the file. Seen this way, BT was not entirely peer-to-peer, and the Tracker server was the core of BT's existence, so blocking the Tracker server was enough to block BT. However, after two Harvard University professors published a paper on "decentralized" peer-to-peer networks, BT gained the distributed hash table (DHT) network, which achieves complete decentralization: there is no central server for registration, login, or storing which files are shared by which nodes. Further proof of how much DHT has changed BT downloading came in mid-November 2009, when the world's largest BT site, "The Pirate Bay" (thepiratebay.org), announced on its official blog that it would permanently shut down its Tracker server. This was not a great victory for anti-piracy; the site simply concluded that a Tracker server is no longer technically necessary for clients to complete BT downloads. DHT poses a great challenge to network-based detection and blocking of BT, because there is no list of IP addresses or specific ports that can be blacklisted: BT cannot be blocked by IP address and port, so blocking must be done by analyzing the network traffic itself. Moreover, once a node has obtained the IP-port pair of the remote node sharing the requested file, the BitTorrent protocol supports message stream encryption (MSE) or protocol header encryption (PHE) to encrypt the entire file-transfer TCP session. Once two nodes have negotiated a shared key and begin sharing the requested file under that key, a traditional intrusion prevention system or traffic shaping device may be helpless.

The Skype protocol is similar and also encrypts its communication. Trickier than BT, Skype is not open source, and its releases use a variety of anti-reverse-engineering measures, which makes its protocol harder to parse. An intrusion prevention system or traffic shaper would first have to parse the Skype protocol and recover the key at great computational cost, and do so for all network communications. Even without technical obstacles, this makes Skype detection uneconomical, because turning the detection on would seriously degrade network performance.

Development of P2P detection and protection technology

To keep up with the changes in P2P, and in particular to face DHT and encryption, a once-and-for-all approach is needed; this is the direction of the P2P research carried out by McAfee Labs. McAfee researchers have designed several patent-pending technologies that identify the general behavioral characteristics of evasive P2P file-sharing protocols, namely the high evasiveness, file sharing and decentralization inherent in these P2P systems. The advantage of this approach is that the more fiercely a P2P protocol "resists" the traditional signature-based protocol identification used by traffic shapers, the easier the new technology finds it to detect. The following is an overview of this technique for rate limiting evasive bulk transfers.

This technology classifies P2P file sharing that uses evasion techniques in three stages:

Stage 1: Set up a gray list: classify unclassified protocols

First, we try to classify protocols as "known good" (white list) or "known harmful" (black list) based on the protocols already known.

McAfee researchers have developed a network application layer protocol classification engine that detects hundreds of protocols, including TCP / IP stack protocols (for example, TCP and ICMP), application-level protocols (for example, FTP, TFTP, and HTTP), and P2P and instant messaging protocols (for example, eDonkey, BitTorrent, and MSN). The engine can be used to whitelist and blacklist network traffic. For example, protocols such as FTP and SSH are whitelisted, while BitTorrent and Gnutella variants are blacklisted. Any network flow that is classified as neither whitelist nor blacklist is marked as a graylist (unknown) protocol.

Stage 2: Heuristic detection of bulk data transfer flows

For the flows on the gray list, a carefully designed heuristic determines whether each flow is a bulk data transfer or not. This in-depth analysis excludes all interactive sessions and low-bandwidth traffic that does not require shaping. Some of the heuristics employed by the researchers look for:

• Large-volume data transfer: efficient P2P technology is designed so that the smallest incomplete file "block" a serving node holds is still at least hundreds of Kb (each block in BitTorrent is 256 Kb). The technique therefore concentrates on flows that have already transferred a predetermined minimum amount of data (for example, hundreds of kilobytes) and ignores less efficient streams that only ever carry small amounts of data.

• Data transfer rather than interactive session: interactive sessions usually exchange lightly loaded packets in both directions at irregular intervals, whereas a data transfer is mostly a one-way stream of packets whose size matches the physical characteristics of the network or the negotiated maximum segment size (MSS). For example, if a flow has hundreds of packets in the server-to-client direction and most of them are 1412 bytes, the flow is probably a server-to-client bulk transfer, where 1412 bytes is the maximum transmission unit (MTU) of the network path or the MSS negotiated by the peers.

• Non-printable / binary response: protocols that have been obfuscated or encrypted naturally contain non-printable (non-ASCII) characters. Because traditional traffic shapers usually look for signatures at the start of a flow, evasive P2P protocols usually encrypt or obfuscate the bytes at the very beginning of the transfer. The researchers therefore look for binary characters right where the flow starts.

Through stages 1 and 2, McAfee researchers can very accurately identify the flows that are graylisted / unknown, unprintable / binary, long-lived (no small packets) and non-interactive / data-carrying, and mark them as a file transfer protocol that uses evasion techniques. The researchers defined all such traffic as a protocol family called "bulk data". At this point the administrator may choose to rate limit the traffic marked in this way so that its priority is lower than the configured rate for "known good" protocols but higher than that for "known harmful" protocols. For example, HTTP may be explicitly whitelisted and the P2P protocol eMule explicitly blacklisted; in a priority-based rate limiting scheme, "bulk data" traffic then ranks below HTTP but above eMule. The algorithm lets network administrators treat traffic differently depending on whether it is whitelisted, blacklisted or graylisted ("invisible" to traditional detection techniques).
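The three stage 2 heuristics above, written out as an added example that is not McAfee's code: the flow summary fields, the threshold values and the sample flows are all assumptions constructed for the demo, and a flow is promoted from the gray list to "bulk data" only when it has moved enough bytes, is a one-way stream of MSS-sized packets, and opens with binary rather than printable bytes.

```python
from dataclasses import dataclass
# Constructed per-flow summary; field names are assumptions, not the IPS's own schema.
@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    stage1: str             # stage-1 verdict: "whitelist", "blacklist" or "graylist"
    bytes_s2c: int          # bytes carried server -> client so far
    data_pkts_s2c: int      # payload-carrying packets, server -> client
    data_pkts_c2s: int      # payload-carrying packets, client -> server
    pkt_sizes_s2c: list     # sample of payload sizes in the bulk direction
    first_bytes: bytes      # first payload bytes of the session

MIN_BULK_BYTES = 300_000    # "hundreds of kilobytes" already transferred (assumed value)
FULL_SIZE_RATIO = 0.8       # share of sampled packets at the MSS-sized maximum (assumed)
BINARY_RATIO = 0.3          # share of non-printable bytes at the flow start (assumed)

def is_bulk_volume(f):
    return f.bytes_s2c >= MIN_BULK_BYTES

def is_one_way_data(f):
    """Mostly full-size packets flowing one way, like the 1412-byte example above."""
    if not f.pkt_sizes_s2c:
        return False
    mss = max(f.pkt_sizes_s2c)
    full = sum(1 for s in f.pkt_sizes_s2c if s == mss) / len(f.pkt_sizes_s2c)
    return full >= FULL_SIZE_RATIO and f.data_pkts_s2c >= 4 * max(1, f.data_pkts_c2s)

def is_binary_start(f):
    """Encrypted or obfuscated protocols show non-printable bytes where a signature would sit."""
    if not f.first_bytes:
        return False
    printable = sum(1 for b in f.first_bytes if 32 <= b < 127 or b in b"\r\n\t")
    return 1 - printable / len(f.first_bytes) >= BINARY_RATIO

def classify_stage2(f):
    """Stage-1 verdicts stand; a graylist flow meeting all three heuristics becomes 'bulk data'."""
    if f.stage1 != "graylist":
        return f.stage1
    return "bulk data" if is_bulk_volume(f) and is_one_way_data(f) and is_binary_start(f) else "graylist"

# Constructed samples: a whitelisted HTTPS download, an evasive encrypted bulk transfer, a chatty text session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 443, "whitelist", 2_000_000, 1500, 40, [1412] * 40, b"\x16\x03\x01"),
    Flow("10.0.0.5", "198.51.100.7", 51413, "graylist", 1_800_000, 1300, 60,
         [1412] * 38 + [620, 88], bytes([0x8F, 0x13, 0x00, 0xE2, 0x7A, 0x41, 0xD9, 0xB3] * 4)),
    Flow("10.0.0.7", "192.0.2.9", 6667, "graylist", 12_000, 200, 180, [48, 61, 1412, 90, 55], b"USER alice 0 * :alice\r\n"),
]
```

Only the second sample ends up labelled "bulk data"; the chatty session fails all three checks and stays on the gray list, which is the false-positive behaviour the heuristics are meant to give.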

Stage 3: Correlating multiple evasive bulk data flows over a period of time

This stage focuses on the decentralized nature of P2P technology. Modern P2P technology divides a file into multiple blocks, and at any moment many different P2P nodes are downloading and/or sharing those blocks. For the sake of decentralization, a P2P client that wants a file is designed to request different blocks from different nodes, so a requesting node initiates a series of flows towards a set of seemingly random target nodes. Since P2P technology is designed to evade firewalls and traffic shapers, the source IP address is the only parameter these flows have in common: destination IP, destination port, source port and so on all appear random, and the content of the flows is obfuscated or encrypted as well.

Because those bulk data flows are obfuscated, stages 1 and 2 of the McAfee researchers' detection algorithm capture them easily. In stage 3, these "component" detections are correlated over time:

• Source-based association: the flows identified by stages 1 and 2 (unknown, binary, long-lived, data-carrying traffic) are grouped by their common source IP.

• Scanning characteristics / multiple distinct destinations: the algorithm treats multiple flows from a given source IP to the same destination as a single flow. This avoids false positives from a source node that repeatedly connects to the same target (for example, an HTTP browser session or HTTP / FTP site mirroring).

• Configurable scanning threshold: network administrators define this type of traffic by a threshold (N) on the number of flows a source initiates to distinct targets within a specified time period (P), which decides whether the activity is a set of discrete requests for blocks of a P2P file transfer. That is, if the number of discrete targets exceeds (N) within a period (P), the source can be marked as a P2P file-sharing node.

• If traffic already marked by stages 1 and 2 is also marked by the stage 3 algorithm, the flow is undoubtedly a P2P file transfer, and stricter rate limits can be imposed on it.

Stage 3 gives network administrators a configurable threshold for identifying P2P discrete points and digging further into the sources of P2P file sharing. It also provides more fine-grained rate limiting for the gray-area protocols determined in stages 1 and 2.
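The stage 3 correlation, as an added example rather than McAfee's implementation: it takes the flows stage 2 has already labelled "bulk data", groups them by source IP, collapses repeated flows to one destination into a single target, and flags a source once it reaches N distinct targets inside any window of P seconds. The event tuple layout, the sample events and the N and P values are assumptions constructed for the demo.

```python
from collections import defaultdict

def find_p2p_sources(events, threshold_n, period_p):
    """events: iterable of (timestamp_seconds, src_ip, dst_ip), one per flow
    that stage 2 already labelled 'bulk data'.  Repeated flows from a source to
    the same destination collapse into one, so only distinct targets count.
    Returns {src_ip: peak_distinct_targets} for every source that reached
    threshold_n or more distinct targets inside some window of period_p seconds."""
    by_src = defaultdict(list)
    for t, src, dst in events:
        by_src[src].append((t, dst))
    flagged = {}
    for src, conns in by_src.items():
        conns.sort()                     # sweep windows in time order
        peak = 0
        for i, (t0, _) in enumerate(conns):
            targets = set()
            for t, dst in conns[i:]:     # window [t0, t0 + period_p)
                if t >= t0 + period_p:
                    break
                targets.add(dst)
            peak = max(peak, len(targets))
        if peak >= threshold_n:
            flagged[src] = peak
    return flagged

# Constructed sample: 10.0.0.5 fans out to six peers in under a minute (block
# requests); 10.0.0.9 mirrors one site with eight flows to a single host;
# 10.0.0.7 is a browser reaching three hosts spread over ten minutes.
SAMPLE_EVENTS = (
    [(5 * i, "10.0.0.5", f"203.0.113.{i + 1}") for i in range(6)]
    + [(55, "10.0.0.5", "203.0.113.1")]
    + [(10 * i, "10.0.0.9", "198.51.100.7") for i in range(8)]
    + [(300 * i, "10.0.0.7", f"192.0.2.{i + 1}") for i in range(3)]
)

if __name__ == "__main__":
    # Only the fan-out source crosses N = 5 distinct targets within P = 120 s.
    print(find_p2p_sources(SAMPLE_EVENTS, threshold_n=5, period_p=120))
```

The mirroring host never counts above one target no matter how many flows it opens, which is the false-positive case the "multiple distinct destinations" rule is designed to exclude.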

Putting the new P2P detection and protection technology into practice

McAfee researchers integrated the technology into intrusion prevention system (IPS) products and tested it in large real networks (enterprise and open university environments). They first selected, by rapid manual inspection, some flows that were clearly unrecognized bulk data transfers, then re-ran all of them through the algorithm and found that 100% were captured. This essentially verifies that the implementation is correct: it detects all traffic matching the definition of "evasive, long-lived bulk data transfer". The researchers also analyzed the source hosts captured by stage 3 of the algorithm. Detailed forensic analysis determined that every one of these hosts had P2P activity involving protocols not covered by the existing protocol recognizer (100% accuracy, 0% false positives). The researchers further found a large amount of evasive bulk data transfer activity: by stages 1 and 2 of the algorithm, 40% to 50% of the gray flows were identified as "bulk data using evasion technology". In other words, in large real-world networks roughly half of P2P file transfers use evasion techniques that previously made them completely invisible, and they now land in the net. In another experiment the researchers selected several P2P protocols, including BitTorrent and eMule, did not load the recognizers for those protocols into the protocol identification engine, and detected them with the new algorithm alone. Using stages 1 and 2, without identifying the P2P protocol, about 84% to 92% of the long-lived bulk data traffic was captured. Since BitTorrent and eMule are the most representative P2P technologies, this result shows that the algorithm can capture 84% to 92% of the P2P bulk transfer traffic that signature-based devices previously could not see at all.

For enterprises, the gray list method combined with network behavior analysis will become the most effective way to detect and manage P2P traffic. The results described above show what this method can achieve. It makes the P2P traffic that was once hardest to detect yet consumed the most bandwidth plainly visible, giving network managers the P2P traffic monitoring and protection capabilities they badly need.
