A NEW APPROACH TO DETECT P2P TRAFFIC BASED ON SIGNATURES ANALYSIS

In recent years, peer-to-peer (P2P) networks have gained popularity in the form of file-sharing applications such as µTorrent and eMule, which use the BitTorrent and eDonkey protocols. With this popularity come security risks and external attacks, the latter often associated with data theft. In this paper we introduce a new way to monitor and detect the use of each P2P application inside a corporate network. It is based on inspecting traffic packets with the open-source packet analyzer Wireshark in order to extract digital signatures of these applications, and on the well-known Snort intrusion detection system (IDS) loaded with a number of new, adequate rules; together they give us alert messages that reveal the presence of P2P applications inside the network. We implemented our rules in Snort IDS. Over a period of time, this solution allowed us to achieve 96% effectiveness in detecting the presence of P2P applications.


INTRODUCTION
Over the past few years, P2P applications have gained immense popularity on the Internet. These applications allow users to share files and exchange data with other P2P users worldwide. However, this widespread accessibility also introduces risks, as it exposes data not only to legitimate users but also to potential intruders. Among the well-known P2P applications widely used today are µTorrent and eMule. Because they are file transfer tools, these applications are susceptible to exploits that can result in the exposure of sensitive data, network overload, and the distribution of malicious software such as spyware, bots, and viruses. Malicious actors can exploit vulnerabilities in the protocols used by P2P applications to target peer-to-peer networks.
The objective of this thesis is to devise an effective strategy for detecting the usage of P2P applications within a network and mitigating the associated risk factors involved in their utilization.
To this end, in order to monitor the network, detect any use of P2P applications and minimize the risks they generate, our work relies on the intrusion detection system Snort and on a deep analytical study of the P2P protocols. The work is divided into the following steps:
Step 1: Deep analysis of the traffic generated by the use of P2P applications with the analyzer program Wireshark. Wireshark captures network packets and displays the packet data in as much detail as possible [1].
Step 2: Extraction of the signatures of the P2P protocols (BitTorrent and eDonkey).
Step 3: Implementation of the extracted digital signatures of the P2P protocols as rules in the intrusion detection system Snort.
Step 4: Discussion of the results of monitoring the recorded network traffic, to confirm the effectiveness of this work.

BACKGROUND AND RELATED WORK
1 BACKGROUND
In this section we provide some background on peer-to-peer networks and describe some P2P applications. Peer-to-peer (P2P) networks are a type of decentralized network architecture that allows users to share files among themselves without going through a server. There are two types of P2P architecture: unstructured and structured [2]. In a structured system, peers are organized so that other peers can be searched for more efficiently, whereas in an unstructured system peers are randomly connected to some subset of the other peers [3]. There are three models of unstructured P2P network architecture [4]. P2P applications attracted millions of users soon after their appearance and are very popular on the Internet. However, peer-to-peer applications also introduce security risks that may put your information, your computer or your network in danger [5], and they remain a threat to user privacy, because they are a very effective channel for distributing viruses, bots used to launch DDoS attacks, spyware, malware, trojans, etc., through fake files or other means.
Figure: The risk of using P2P applications
Among the very popular P2P file sharing applications are µTorrent [6] and eMule [7].
eMule is a popular file sharing application based on the eDonkey and Kademlia protocols [8].
µTorrent is a very popular file sharing application that implements the BitTorrent protocol. It consumes a large amount of bandwidth, which degrades service within the corporate network and causes problems similar to a denial of service (DoS) [9]. We therefore need a new way to detect the use of these applications within the company network, and the ability to control or block them, based on intrusion detection systems.
Intrusion detection systems, which monitor the traffic passing through the network and examine the payload of each packet, help us detect P2P applications based on the signatures of the protocols these applications use. Many open-source intrusion detection systems are available, for example Snort [10]. It examines the payload of each packet and raises an alert when a signature is matched. We only need to constantly track the development of P2P applications and extract new signatures.

Packet inspection (P2P Traffic analysis)
An in-depth analysis of the packets with Wireshark is performed for each operating state of the application (connection establishment, search, download) in order to extract the digital signatures of the P2P protocols; these signatures then let us identify the use of each protocol. Figure 1 shows the working architecture used for the analysis. In the eMule traffic, the server responds to the client's request with a «Hello Answer»; the contents of this message are detailed in figure 4. On request, the server offers a public key to the client, which is used to index the client's ID at the server. The client responds with a message confirming this key.
To complete the identification, the client proposes to the server, through a signature request, a special signature that will identify its downloads and shares. The server responds with a message containing the signature, which later identifies all the tasks of this client.
The client also establishes UDP exchanges with the servers of the network to obtain status updates constantly, using the «Server status request» query.
3 - Source lookup during an eMule download relies on the Kademlia protocol, which runs over UDP, so sources can still be located even when the TCP ports are blocked.

The main queries of this protocol are shown in figure 6.
Among the extensions of the BitTorrent protocol, BitTorrent uses a distributed hash table (DHT) to store peer contact information for "trackerless" torrents. In effect, each peer becomes a tracker, called a node. Each node has a globally unique identifier known as the node ID; node IDs are chosen at random from the same 160-bit space as BitTorrent infohashes. BitTorrent clients include a DHT node, which is used to contact other nodes in the DHT to obtain the location of peers to download from with the BitTorrent protocol. The DHT protocol is carried over UDP. Figure 10 illustrates this in the captured traces, where the DHT traffic appears as a "get_peers" query [9]. The get_peers query has two arguments: the bencoded prefix «d1:ad2:id20:» introduces the 20-byte node ID of the querying node, and «info_hash20:» introduces the 20-byte infohash of the torrent being looked up [11]. BitTorrent peer exchanges can also be encrypted (protocol encryption). Protocol encryption strengthens privacy and confidentiality, and it makes the traffic harder for third parties to identify.
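As an added example (my own code, not the paper's), the three BitTorrent messages that this section's captures show, the peer handshake, the HTTP tracker request and the DHT get_peers query, are built here and the infohash is pulled out of each, to show exactly which plaintext bytes a signature can key on and that the same infohash ties the three together. The infohash, peer ID, node ID and tracker host are constructed values, not taken from the paper's traces; the last sample stands in for an encrypted peer connection, which no plaintext prefix matches.

```python
"""Added example, not code from the paper: build the three BitTorrent messages the
captures in this section show (peer handshake, HTTP tracker request, DHT get_peers
query) and pull the infohash out of each, to show exactly which plaintext bytes a
signature can key on.  Infohash, peer ID, node ID and tracker host are constructed
values, not taken from the paper's traces."""
import urllib.parse


def bencode(obj):
    """Minimal bencode encoder (BEP 3): int, bytes, list, dict with keys in sorted order."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in sorted(obj.items())) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))


def dht_get_peers(node_id, info_hash, txn=b"aa"):
    """KRPC get_peers query (BEP 5).  Sorted keys give the fixed prefix d1:ad2:id20:
    followed by 9:info_hash20:, the two arguments the text describes."""
    return bencode({b"a": {b"id": node_id, b"info_hash": info_hash},
                    b"q": b"get_peers", b"t": txn, b"y": b"q"})


def bt_handshake(info_hash, peer_id, reserved=bytes(8)):
    """Peer wire handshake: <19><'BitTorrent protocol'><8 reserved><infohash><peer_id>."""
    return b"\x13BitTorrent protocol" + reserved + info_hash + peer_id


def tracker_announce(host, info_hash, peer_id, port=6881):
    """HTTP tracker announce; info_hash and peer_id are raw bytes, so they are percent-encoded."""
    query = "info_hash=%s&peer_id=%s&port=%d" % (pct(info_hash), pct(peer_id), port)
    return ("GET /announce?%s HTTP/1.1\r\nHost: %s\r\n\r\n" % (query, host)).encode()


def pct(raw):
    return "".join("%%%02X" % b for b in raw)


def query_param(request, name):
    """Return the percent-decoded value of one query parameter of an HTTP request line."""
    request_line = request.split(b"\r\n", 1)[0]            # b"GET /announce?... HTTP/1.1"
    query = request_line.split(b"?", 1)[1].split(b" ", 1)[0]
    for pair in query.split(b"&"):
        key, _, value = pair.partition(b"=")
        if key == name:
            return urllib.parse.unquote_to_bytes(value)
    return None


def extract_info_hash(payload):
    """Classify a payload by its plaintext prefix and return (kind, 20-byte infohash).

    Returns None when no prefix matches, which is also what happens to an MSE-encrypted
    peer connection: the handshake is no longer sent in clear, so nothing here fires."""
    if payload.startswith(b"\x13BitTorrent protocol") and len(payload) >= 68:
        return "handshake", payload[28:48]
    if payload.startswith(b"GET /announce?") or payload.startswith(b"GET /scrape?"):
        return "tracker", query_param(payload, b"info_hash")
    if payload.startswith(b"d1:ad2:id20:"):
        i = payload.find(b"9:info_hash20:")
        if i != -1:
            return "dht get_peers", payload[i + 14:i + 34]
    return None


def demo():
    """Run the three messages plus a stand-in for an encrypted stream through the classifier."""
    info_hash = bytes(range(20))                      # constructed torrent infohash
    peer_id = b"-UT3600-" + b"x" * 12                 # constructed uTorrent-style peer ID
    node_id = b"N" * 20                               # constructed DHT node ID
    samples = [
        bt_handshake(info_hash, peer_id),
        tracker_announce("tracker.example", info_hash, peer_id),
        dht_get_peers(node_id, info_hash),
        bytes(range(0x80, 0xC0)),                     # opaque bytes, as an MSE stream looks on the wire
    ]
    results = [extract_info_hash(p) for p in samples]
    return [r[0] if r else None for r in results], all(r[1] == info_hash for r in results if r)


if __name__ == "__main__":
    print(demo())
```

The handshake and the DHT query are matched at a fixed offset (the bytes must start the payload), while the tracker request is parsed as HTTP; a rule that only looks for the string «info_hash» anywhere would also fire on unrelated web traffic that happens to carry that word.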

A. Signatures of protocol E-Donkey
Our signature extraction is based on three fields of the captured eDonkey packet header:
1. Protocol: a one-byte protocol ID, 0xE3 for eDonkey, 0xC5 for the eMule extensions, 0xE4 for Kademlia.
2. Size: a four-byte little-endian length giving the number of bytes that follow the size field, i.e. the message type byte plus the payload. It is present in the TCP header only; the UDP header consists of the protocol ID and the message type alone.
3. Type: a one-byte message ID (opcode) that is unique within each protocol.
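The following is an added example (my own code, not the paper's) that parses the three header fields just described and decides whether a packet really carries eDonkey, eMule or Kademlia traffic. The sample messages are constructed, not captured; the opcode numbers are the ones I know from the eMule sources (opcodes.h) and should be compared with the paper's Table 1 before use. The point of the length check is that the protocol byte alone is a weak signature: a random first byte equals 0xE3 once in 256 packets.

```python
"""Added example, not code from the paper: parse the three header fields the eDonkey
signatures above are built from (protocol ID, size, message type) and decide whether
a packet really carries eDonkey, eMule or Kademlia traffic.  The sample messages are
constructed, not captured.  The opcode numbers are the ones I know from the eMule
sources (opcodes.h); compare them with the paper's Table 1 before relying on them."""
import struct

PROTOCOL_IDS = {0xE3: "eDonkey", 0xC5: "eMule", 0xE4: "Kademlia"}

OPCODES = {  # a few message types per family, enough to name the common captures
    "eDonkey":  {0x01: "OP_HELLO/OP_LOGINREQUEST", 0x16: "OP_SEARCHREQUEST",
                 0x33: "OP_SEARCHRESULT", 0x96: "OP_GLOBSERVSTATREQ"},
    "eMule":    {0x01: "OP_EMULEINFO", 0x02: "OP_EMULEINFOANSWER", 0x90: "OP_REASKFILEPING"},
    "Kademlia": {0x11: "KADEMLIA2_HELLO_REQ", 0x19: "KADEMLIA2_HELLO_RES",
                 0x21: "KADEMLIA2_REQ", 0x29: "KADEMLIA2_RES"},
}


def tcp_message(proto_id, opcode, data=b""):
    """Pack one TCP message: <proto:1><size:4 LE><opcode:1><data>; size counts opcode + data."""
    return bytes([proto_id]) + struct.pack("<I", 1 + len(data)) + bytes([opcode]) + data


def udp_message(proto_id, opcode, data=b""):
    """Pack one UDP message: <proto:1><opcode:1><data>; the UDP header has no size field."""
    return bytes([proto_id, opcode]) + data


def parse_edonkey(payload, transport):
    """Return a dict describing the message in the payload, or None if it is not one.

    The protocol byte alone is a weak signature (a random first byte equals 0xE3 with
    probability 1/256), so for TCP the size field must agree with the real length and
    in both cases the opcode is looked up.  The length check assumes one message per
    segment; messages spanning segments need stream reassembly (Snort's stream
    preprocessor does this before content matching)."""
    if not payload or payload[0] not in PROTOCOL_IDS:
        return None
    proto = PROTOCOL_IDS[payload[0]]
    if transport == "tcp":
        if len(payload) < 6:
            return None
        size = struct.unpack_from("<I", payload, 1)[0]
        if size == 0 or size != len(payload) - 5:
            return None
        opcode = payload[5]
    elif transport == "udp":
        if len(payload) < 2:
            return None
        size, opcode = None, payload[1]
    else:
        return None
    name = OPCODES[proto].get(opcode, "unknown opcode 0x%02x" % opcode)
    return {"protocol": proto, "size": size, "opcode": opcode, "name": name}


SAMPLES = [  # (transport, payload); all constructed for this example
    ("tcp", tcp_message(0xE3, 0x01, bytes(16) + bytes(4) + bytes(2))),  # client hello: hash, id, port
    ("tcp", tcp_message(0xE3, 0x16, b"\x01" + b"\x05\x00" + b"linux")),  # search request, string "linux"
    ("udp", udp_message(0xE3, 0x96, bytes(4))),                         # server status request
    ("udp", udp_message(0xC5, 0x90, bytes(16))),                        # reask file ping
    ("udp", udp_message(0xE4, 0x11, bytes(16))),                        # KADEMLIA2_HELLO_REQ
    ("tcp", b"\xe3\xff\xff\xff\xff\x01"),                               # 0xE3 by chance, bad size
    ("tcp", tcp_message(0xE3, 0x16)[:5]),                               # header cut off
    ("udp", b"\x12\x34\x01\x00\x00\x01"),                               # DNS-like, not eDonkey
]


def demo():
    """Classify every sample; the last three must come back as None."""
    out = []
    for transport, payload in SAMPLES:
        r = parse_edonkey(payload, transport)
        out.append((r["protocol"], r["name"]) if r else None)
    return out


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, demo()):
        print(sample[0], sample[1][:8].hex(), "->", result)
```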
Through our analysis, the

Create rules of extracted signatures
The structure of the detection rules for these two protocols is based first of all on the transport protocol (TCP or UDP). As mentioned previously, each protocol is identified by a different method.

A. The rules that refer to App emule
We assign each Snort rule for an eDonkey signature a SID of 1000000 + the order of the signature in Table 1, e.g.:
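As an added example (my own code, not the paper's rule file), the block below turns a small signature table into Snort rules with the SID scheme just described and then checks the content/offset/depth semantics of the generated rules against constructed packets. The eDonkey and Kademlia entries use the protocol-ID and message-type bytes described in the signature section; the BitTorrent entries use the plaintext prefixes of the handshake, tracker request and DHT get_peers query. Rule names, the choice of opcodes and the 2000000 base for the BitTorrent table are my own assumptions, not the paper's.

```python
"""Added example, not the paper's rule file: turn a signature table into Snort rules
using the paper's SID scheme (1000000 + position of the signature in its table) and
check the content/offset/depth semantics of the generated rules against constructed
packets.  The eDonkey and Kademlia entries are the protocol-ID and message-type bytes
described above; the BitTorrent entries are the plaintext prefixes of the handshake,
tracker request and DHT get_peers query.  Rule names, the choice of opcodes and the
2000000 base for the BitTorrent table are my own, not the paper's."""

# A signature is (msg, transport, [(pattern, offset)]).  offset=None means the bytes may
# appear anywhere (a Snort content with no offset/depth); otherwise they must start there.
EDONKEY_SIGS = [  # -> sid 1000001, 1000002, ...
    ("P2P eMule client hello", "tcp", [(b"\xe3", 0), (b"\x01", 5)]),
    ("P2P eDonkey search request", "tcp", [(b"\xe3", 0), (b"\x16", 5)]),
    ("P2P eDonkey server status request", "udp", [(b"\xe3\x96", 0)]),
    ("P2P Kademlia2 hello request", "udp", [(b"\xe4\x11", 0)]),
]
BITTORRENT_SIGS = [  # -> sid 2000001, 2000002, ...
    ("P2P BitTorrent handshake", "tcp", [(b"\x13BitTorrent protocol", 0)]),
    ("P2P BitTorrent tracker announce", "tcp", [(b"GET /announce?info_hash=", 0)]),
    ("P2P BitTorrent tracker scrape", "tcp", [(b"GET /scrape?info_hash=", 0)]),
    ("P2P BitTorrent DHT get_peers", "udp", [(b"d1:ad2:id20:", 0), (b"9:info_hash20:", None)]),
]

# Bytes that may be written literally inside content:"..."; everything else, including
# the characters " ; \ | that Snort reserves, is emitted as |HH| hex.
LITERAL = set(b" !#$%&'()*+,-./0123456789:<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{}~")


def snort_content(pattern):
    parts, hexrun = [], []
    for b in pattern:
        if b in LITERAL:
            if hexrun:
                parts.append("|%s|" % " ".join(hexrun))
                hexrun = []
            parts.append(chr(b))
        else:
            hexrun.append("%02X" % b)
    if hexrun:
        parts.append("|%s|" % " ".join(hexrun))
    return '"%s"' % "".join(parts)


def make_rule(sid, msg, transport, patterns):
    """Render one rule.  depth is measured from offset, so offset:N; depth:len(pattern)
    pins the content to exactly that position, as the header-field signatures need."""
    opts = ['msg:"%s";' % msg]
    for pattern, offset in patterns:
        opts.append("content:%s;" % snort_content(pattern))
        if offset is not None:
            opts.append("offset:%d; depth:%d;" % (offset, len(pattern)))
    opts.append("classtype:policy-violation; sid:%d; rev:1;" % sid)
    return "alert %s any any -> any any (%s)" % (transport, " ".join(opts))


def build_rules(table, base):
    """The paper's scheme: sid = base + 1-based position of the signature in its table."""
    return [(base + i, sig) for i, sig in enumerate(table, 1)]


def rule_matches(payload, transport, sig):
    """Evaluate a signature the way the generated rule would (ports are left as any)."""
    msg, proto, patterns = sig
    if proto != transport:
        return False
    for pattern, offset in patterns:
        if offset is None:
            if pattern not in payload:
                return False
        elif payload[offset:offset + len(pattern)] != pattern:
            return False
    return True


def run(packets, rules):
    """Return {sid: alert count} for (transport, payload) packets, one alert per packet and rule."""
    hits = {}
    for transport, payload in packets:
        for sid, sig in rules:
            if rule_matches(payload, transport, sig):
                hits[sid] = hits.get(sid, 0) + 1
    return hits


PACKETS = [  # constructed samples, not captured traffic
    ("tcp", b"\xe3\x06\x00\x00\x00\x01" + bytes(5)),                  # eMule hello, size 6 = opcode + 5 bytes
    ("udp", b"\xe4\x11" + bytes(16)),                                  # KADEMLIA2_HELLO_REQ
    ("tcp", b"\x13BitTorrent protocol" + bytes(8) + b"H" * 20 + b"-UT3600-" + b"P" * 12),
    ("tcp", bytes(range(0x80, 0xC0))),                                 # encrypted-looking stream: no match
] + [  # three DHT lookups: the DHT rule fires once per get_peers query, hence its alert volume
    ("udp", b"d1:ad2:id20:" + b"N" * 20 + b"9:info_hash20:" + bytes([h]) * 20 + b"e1:q9:get_peers1:t2:aa1:y1:qe")
    for h in b"ABC"
]


def demo():
    rules = build_rules(EDONKEY_SIGS, 1000000) + build_rules(BITTORRENT_SIGS, 2000000)
    return [make_rule(sid, *sig) for sid, sig in rules], run(PACKETS, rules)


if __name__ == "__main__":
    rules_text, counts = demo()
    print("\n".join(rules_text))
    print(counts)
```

The generated rules can be pasted into local.rules as they are. Two details matter in practice: the header-field signatures pin each byte with offset and depth, since a bare content:"|E3|" would match any payload containing that byte, and the DHT rule raises one alert per get_peers query, which is why it dominates the alert count once a client starts looking up peers.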

IMPLEMENTATION
After extracting the digital signatures of P2P protocols to detect the usage of P2P applications and protect the network, we employed the Snort system as our chosen intrusion detection system.
Snort operates on the extracted protocol signatures. To evaluate the effectiveness of our approach, we conducted tests on a simulated network that mimics a typical company network; the setup is illustrated in figure 12. It should also be noted that the number of alerts generated by the "DHT Peer" rule is very large. This is expected, because the rule generates an alert for every get_peers request the client sends to other nodes.

Alert tcp any any -> any any (msg
The operation of the BitTorrent protocol relies on the "BitTorrent Handshake" message. We note the absence of alerts from the two BitTorrent rules "Handshake" and "Handshake Extended": with protocol encryption enabled, the handshake is no longer sent in clear text, so its signature cannot be matched.
From all these results, taken over a specific time interval, we conclude that the detection rate of P2P applications by this method was approximately 96%.

RELIABILITY TEST
To assess the reliability of our rules, we focused on the aspect of false positives, which refers to events that generate an alert indicating the use of P2P applications when there is actually no such usage.To ensure the accuracy of our rules, we conducted a test in which no P2P applications were used within the network.
During this test, we monitored the network traffic in real time for 4 days, running Snort to detect any alerts related to P2P protocols. The results were tracked and analyzed with the BASE interface. Figure 17 presents the recorded results of this experiment: 16 false alerts over the four days, an average false positive rate of 0.000643 %, which we consider acceptable and which confirms the reliability of the rules. Some false positive rate is unavoidable for this type of alert, so the context of each alert must be checked to determine whether it really reflects the use of a P2P network.

CONCLUSION
In this study, our main focus was on presenting a novel approach to detect the usage of P2P applications within a network and to mitigate the associated risks, which pose a significant threat to both company and client privacy. To achieve this, we conducted a thorough analysis of the traffic generated by the popular P2P file sharing applications µTorrent and eMule, which rely on the BitTorrent and eDonkey protocols respectively. Through this analysis, we extracted digital signatures indicative of these protocols.
Building upon this analysis, we developed a strategy that employs new rules within the Snort intrusion detection system to identify and detect P2P applications. By applying this strategy over several time periods, we achieved a 96% detection rate for P2P application usage within the network. However, we observed that P2P applications continue to evolve rapidly, which requires the rules to be updated regularly to keep detection effective and reliable.

Figure 1: Analysis of traffic by Wireshark
A. Traffic of application eMule
1 - Connection establishment
Figure 2: eDonkey packets captured during connection establishment
Figure 3:
We notice many UDP and TCP packets in this first eMule operating step, which establishes the connection needed to download files. To identify and explain all messages of the eDonkey protocol, we need to study and analyze these requests in detail.

Figure 4: Capture of the packet «Server Hello Answer»
After connecting, the eDonkey server and the client start exchanging additional parameters related to identification and sharing options. The client sends the «second identification state» message to secure its communication with the server. The server then responds with a message that contains the two previous pieces of information, «Hello» and «second identification state».

Figure 5: eDonkey packets captured during a search in eMule
The client sends a «Reask File Ping» request to the server 80.208.228.241 to locate the file, and the server responds with a «Search File Results» message. The eMule client uses the «Search File» query to request search results; this query is broadcast to all servers, and only the primary server of the eDonkey network responds to a LowID client.

Figure 6: eDonkey packets captured when downloading a file
According to figure 6, the Kademlia protocol works with four main query types: KADEMLIA_HELLO_REQ, KADEMLIA_HELLO_RES, KADEMLIA2_REQ and KADEMLIA2_RES.
B. Traffic of application µTorrent
Figure 7:
Figure 8: Peer-tracker main requests - HTTP GET
The client contacts a server called the tracker. Here the client contacts the tracker 172.67.140.164 by sending an HTTP GET scrape request, «GET /scrape?info_hash», which carries the file ID (info_hash) to obtain information about the file it wants to download. The client also sends an HTTP GET announce request, «GET /announce?info_hash», with the same info_hash to all available trackers [9]. When one of these trackers responds, for example the tracker 104.21.3.146, it answers with «HTTP/1.1 200 OK» and a text/plain body. This response contains a list of peers, which allows the client to connect to the peers sharing the file. In these captures, only HTTP is used between the client and the tracker.
3 - Once the client has connected to a peer, we notice that the first message it sends is the BitTorrent Handshake.
Figure 9:

Figure 12: Work architecture of the laboratory with P2P applications
In our implementation, the extracted signatures are written into a file named "local.rules.txt" within the Snort system. Once the signatures are in place, we launch Snort to begin the intrusion detection process. We also use the graphical interface BASE (Basic Analysis and Security Engine) to read the alerts and monitor the network status in real time.
Figure 13
Figure 13 illustrates the graphical interface used for this purpose.

Figure 17: Bar chart of the false alerts recorded
The figure displays the records for four days; 16 false alerts were taken from

Table 1: eDonkey protocol digital signatures
B. Signatures of protocol BitTorrent
From the use of the µTorrent application, from installation through to download, we have extracted several frequent signatures. The results of the BitTorrent signature analysis are summarized in Table 2.
Table 2: BitTorrent protocol digital signatures