NCM 2010, Ruo Ando
Posted on 30-Jun-2015
Blink: Large-scale P2P network monitoring and visualization system using VM introspection
Ruo Ando, Youki Kadobayashi, Yoichi Shinoda
National Institute of Information and Communications Technology
Abstract
Virtualization technologies for large-scale monitoring
■P2P networks are now widely pervasive and increase the usability of the Internet, while P2P network traffic is difficult to trace and analyze owing to network architecture, probe design and the large scale of the traffic.
■In this paper we have proposed Blink, a large-scale P2P network monitoring and visualization system using VM introspection. We have shown the improvement of P2P network probing using virtualization technologies.
■We apply a virtual machine monitor for dynamic provisioning in response to requests to analyze the large amount of data produced by P2P network monitoring.
BLINK: P2P network monitoring system based on virtual clusters
BLINK SYSTEM
① monitor / probe : virtualized
② analyzer : extensible for storage requests; analyzers can be added dynamically as traffic data grows
③ database :
P2P network communication and its security
■Distribution of P2P software and large amount of traffic: P2P applications are free. Today GNUTELLA has approximately 3,000,000 nodes and BitTorrent has more than 100,000,000 nodes. More than 70% of Internet traffic is sometimes generated by BitTorrent. Besides, more than 97% of files are illegal or malicious.
■Invisible and complicated traffic: a P2P network is constructed as an L7 application-layer network with complicated and sometimes encrypted traffic.
We need a more fine-grained, flexible and large-scale traffic monitoring system to cope with P2P networks.
Visualization in Google Earth KML (Keyhole Markup Language)
KML is a file format, well known for its use in Google Earth to display geographic data. KML has a tag-based structure based on the XML standard. The figure above shows sample output from generating a KML file.
L7 application layer network monitoring crawler is necessary
■In an application-layer network (P2P, web), packet monitoring on Layers 3-6 cannot tell us what is happening.
■In layer 7, we need a crawler: packet monitoring and “protocol speaking”.
■Where there is no open specification or information, we need to analyze the protocol with packet monitoring and debugging.
Two kinds of monitoring system: active crawler and passive crawler
A passive crawler analyzes packets sent to it: understanding the protocol. An active crawler analyzes inbound packets, sends packets and analyzes the response packets: speaking the protocol.
An active crawler has the advantage in monitoring range. To build a crawler, we first need to construct a passive monitor.
Proposed system: internal node traffic audit – Passive Monitor
■ Hooking Windows OS socket function.
□ Analyzing the socket buffer, sometimes decoding the buffer to recover “hidden” IP addresses, to construct an address list and its topology and distribution.
DLL injection
[Figure: two copies of the PE image layout (DOS header, PE header, section headers 1..N, section tables 1..N, original functions A, B, ... Z, and the table holding the memory addresses of original functions A, B, ... Z). Before injection: hook function A obtains the memory address of original function A and executes original function A. After injection: the table entry for function A now holds the memory address of hook function A (our own injected DLL), so looking up original function A's address actually returns hook function A's address, and hook function A is executed.]
Example of passive monitor
Jun 7 12:04:12 command04;1182363918;118;236;39;18;219125249219;219;125;249;219;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;581586158;58;158;61;58;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;22014878220;220;148;78;220;notification(2)
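The following added example (not code from the slides or from the Blink project) shows how a passive-monitor log in the format above is turned into the address list and topology the slides describe and then emitted as the KML the visualization slide shows. The field layout it assumes is read off the three sample lines: a syslog-style prefix ending in the probe name, a Unix timestamp, the monitored node's four octets, the peer's octets concatenated, the peer's four octets, and the decoded command. The coordinates in GEO are constructed placeholders; the slides do not say how nodes are geolocated.

```python
from collections import Counter
from dataclasses import dataclass
from xml.etree import ElementTree as ET

# Sample input: the three records shown on the "Example of passive monitor" slide.
SAMPLE_LOG = [
    "Jun 7 12:04:12 command04;1182363918;118;236;39;18;219125249219;219;125;249;219;notification(2)",
    "Jun 7 12:04:12 command04;1182363918;118;236;39;18;581586158;58;158;61;58;notification(2)",
    "Jun 7 12:04:12 command04;1182363918;118;236;39;18;22014878220;220;148;78;220;notification(2)",
]

# Constructed placeholder coordinates (lon, lat). A real deployment would use a
# geolocation database, which the slides do not describe.
GEO = {
    "118.236.39.18": (139.69, 35.69),
    "219.125.249.219": (135.50, 34.69),
    "58.158.61.58": (135.77, 35.01),
    "220.148.78.220": (130.40, 33.59),
}


@dataclass(frozen=True)
class Record:
    probe: str   # name of the probe that emitted the line
    epoch: int   # Unix timestamp recorded by the probe
    src: str     # address of the monitored node
    dst: str     # peer address decoded from the socket buffer
    event: str   # decoded command, e.g. notification(2)


def _octets(fields):
    """Join four octet fields into dotted-quad form, rejecting out-of-range values."""
    if len(fields) != 4 or not all(f.isdigit() and 0 <= int(f) <= 255 for f in fields):
        raise ValueError(f"bad IPv4 octets: {fields}")
    return ".".join(str(int(f)) for f in fields)


def parse_line(line):
    """Parse one passive-monitor line; raise ValueError on anything malformed."""
    head, *fields = line.strip().split(";")
    if len(fields) != 11:
        raise ValueError(f"expected 11 ';'-separated fields, got {len(fields)}")
    probe = head.split()[-1]          # "Jun 7 12:04:12 command04" -> command04
    src = _octets(fields[1:5])
    dst = _octets(fields[6:10])
    # Field 5 repeats the destination octets concatenated; use it as a consistency check
    # so a corrupted or truncated line is rejected instead of producing a bogus edge.
    if fields[5] != "".join(fields[6:10]):
        raise ValueError(f"destination fields disagree: {fields[5]} vs {fields[6:10]}")
    return Record(probe, int(fields[0]), src, dst, fields[10])


def parse_log(lines):
    return [parse_line(line) for line in lines if line.strip()]


def edge_counts(records):
    """Count observed (src, dst) pairs: the topology the passive monitor reconstructs."""
    return Counter((r.src, r.dst) for r in records)


def to_kml(records, geo=GEO):
    """Emit a KML document with one Placemark per node and one LineString per edge."""
    kml = ET.Element("kml", {"xmlns": "http://www.opengis.net/kml/2.2"})
    doc = ET.SubElement(kml, "Document")
    nodes = sorted({r.src for r in records} | {r.dst for r in records})
    for ip in nodes:
        lon, lat = geo.get(ip, (0.0, 0.0))
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = ip
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{lon},{lat},0"
    for (src, dst), n in sorted(edge_counts(records).items()):
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{src} -> {dst} ({n} msgs)"
        s, d = geo.get(src, (0.0, 0.0)), geo.get(dst, (0.0, 0.0))
        ET.SubElement(ET.SubElement(pm, "LineString"), "coordinates").text = (
            f"{s[0]},{s[1]},0 {d[0]},{d[1]},0")
    return ET.tostring(kml, encoding="unicode")


if __name__ == "__main__":
    print(to_kml(parse_log(SAMPLE_LOG)))
```

Running the script prints a KML document that Google Earth can open directly; the redundant concatenated-octet field is treated as a checksum of sorts, which is the kind of validation a monitor ingesting data from hooked, untrusted clients should do before it feeds the database.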
[Figure: data structure of the first packet. At offsets 0, 2 and 6: a dummy random number (2 bytes), the RC4 encryption key (4 bytes) and communication block 1 (5 bytes), followed by further communication blocks. The communication blocks are analyzed after decryption with the encryption key. Within each communication block, at offsets 0, 4 and 5: block length, command number, command arguments (arbitrary length).]
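An added example (not code from the slides) of the decode step the figure above describes: strip the 2-byte random prefix, take the 4-byte RC4 key that follows, decrypt the remainder with it, and walk the communication blocks. Everything beyond the figure is an assumption made here: the block length is a little-endian 32-bit value counting the bytes after the length field (so a block with no arguments is 5 bytes, matching the figure), the command number is one byte, and the RC4 implementation is the standard one written inline so the script runs offline. The packet in the usage call is constructed with build_packet; no real capture is used.

```python
import struct

PREFIX_LEN = 6  # 2-byte random value + 4-byte RC4 key, as in the figure
LEN_FIELD = 4   # assumed: 4-byte little-endian block length


def rc4(key, data):
    """Textbook RC4 (KSA + PRGA); used here only to decode the monitored protocol."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_packet(blocks, rand=b"\x00\x00", key=b"\x01\x02\x03\x04"):
    """Construct a first packet from (command, args) pairs (test input only)."""
    body = b"".join(
        struct.pack("<I", 1 + len(args)) + bytes([cmd]) + args for cmd, args in blocks
    )
    return rand + key + rc4(key, body)


def parse_packet(packet):
    """Return (random, key, [(command, args), ...]); raise ValueError on malformed input.

    A passive monitor sees packets from arbitrary peers, so every length is checked
    against the buffer before it is used."""
    if len(packet) < PREFIX_LEN:
        raise ValueError("packet shorter than random+key prefix")
    rand, key = packet[:2], packet[2:PREFIX_LEN]
    body = rc4(key, packet[PREFIX_LEN:])
    blocks = []
    off = 0
    while off < len(body):
        if off + LEN_FIELD > len(body):
            raise ValueError("truncated block length field")
        (length,) = struct.unpack_from("<I", body, off)
        if length < 1 or off + LEN_FIELD + length > len(body):
            raise ValueError(f"bad block length {length} at offset {off}")
        cmd = body[off + LEN_FIELD]
        args = body[off + LEN_FIELD + 1:off + LEN_FIELD + length]
        blocks.append((cmd, args))
        off += LEN_FIELD + length
    return rand, key, blocks


if __name__ == "__main__":
    pkt = build_packet([(2, b""), (7, b"hello")])
    print(parse_packet(pkt))
```

The length check is the important part for a monitor: a peer-supplied length that runs past the buffer is rejected rather than read, and a zero length (which would never advance the offset) is rejected rather than looping forever.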
Detecting super node
[Figure: a P2P network alongside the P2P trace network; the trace network detects and traces Super Node 1 and Super Node 2 to locate a file leak ("Detect and Trace!", "File Leak!").]
Demo: Visualization of Japan’s P2P network
BitTorrent Network crawling
Demo: BitTorrent and BitTorrent database
Conclusion
■P2P networks are now widely pervasive and increase the usability of the Internet, while P2P network traffic is difficult to trace and analyze owing to network architecture, probe design and the large scale of the traffic.
■In this paper we have proposed Blink, a large-scale P2P network monitoring and visualization system using VM introspection. We have shown the improvement of P2P network probing using virtualization technologies.
■We apply a virtual machine monitor for dynamic provisioning in response to requests to analyze the large amount of data produced by P2P network monitoring.
Strengthening the observation capability: building a P2P observation network using JGN2Plus
ANALYZER system in NICT (Tokyo1)
Probing in Kyoto(1G) Probing in Tokyo2(10G)
StarBED is a large-scale test bed for developers who want to evaluate their new technologies in realistic situations.