Blink: Large-scale P2P network monitoring and visualization system using VM introspection Ruo Ando, Youki Kadobayashi, Yoichi Shinoda National Institute of Information and Communication Technology

Post on 30-Jun-2015


DESCRIPTION

NCM2010, Seoul, Korea Blink: Large-scale P2P network monitoring and visualization system using VM introspection

TRANSCRIPT

Page 1: Ncm2010 ruo ando

Blink: Large-scale P2P network monitoring and visualization system using VM introspection

Ruo Ando, Youki Kadobayashi, Yoichi Shinoda
National Institute of Information and Communication Technology

Page 2: Ncm2010 ruo ando

Abstract

Virtualization technologies for large-scale monitoring

■ P2P networks are now widely pervasive and increase the usability of the Internet, while P2P network traffic is difficult to trace and analyze owing to the network architecture, probe design and the large scale of the traffic.

■ In this paper we have proposed Blink, a large-scale P2P network monitoring and visualization system using VM introspection. We have shown the improvement of P2P network probing using virtualization technologies.

■ We apply a virtual machine monitor for dynamic provisioning in response to requests to analyze large amounts of data for P2P network monitoring.

Page 3: Ncm2010 ruo ando

BLINK: P2P network monitoring system based on virtual clusters

BLINK SYSTEM
① monitor / probe: virtualized
② analyzer: extensible for storage requests; able to be added dynamically for increasing traffic data
③ database:

Page 4: Ncm2010 ruo ando

P2P network communication and its security

■ Distribution of P2P software and large amount of traffic: P2P applications are free. Today GNUTELLA has approximately 3,000,000 nodes and BitTorrent has more than 100,000,000 nodes. More than 70% of Internet traffic is sometimes generated by BitTorrent. Besides, more than 97% of files are illegal or malicious.

■ Invisible and complicated traffic: a P2P network is constructed as an L7 application-layer network with complicated and sometimes encrypted traffic.

We need a more fine-grained, flexible and large-scale traffic monitoring system to cope with P2P networks.

Page 5: Ncm2010 ruo ando

Visualization in Google Earth KML (Keyhole Markup Language)

KML is a file format, famous for its use in Google Earth to display geographic data. KML has a tag-based structure built on the XML standard. The figure above shows sample output of the generated KML file.

Page 6: Ncm2010 ruo ando

L7 application layer network monitoring crawler is necessary

■ In an application-layer network (P2P, web), packet monitoring on layers 3-6 cannot tell us what is happening.
■ In layer 7, we need a crawler: packet monitoring and "protocol speaking".
■ Where no open specification or information is available, we need to analyze the protocol with packet monitoring and debugging.

Page 7: Ncm2010 ruo ando

Two kinds of monitoring system: active crawler and passive crawler

A passive crawler analyzes the packets sent to it: understanding the protocol. An active crawler analyzes inbound packets, sends packets and analyzes the response packets: speaking the protocol.

The active crawler has the advantage in monitoring range. To build a crawler, we first need to construct a passive monitor.

Page 8: Ncm2010 ruo ando

Proposed system: internal node traffic audit – Passive Monitor

■ Hooking Windows OS socket functions.

□ Analyzing the socket buffer, sometimes decoding the buffer to reveal "hidden" IP addresses, to construct an address list and its topology and distribution.

Page 9: Ncm2010 ruo ando

DLL injection

[Figure: two PE image layouts, before and after DLL injection. Each shows the DOS header, PE header, section headers 1..N and section tables 1..N, the original functions A, B, ..., Z, and a table holding the memory address of each original function. Before injection, the caller obtains the memory address of original function A and executes original function A. After injection, the table entry for function A holds the memory address of hook function A, which lives in the injected DLL of our own; a caller that asks for the address of original function A actually obtains the address of hook function A and executes hook function A instead.]

Page 10: Ncm2010 ruo ando

Example of passive monitor

Jun 7 12:04:12 command04;1182363918;118;236;39;18;219125249219;219;125;249;219;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;581586158;58;158;61;58;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;22014878220;220;148;78;220;notification(2)
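As an added example (not code from the slides or from the Blink project), the following Python parses passive-monitor records in the format shown above into an address list and peer topology, and emits the KML Placemarks that the Google Earth slide describes, so it serves both that slide and this one. The sample records are constructed from the format above, and the coordinates dictionary stands in for a geolocation lookup that the slides do not detail.

```python
import ipaddress
import re
from xml.etree import ElementTree as ET

# Constructed sample in the slide's passive-monitor log format:
# <time> <command>;<src concatenated>;<4 src octets>;<peer concatenated>;<4 peer octets>;<event>
SAMPLE_LOG = """\
Jun 7 12:04:12 command04;1182363918;118;236;39;18;219125249219;219;125;249;219;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;581586158;58;158;61;58;notification(2)
Jun 7 12:04:12 command04;1182363918;118;236;39;18;22014878220;220;148;78;220;notification(2)
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) ([^;]+);(.*)$")

def parse_line(line):
    """Return (src, peer, event) for one record, or None if it is malformed.
    The concatenated decimal form (e.g. 581586158) is ambiguous on its own, so the
    dotted quad is rebuilt from the four explicit octet fields and the concatenation
    is only used as a consistency check on the record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group(3).split(";")
    if len(fields) != 11:
        return None
    try:  # IPv4Address rejects octets outside 0-255 and non-numeric fields
        src, peer = (str(ipaddress.IPv4Address(".".join(fields[i:i + 4]))) for i in (1, 6))
    except ValueError:
        return None
    if "".join(fields[1:5]) != fields[0] or "".join(fields[6:10]) != fields[5]:
        return None  # octets and concatenated form disagree: drop the record
    return src, peer, fields[10]

def build_topology(text):
    """Map each source node to the sorted list of peers it exchanged commands with."""
    edges = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            edges.setdefault(rec[0], set()).add(rec[1])
    return {src: sorted(peers) for src, peers in edges.items()}

def to_kml(topology, coords):
    """Emit a KML document with one Placemark per node; coords maps ip -> (lon, lat)."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for node in sorted({n for src, peers in topology.items() for n in [src, *peers]}):
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = node
        lon, lat = coords.get(node, (0.0, 0.0))  # unknown location: (0, 0) as a marker
        ET.SubElement(ET.SubElement(pm, "Point"), "coordinates").text = f"{lon},{lat},0"
    return ET.tostring(kml, encoding="unicode")
```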

[Figure: first packet data structure. Offset 0: random number (2 bytes); offset 2: RC4 encryption key (4 bytes); offset 6: communication block 1 (5 bytes), followed by further communication blocks. After decryption using the encryption key, the communication blocks are parsed. Each communication block: offset 0: block length; offset 4: command number; offset 5: command argument (arbitrary length).]
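Added example, not the authors' code: a decoder for the first-packet structure labelled in the figure above. Since the figure gives only offsets, it assumes the block-length field is a 4-byte little-endian count of the bytes that follow it; the RC4 key travelling in the clear in front of the ciphertext is exactly why a passive monitor can decode the blocks, so the encryption here is obfuscation rather than confidentiality.

```python
import struct

def rc4(key, data):
    """Plain RC4 (KSA then PRGA); the protocol's key is the 4 bytes taken from the packet."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def parse_blocks(plain):
    """Split the decrypted payload into (command_number, argument) tuples.
    Layout from the figure: block length at offset 0 (assumed 4-byte little-endian,
    counting the bytes that follow it), command number at offset 4, argument from
    offset 5 to the end of the block. Trailing partial data is an error, not ignored."""
    blocks, off = [], 0
    while off < len(plain):
        if off + 5 > len(plain):
            raise ValueError("truncated block header")
        (length,) = struct.unpack_from("<I", plain, off)
        if length < 1 or off + 4 + length > len(plain):
            raise ValueError("inconsistent block length")
        blocks.append((plain[off + 4], plain[off + 5:off + 4 + length]))
        off += 4 + length
    return blocks

def decode_first_packet(pkt):
    """First packet: 2-byte random, 4-byte RC4 key, then RC4-encrypted blocks."""
    if len(pkt) < 6:
        raise ValueError("packet shorter than random+key header")
    return parse_blocks(rc4(pkt[2:6], pkt[6:]))

def build_first_packet(key, blocks, nonce=b"\x00\x00"):
    """Inverse of decode_first_packet; used here only to construct sample input."""
    body = b"".join(struct.pack("<I", 1 + len(arg)) + bytes([cmd]) + arg
                    for cmd, arg in blocks)
    return nonce + key + rc4(key, body)
```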

Page 11: Ncm2010 ruo ando

Detecting super node

[Diagram: a P2P trace network overlaid on the P2P network, with the labels "Detect and trace!", "Super node 1", "Super node 2" and "File leak!".]

Page 12: Ncm2010 ruo ando

Demo: Visualization of Japan’s P2P network

Page 13: Ncm2010 ruo ando

BitTorrent Network crawling

Page 14: Ncm2010 ruo ando

Demo: BitTorrent and BitTorrent dataset

Page 15: Ncm2010 ruo ando

Conclusion

■ P2P networks are now widely pervasive and increase the usability of the Internet, while P2P network traffic is difficult to trace and analyze owing to the network architecture, probe design and the large scale of the traffic.

■ In this paper we have proposed Blink, a large-scale P2P network monitoring and visualization system using VM introspection. We have shown the improvement of P2P network probing using virtualization technologies.

■ We apply a virtual machine monitor for dynamic provisioning in response to requests to analyze large amounts of data for P2P network monitoring.

Page 16: Ncm2010 ruo ando

Strengthening the observation capability: building a P2P observation network using JGN2Plus

ANALYZER system in NICT (Tokyo1)

Probing in Kyoto (1G); probing in Tokyo2 (10G)

StarBED is a large-scale test bed for developers who want to evaluate their new technologies in realistic situations.
