
ACKNOWLEDGEMENTS:

My interest in the field of networking drove me to take computer networking as my course in M.Sc. There are many different types of networks. Out of them, the more popularized and upcoming trend of networks is peer-to-peer networks. This report of my final dissertation for the partial fulfilment of my M.Sc. in computer networking would not have been possible without the support of my supervisor, Mr. Harry Benetatos. He helped me a lot by guiding me and pinpointing the key mistakes which I made during my research. My course leader, Mr. Nicholas Ioannides, also helped me a lot to complete this dissertation. His advice and suggestions gave me a lot of encouragement and support, which made me do this research and finish it in time. I am very thankful to my university, LONDON METROPOLITAN UNIVERSITY, which provided me free access to the IEEE library, which helped me to find the key papers which are very useful for my research. I also thank my parents for the support they have given me in all walks of my life.

DEDICATION:

I dedicate this report to my parents and my well-wisher Sakshi for their constant support and encouragement throughout my education and life.

CHAPTER 1

PROJECT INTRODUCTION

1.1 INTRODUCTION TO THE PROJECT:

This dissertation is about security issues in peer-to-peer networks. There are many security issues in peer-to-peer networks; I have chosen to do research on worm intrusions. In this document I describe how a worm propagates in the network from one peer to another, how the worm can be detected, and how the detected worm can be attacked to save the network from getting infected.

1.2 AIM:

Security issue in Peer-to-peer networks:

Securing the peer-to-peer network from worms. 

1.3 OBJECTIVES:

  • To understand how the peers communicate with each other in the peer-to-peer network
  • To analyse the propagation of worms in the network
  • To detect the worms near the nodes of the network
  • To defend against the worms in the network

1.4 RESEARCH QUESTION:

This document briefly discusses how worms propagate in the network and how they can be detected and attacked in order to save the peer-to-peer network.

1.5 APPROACH:

My approach for this dissertation is as follows:

  • Understanding peer-to-peer networks
  • Defining the problem
  • Data collection and analysis
  • Study and understanding the existing solutions for the problem
  • Comparing different solutions
  • Conclusion

1.6 METHODOLOGY:

This section of my document contains the important steps to be followed in order to achieve the mentioned objectives. It also helps to schedule how to develop and complete the different parts of the dissertation.

In this dissertation I will first study and understand peer-to-peer networks and how the peers in the network communicate and share information with the remaining peers in the network. Then I do research on how a worm propagates in the network, how the worm can be detected, and how the detected worm can be attacked to restore the network. In pictorial form, the different stages of my dissertation are:

Literature review:

Study and understand the peer-to-peer networks

Identifying the problem :

Securing the nodes of the peer-to-peer networks from the worms

Solution to the problem:

Understanding how the worm propagates from one node to another in the network.

Detecting the worm in the network.

Attacking the detected worm and saving the network

Comparing the results

Conclusion

1.7 PREVIEW ABOUT THE COMING CHAPTERS IN THE REPORT:

The rest of the report is organised as follows. In chapter 2, there is a brief discussion of peer-to-peer networks, the different types of peer-to-peer networks, and the advantages and disadvantages of peer-to-peer networks. There is also some information about worms, their nature and the different types of worms. In chapter 3, there is a discussion of the methods given by different people to detect a worm in the network by matching the characteristic string of the worm. In section 4, there is a solution for this issue, that is, a mathematical method of detecting the worm in the network and defending against it. Chapter 5 consists of a critical appraisal and suggestions for further work. Finally, I conclude in chapter 6.

CHAPTER 2

OVERVIEW OF THE GENERIC AREA AND IDENTIFICATION OF PROBLEM:

2.1 NETWORK:

A network is a group of electronic devices which are connected to each other in order to communicate with each other. The devices can be computers, laptops, printers etc. Networks can be wired or wireless. Wired networks are networks in which the devices are connected with the help of wires. Wireless networks are networks in which the devices are connected without wires. There are many different types of networks, and peer-to-peer is one of the important and special types of networks.

2.2 PEER-TO-PEER NETWORKS:

Peer-to-peer networks emerged in 1990 because of the development of peer-to-peer file sharing like Napster [1]. Peer-to-peer networks, abbreviated as p2p networks, are networks in which all the nodes or peers act as servers as well as clients on demand. This is unlike the typical client-server model, in which the clients request the services and the server supplies the resources. In peer-to-peer networks every node requests services like a client and every node supplies resources like a server on demand. A peer-to-peer network doesn’t need any centralized server coordination. A peer-to-peer network is scalable: addition of new nodes to the network or removal of already existing nodes doesn’t affect the network, which means addition or removal of nodes can be done dynamically. All the nodes connected in a peer-to-peer network run the same network protocol and software. Resources available on one node are available to the remaining nodes of the network, and they can access this information easily. Peer-to-peer networks provide robustness and scalability. All wired and wireless networks can be configured as peer-to-peer networks. Home networks and small enterprise networks are preferable to configure as peer-to-peer networks. Most networks are not pure peer-to-peer networks because they use some network interface devices. In the beginning, the information was stored at all the nodes by making a copy of it, but this increases the flow of traffic in the network. Now a centralised system is maintained by the network and the requests are directed to the nodes which contain the relevant information. This saves time and reduces the traffic flow in the network.

2.3 WIRELESS NETWORKS:

Devices connected to each other without any wires can also be configured as peer-to-peer networks. For a small number of devices it is preferable to configure the network as a wireless peer-to-peer network because it is easy to share data in both directions. It is even cheaper to connect the network as wireless peer-to-peer because we do not need to spend on wires.

Peer-to-peer networks are divided into three types. They are:

  1. Instant messaging networks
  2. Collaborative networks
  3. Affinity community networks[2]

Instant messaging networks:

In this type of peer-to-peer network, the users can chat with each other in real time by installing software such as MSN Messenger, AOL Instant Messenger etc.

Collaborative networks:

This type of peer-to-peer network is also called distributed computing. It is widely used in the fields of science and biotechnology, where intense computer processing is needed.

Affinity community peer-to-peer networks:

It is a type of p2p network where a group of devices is connected only for the purpose of sharing data among them.

Peer to peer networks are basically classified into two types. They are:

  • Structured peer-to-peer networks
  • Unstructured peer-to-peer networks

2.4 STRUCTURED PEER-TO-PEER NETWORKS:

In structured peer-to-peer networks, the nodes connected in the network are fixed. They use a distributed hash table (DHT) for indexing [4].

In a DHT, data is stored in the form of a hash table of (key, value) pairs. Any node willing to retrieve the data can easily do so using the keys. The mapping of values to keys is maintained by all the nodes present in the network, such that there will be very little disruption in case of a change in the set of participants.

DHT-based networks are very efficient in retrieving the resources.

2.5 UNSTRUCTURED PEER-TO-PEER NETWORKS:

In an unstructured p2p network, nodes are established arbitrarily. There are three types of unstructured p2p networks. They are:

Pure peer-to-peer

Hybrid peer-to-peer

Centralized peer-to-peer

In pure p2p networks all the nodes in the network are equal. There won’t be any preferred node with a special infrastructure function.

In hybrid p2p networks there are special nodes called “supernodes” [3]. A supernode can be any node in the network, depending on the momentary need of the network.

A centralized p2p network is a type of hybrid network in which there is one central system which manages the network. The network is not able to work without this centralized system.

Basically, every node in a peer-to-peer network contains the information of its neighbours in its routing table. The rate of propagation of worms in peer-to-peer networks is larger than in other networks. This is because the information about the neighbour peers can easily be obtained from the routing table of the infected node.

Different types of files are shared between the nodes in peer-to-peer networks. These files can be audio files, video files, music files, text documents, books, articles etc. There is a lot of peer-to-peer software available these days in the market for sharing files. Some of them are BitTorrent, LimeWire, Shareaza, Kazaa, iMesh, BearShare Lite, eMule, KCeasy, Ares Galaxy, Soulseek, WinMX, Piolet, Gnutella, Overnet, Azureus (Vuze), FrostWire, uTorrent, Morpheus, Ants, Acquisition [5]. There is a lot more file sharing software in the market, but these are the top 20 file sharing programs for peer-to-peer networks.

Basically, all the nodes connected together in the network should be configured with the same network protocol, and the same software should be installed on all the nodes in order for them to communicate with each other. The nodes in the network cannot communicate if they are configured with different software or protocols.

2.6 ADVANTAGES OF PEER-TO-PEER NETWORKS [6]:

  1. It is more useful for a small business network comprising a very small number of computer systems or devices.
  2. Computers in this network can be configured easily.
  3. A full-time network administrator is not required for p2p networks.
  4. Easy maintenance of the network.
  5. Only a single operating system and fewer cables are needed to get connected.
  6. Can be installed easily.
  7. Users can control the shared resources.
  8. The distributed nature of the network increases the robustness of the network.

2.7 DISADVANTAGES OF THE PEER-TO-PEER NETWORKS [12]:

  1. No centralised administration
  2. Back-up should be performed on each computer individually.
  3. Peer-to-peer networks are not secure
  4. Every computer in the network behaves as server and client which can slow down the performance of the system
  5. Legal controversy with the copyrights.

2.8 WORM:

A worm is a computer malware program, or what can be called a mischievous code, which can multiply itself into several replicas, i.e. duplicate itself into several copies. A worm can simply be called an “autonomous intrusion agent” [19]. It doesn’t actually alter the function of the system but passes through it, i.e., a worm is unlike a virus. It intrudes into the network without the mediation of the user.

This was first detected by Robert T Morris in 1988 [18]. Today we have some billions of systems connected to the internet, but during 1988 there were only 60,000 systems connected to the internet. During that period 10% of the internet systems, i.e., 6000 of the systems, were infected and almost clogged because of the worms [8].

When a worm enters the system it hides in the operating system where it cannot be noticed [18]. It drastically slows down the system and affects the other programs in the system. In the worst cases it could even affect the entire network and slow down the internet across the whole world.

As said earlier, it replicates itself into multiple copies, attaches itself to emails and corrupts them, and sometimes deletes files without user interaction. If it enters our email, it is able to send itself to all the contacts in our email book, and then to all the contacts in the email books of those contacts; in this way it propagates, grows and spreads at a higher rate.

Worms will even create a “backdoor” into the computer [11]. This makes it easy for attackers to send spam.

Some famous worms discovered in 2003 and 2004 are “Mydoom”, “Sobig” and “Sasser” [7]. The “Sasser” worm has recently affected computers which use the Windows 2000 or Windows XP operating system. It restarts the system automatically and crashes it. It spreads to all the nodes in the network.

There are some worms which are unlike normal worms. These worms are sometimes very useful to the user; hence, they are called “helpful worms” [9]. Sometimes they help users without any interaction with the user. But most of the known worms are harmful and will always try to infect the nodes in the network and affect the performance of the network.

When peer-to-peer networks are attacked by worms, the efficiency of the network is reduced. So there is a need to prevent worms from entering the network and spreading all over it. The worms should be detected and defended against. If we delay in defending against these worms, they replicate, make many copies of themselves and spread all through the network. This is very dangerous to the network as it affects the performance and efficiency of the network [10].

CHAPTER 3

RELEVANT WORK DONE BY OTHERS IN ORDER TO SOLVE THE PROBLEM:

Many people have proposed solutions to this problem. First, Zhou L gave a solution to the p2p worm and observed that the propagation of a worm in a p2p network is very fast when compared to other networks [13]. Jayanthkumar performed some simulations on worm propagation from an infected node to other nodes [10]. Wei Yu researched the behaviour of worms in p2p networks [14]. In my research I found one more interesting method of detecting worms in the peer-to-peer network. The authors Yu Yao, Yong Li, Fu-xiang Gao and Ge Yu, in their paper titled “A Signature-behaviour-based P2P worm detection approach”, proposed a mechanism for detecting known worms in peer-to-peer networks based on characteristic string matching. A worm makes use of vulnerabilities in the network and spreads [15]. They also proposed a detection mechanism for unknown worms based on their behaviour. Their technique mainly consists of characteristic string matching, application identification and unknown worm detection. For matching the characteristic string of the worm they give an algorithm called the suffix-tree algorithm - suffix-array algorithm, which is efficient and simple with very low time complexity. As a peer-to-peer network follows a fragment transfer technique, there is a chance that the characteristic string of the worm is split across different blocks of data; during the reorganisation process this characteristic string can still identify the worm. The authors validated their results by simulation and showed that their method is one of the efficient methods of p2p worm detection.

As mentioned above, this method detects known worms by characteristic string matching and unknown worms by their behaviour. The network packets are first captured using the function library called “LibPcap”, which captures network packets on UNIX and Linux platforms and contains many functions that are useful for this. After the packets are captured, the non-P2P packets are filtered out so that only P2P packets remain. In these P2P packets the known worms are detected using characteristic string matching, which is implemented by a couple of algorithms: the “suffix array algorithm” and the “dichotomy algorithm”. These algorithms are very accurate and are capable of detecting worms in very little time. As mentioned above, peer-to-peer networks follow a fragment transfer mechanism, so the characteristic string of the worm can be split across different blocks of data. In this situation it is difficult to detect the worm if matching is based on a single packet. If the characteristic string lies within one block but is divided between two packets, the parts of the characteristic string in the two data packets need to be restructured; after restructuring, the worm can be detected using the matching mechanism. In this way a known worm in the network is detected using characteristic string matching. Unknown worms in the p2p network can be detected from the behaviour characteristics of the worm at the initial stage of its propagation; this can be called behaviour-based detection of unknown p2p worms. In this way all the known and unknown worms in the network are detected.

3.1 P2P KNOWN WORM DETECTION:

There are four steps in detecting the p2p known worms. They are:

  1. Deal flow
  2. Technology of identifying the application
  3. Characteristic string matching
  4. Reorganising the characteristic string

3.1.1 DEAL FLOW:

In the deal flow step, the flow of data is handled in four steps [16].

Step 1: Extract the p2p data stream from the original data stream.

Step 2: Check the extracted p2p data stream for worms using characteristic string matching against the worms already existing in the library.

Step 3: The data flow is reorganised. It now contains the worm characteristic string as well. Go to step 2.

Step 4: Check the data flow for unknown worms using unknown worm detection techniques.

After performing the four steps, update the library.

All four steps are represented pictorially as follows.

Figure 4: flow chart representing the four steps to detect worms (branches labelled yes/no and normal/abnormal)

3.1.2 TECHNOLOGY OF IDENTIFYING THE APPLICATION:

As said earlier, this paper captures the data packets and scans them for known worms with the help of a function library called “LibPcap” [17]. For this there should already be some rules assigned in the network interface devices. Assigning these rules to the devices is done in the following stepwise procedure:

  • Identify the available network interface devices
  • Open the network interface device
  • Compile the rules that we want to attach to the devices
  • Set up the filtering rules on the device
  • Now operate the equipment
  • Start the process of capturing the packets

There are some rules for identifying the p2p application. They are:

  1. Characteristic information of the known p2p is used.
  2. Sometimes, if source-destination IP pairs don’t use the known P2P and they use TCP and UDP at the same time, then they are p2p.
  3. At a particular time the source pairs {srcIP, srcport}[27] and the destination pairs {dstIP, dstport}[27] are checked.

From these we can identify whether it is p2p or not: if the number of connection ports is equal to the number of connection IPs, then we can say that it is p2p. There are situations where these rules have been applied incorrectly, so some amendments were made to them. The amendments are that rule (2) can identify even the mazes which are present, and rule (3) is modified in such a way that in the detect cycle the {srcIP, srcport}[27] pairs at the source and the {dstIP, dstport}[27] pairs at the destination are checked. From this they derived that if the number of connection ports is equal to the number of connection IPs, the protocols which are used are the same; if they are different, then the protocols are different.
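Rules (2) and (3) can be applied to flow records as in the following added example, which is not code from the paper or the dissertation. The flow tuples are constructed sample data, and the `min_peers` threshold is an assumption added here so that an endpoint with a single peer (one IP, one port) is not reported.

```python
from collections import defaultdict

# Constructed flow records: (proto, src_ip, src_port, dst_ip, dst_port).
FLOWS = [
    # Four peers, one connection each, to a listener on 10.0.0.2:6881.
    ("tcp", "10.0.1.1", 40001, "10.0.0.2", 6881),
    ("tcp", "10.0.1.2", 40002, "10.0.0.2", 6881),
    ("tcp", "10.0.1.3", 40003, "10.0.0.2", 6881),
    ("tcp", "10.0.1.4", 40004, "10.0.0.2", 6881),
    # Three web clients, two parallel connections each, to 10.0.0.80:80.
    ("tcp", "10.0.3.1", 50001, "10.0.0.80", 80),
    ("tcp", "10.0.3.1", 50002, "10.0.0.80", 80),
    ("tcp", "10.0.3.2", 50003, "10.0.0.80", 80),
    ("tcp", "10.0.3.2", 50004, "10.0.0.80", 80),
    ("tcp", "10.0.3.3", 50005, "10.0.0.80", 80),
    ("tcp", "10.0.3.3", 50006, "10.0.0.80", 80),
    # One IP pair using TCP and UDP within the same detection cycle.
    ("tcp", "10.0.2.1", 5000, "10.0.2.2", 4662),
    ("udp", "10.0.2.1", 5001, "10.0.2.2", 4672),
]


def identify_p2p(flows, min_peers=3):
    """Apply rules (2) and (3) to the flows of one detection cycle.

    Returns (rule2_pairs, rule3_endpoints):
      rule2_pairs     - IP pairs that used both TCP and UDP
      rule3_endpoints - {IP, port} pairs whose number of distinct peer
                        ports equals their number of distinct peer IPs
    """
    protos = defaultdict(set)                    # IP pair -> protocols seen
    peers = defaultdict(lambda: (set(), set()))  # {IP, port} -> (peer IPs, peer ports)

    for proto, sip, sport, dip, dport in flows:
        protos[tuple(sorted((sip, dip)))].add(proto)
        # Record the connection from the point of view of both endpoints.
        for (ip, port), (pip, pport) in (((sip, sport), (dip, dport)),
                                         ((dip, dport), (sip, sport))):
            ips, ports = peers[(ip, port)]
            ips.add(pip)
            ports.add(pport)

    rule2 = sorted(pair for pair, seen in protos.items()
                   if {"tcp", "udp"} <= seen)
    # min_peers is an assumed threshold, not a value given in the paper.
    rule3 = sorted(ep for ep, (ips, ports) in peers.items()
                   if len(ips) >= min_peers and len(ips) == len(ports))
    return rule2, rule3


if __name__ == "__main__":
    pairs, endpoints = identify_p2p(FLOWS)
    print("TCP+UDP pairs:", pairs)
    print("IP-count == port-count endpoints:", endpoints)
```

The web server is not reported because each client opens several parallel connections, so it sees more peer ports than peer IPs, while the p2p listener sees one port per peer.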

3.1.3 CHARACTERISTIC STRING MATCHING:

This is the most important section of the paper. Here the authors give definitions of the terms used and the algorithms used to detect the worm. A couple of algorithms are mentioned: the suffix-array algorithm and the dichotomy algorithm. The entire process of detecting the worm depends on the efficiency and accuracy of these algorithms.

Before using and understanding the suffix-array algorithm, we will try to understand some keywords and rules.

Suffix: a suffix is the part of a string that starts at a particular location and runs to the end of the string. If a suffix of the string S starts at location ‘i’ and runs to the end of S, then it can be represented as Suffix(i) = S[i, Len(S)] [27].

Let us understand how strings are compared. The comparison in this paper follows “dictionary comparison”. If u and v are two strings, comparing u and v is the same as comparing u[i] and v[i] character by character, where ‘i’ starts with the value 1.

  • String u is equal to string v, i.e., u=v, when u[i]=v[i]
  • String u is greater than string v, i.e., u>v, when u[i]>v[i]
  • String u is less than string v, i.e., u<v, when u[i]<v[i]

If no result has been obtained by the time i>len(u) or i>len(v), then if len(u)>len(v) then u>v, if len(u)<len(v) then u<v, and if len(u)=len(v) then u=v [27].

Suffix-array: the suffix array is denoted by SA. It is a one-dimensional array SA[1], SA[2], SA[3], … and so on. Here Suffix(SA[i]) < Suffix(SA[i+1]), where 1 ≤ i < n; that means all the suffixes in the array are arranged in order from small to large.

Rank-array: the rank array is nothing but SA⁻¹ (the inverse of SA). If SA[i]=j, then Rank[j]=i. We can say that Rank[i] saves the rank of Suffix(i) in ascending order among all the suffixes.

In this paper the authors take the example of the string “science” and explain everything clearly. The string “science” generates seven suffixes. They are:

Suffix(1): science

Suffix(2): cience

Suffix(3): ience

Suffix(4): ence

Suffix(5): nce

Suffix(6): ce

Suffix(7): e

When we sort them in dictionary order, they will be in the following order:

Suffix(6)= ce

Suffix(2)= cience

Suffix(7)= e

Suffix(4)= ence

Suffix(3)= ience

Suffix(5)= nce

Suffix(1)= science

The suffix-array algorithm follows the doubling idea. First get SA_1 and Rank_1 by comparing every character in the string; comparing strings is similar to comparing every character sequentially. From SA_1 and Rank_1 we can derive SA_2 and Rank_2, which in turn derive SA_4 and Rank_4, which again derive SA_8 and Rank_8. Finally the suffix array and rank array are derived from this process. The main steps of the suffix-array algorithm are:

  • Calculating SA_1 and Rank_1. First all the suffixes are arranged in order of their first letter; the suffix array (SA_1) is generated using the quick sort algorithm and then Rank_1 is also generated.
  • Comparing the 2k-prefixes of Suffix(i) and Suffix(j) using SA_k and Rank_k.

2k-Suffix(i) = 2k-Suffix(j) is equivalent to Rank_k[SA_k[i]] = Rank_k[SA_k[j]] and Rank_k[SA_k[i+k]] = Rank_k[SA_k[j+k]]

2k-Suffix(i) < 2k-Suffix(j) is equivalent to Rank_k[SA_k[i]] = Rank_k[SA_k[j]] and Rank_k[SA_k[i+k]] < Rank_k[SA_k[j+k]], or Rank_k[SA_k[i]] < Rank_k[SA_k[j]] [16].

The suffix-array algorithm is a sorting algorithm, so the characteristic string can be searched for using a binary search algorithm. The algorithm is as follows:

Step 1: in the first step the values are assigned: left=1, right=n and max_match=0

Step 2: compute the middle value, i.e., mid = (left + right)/2.

Step 3: compare the characters of Suffix(SA[mid]) and P. The longest common prefix r can be helpful in implementation and comparison. If r > max_match, then max_match=r.

Step 4: if Suffix(SA[mid])<P, then left=mid+1

 If Suffix(SA[mid])>P, then right=mid-1

 If Suffix(SA[mid])=P, then go to step 6

Step 5: if left<right, then go to step 2, else go to step 6

Step 6: if max_match= m, then print “match is successful”.
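The suffix-array construction and the binary search of steps 1 to 6 can be written out as follows; this is an added example, not code from the paper or the dissertation. It uses 0-based indexing, orders suffixes at each doubling step by the pair (Rank_k[i], Rank_k[i+k]), and the signature and payload bytes are constructed sample values.

```python
def build_suffix_array(data: bytes):
    """Return (sa, rank), 0-based, built by prefix doubling.

    sa[p] is the start of the p-th smallest suffix; rank is the inverse of sa.
    """
    n = len(data)
    sa = list(range(n))
    rank = list(data)                  # Rank_1: order by first byte only
    k = 1
    while n > 0:
        # Key for the first 2k bytes of suffix i; -1 marks "past the end",
        # so a shorter suffix sorts before a longer one with the same prefix.
        def key(i, rank=rank, k=k):
            return (rank[i], rank[i + k] if i + k < n else -1)

        sa.sort(key=key)
        new_rank = [0] * n
        for pos in range(1, n):
            prev, cur = sa[pos - 1], sa[pos]
            new_rank[cur] = new_rank[prev] + (key(cur) != key(prev))
        rank = new_rank
        if rank[sa[-1]] == n - 1 or k >= n:   # all suffixes distinguished
            break
        k *= 2
    return sa, rank


def one_based(indices):
    """Convert 0-based positions to the 1-based numbering used in the text."""
    return [i + 1 for i in indices]


def common_prefix_len(a: bytes, b: bytes) -> int:
    i, limit = 0, min(len(a), len(b))
    while i < limit and a[i] == b[i]:
        i += 1
    return i


def find_signature(data: bytes, sa, pattern: bytes):
    """Binary search for pattern among the sorted suffixes of data.

    Returns (found, max_match, offset); max_match is the longest prefix of
    pattern seen during the search, offset is -1 when there is no match.
    """
    m = len(pattern)
    if m == 0:
        raise ValueError("empty characteristic string")
    left, right, max_match = 0, len(sa) - 1, 0
    # Loop while the window is non-empty so the last candidate is compared too.
    while left <= right:
        mid = (left + right) // 2
        start = sa[mid]
        window = data[start:start + m]     # only the first m bytes matter
        r = common_prefix_len(window, pattern)
        max_match = max(max_match, r)
        if r == m:                         # max_match == m: match is successful
            return True, m, start
        if window < pattern:
            left = mid + 1
        else:
            right = mid - 1
    return False, max_match, -1


# Constructed sample values, not a real worm signature or capture.
SIGNATURE = b"EXAMPLE-WORM-SIG"
PAYLOAD = b"piece=17 \x00\x01filler" + SIGNATURE + b"trailer"

if __name__ == "__main__":
    sa, rank = build_suffix_array(b"science")
    print("SA  :", one_based(sa))
    print("Rank:", one_based(rank))
    payload_sa, _ = build_suffix_array(PAYLOAD)
    print(find_signature(PAYLOAD, payload_sa, SIGNATURE))
```

The suffix array is built once per captured buffer; each characteristic string in the library is then looked up against it with `find_signature`.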

3.1.4 REORGANISING THE CHARACTERISTIC STRING:

In this step the characteristic string is reorganised. If the characteristic string is divided between two different data blocks, then the data block with the partial characteristic string is stored. All the information about a data block, such as its index, beginning offset and length, is contained at the head of each block. Here a structure piece is defined which consists of the index of the block, the beginning offset of the block, the length of the character array head and the length of the character array end [18]. Initially each data packet is compared with the characteristic string for matching. If it matches, a warning or alert about the worm is sent to all the users. If the tail of the characteristic string of the worm matches the head of the data block, then it is stored in the character array end; and if the head of the characteristic string matches the tail of the data block, then it is stored in the corresponding character array head. If the neighbouring data block contains a partial characteristic string of the worm, then the neighbouring strings in the array head and array end are reorganised. The reorganised string then goes through characteristic string matching again, and if any worm is detected a warning is again sent to all users saying that a worm has been found. If it does not match, no operation is performed.

If the characteristic string is present in one block but is divided between two different data packets, then a special term called “character array” is introduced. First the matching mechanism is performed on both data packets. If the matching characteristic string is found, a warning is sent to the users that there is a worm present. If only part of the characteristic string is found, it is enough that one of the following requirements is met: the head of the data packet matches the tail of the characteristic string, or the tail of the data packet matches the head of the characteristic string. If these conditions are not satisfied, no operation is performed. If the tail of the data packet contains the partial characteristic string, then the data packet is stored in the array; if the length of the characteristic string is m, then Array[m] is set to ’\0’. If the head of the data packet contains a part of the characteristic string, then that data packet is stored in the n consecutive units of the array. Finally, this array goes through characteristic string matching, and if the worm is detected a warning is sent to all the users. If it does not match, nothing is done.
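The reorganisation step can be sketched as below; this is an added example, not the paper's implementation. It keeps up to m-1 boundary bytes on each side of every block (rather than only the matched part) so that overlapping partial matches are not missed, uses a plain substring test in place of the suffix-array matcher, and assumes a characteristic string spans at most two neighbouring blocks. The class, field names and sample bytes are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Piece:
    """Per-block record, following the 'piece' structure described above."""
    index: int        # index of the block
    offset: int       # beginning offset of the block in the file
    length: int       # length of the block
    sig_head: bytes   # tail of the block: may hold the head of a signature
    sig_end: bytes    # head of the block: may hold the tail of a signature


class SignatureReassembler:
    def __init__(self, signature: bytes):
        if len(signature) < 2:
            raise ValueError("signature must be at least 2 bytes")
        self.sig = signature
        self.keep = len(signature) - 1   # m-1 bytes can never hold a full match
        self.pieces = {}

    def feed(self, index: int, offset: int, block: bytes):
        """Process one block (blocks may arrive in any order).

        Returns a list of alerts: ("whole", index) when the signature lies
        inside the block, ("split", left, right) when it straddles the
        boundary between two stored neighbouring blocks.
        """
        alerts = []
        if self.sig in block:
            alerts.append(("whole", index))

        self.pieces[index] = Piece(
            index=index,
            offset=offset,
            length=len(block),
            sig_head=block[-self.keep:],
            sig_end=block[:self.keep],
        )

        # Re-match across both boundaries of the block that just arrived.
        for left, right in ((index - 1, index), (index, index + 1)):
            a, b = self.pieces.get(left), self.pieces.get(right)
            if a is None or b is None:
                continue
            if a.offset + a.length != b.offset:
                continue                 # not actually adjacent in the file
            # Each side is shorter than the signature, so any hit in the
            # joined bytes necessarily crosses the block boundary.
            if self.sig in a.sig_head + b.sig_end:
                alerts.append(("split", left, right))
        return alerts


if __name__ == "__main__":
    # Constructed sample: the signature is cut between block 0 and block 1,
    # and block 1 is received before block 0.
    r = SignatureReassembler(b"EXAMPLE-WORM-SIG")
    print(r.feed(1, 28, b"WORM-SIG" + b"B" * 20))
    print(r.feed(0, 0, b"A" * 20 + b"EXAMPLE-"))
```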

3.2 DETECTING UNKNOWN P2P WORM:

In the above section we have seen how a known worm is detected. But that algorithm or mechanism is not meant to detect unknown p2p worms. In this section we will understand how unknown worms can be detected and restrained in the network. As we know, in p2p networks a node is able to send information to multiple hosts at the same time, and the same protocol is used by all the nodes in the network [27]. These characteristics of the network help a worm to propagate easily. As discussed above, only known worms can be detected using the characteristic string matching method. Unknown worms are detected based on the behaviour of the node. Some of the detection rules are: files with the same content are transferred to multiple hosts in a very short time; the same protocol is used and the destination port is the same. If these rules are satisfied by the source port then it allows the p2p worm to propagate. It is then necessary to extract the characteristics of the worm near the worm propagation nodes. When these characteristics are extracted, they are added to the feature library. This data similarity comparison and characteristic extraction are done using the LCSeq algorithm; the LCSeq algorithm based on a generalized suffix tree (GST) is the more efficient. The overall idea is that all the suffixes are represented as a tree.

This tree has some characteristics:

  • Every node in the tree is a string and the root is the empty string.
  • Every suffix can be represented as a path from the root.
  • Every substring can be considered as a prefix of a suffix.
  • To search for the common subsequence, every node should be given the information of the source string it belongs to.
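The behaviour rules and the extraction step can be combined as in the following added example, which is not code from the paper or the dissertation. The flow records, the 10-second window and the three-host threshold are assumptions made here, and the common characteristic is extracted with a simple set-based longest-common-substring search standing in for the generalized-suffix-tree version.

```python
import hashlib
from collections import defaultdict

# Constructed payloads: two sources wrap the same body in different framing.
BODY = b"CONSTRUCTED-WORM-BODY-0001"
P1 = b"piece=3 " + BODY + b" end"
P2 = b"chunk:7;" + BODY + b";eof"
FILE = b"ordinary shared document contents"

# Constructed flow records: (time_s, src, dst, proto, dst_port, payload).
FLOWS = [
    (0.0, "10.0.0.5", "10.0.1.1", "tcp", 6346, P1),
    (1.5, "10.0.0.5", "10.0.1.2", "tcp", 6346, P1),
    (4.0, "10.0.0.5", "10.0.1.3", "tcp", 6346, P1),
    (2.0, "10.0.0.9", "10.0.2.1", "tcp", 6346, P2),
    (5.0, "10.0.0.9", "10.0.2.2", "tcp", 6346, P2),
    (8.0, "10.0.0.9", "10.0.2.3", "tcp", 6346, P2),
    # Same file to three hosts, but the third transfer is two minutes later.
    (0.0, "10.0.0.7", "10.0.3.1", "tcp", 6346, FILE),
    (2.0, "10.0.0.7", "10.0.3.2", "tcp", 6346, FILE),
    (120.0, "10.0.0.7", "10.0.3.3", "tcp", 6346, FILE),
    # Same file to three hosts quickly, but on three different ports.
    (0.0, "10.0.0.8", "10.0.4.1", "tcp", 1001, FILE),
    (1.0, "10.0.0.8", "10.0.4.2", "tcp", 1002, FILE),
    (2.0, "10.0.0.8", "10.0.4.3", "tcp", 1003, FILE),
]


def suspicious_sources(flows, window_s=10.0, min_hosts=3):
    """Return {src: payload} for sources that sent identical content to at
    least min_hosts distinct hosts, over one protocol and one destination
    port, within window_s seconds (thresholds are assumed values)."""
    groups = defaultdict(list)
    for ts, src, dst, proto, dport, payload in flows:
        digest = hashlib.sha256(payload).hexdigest()
        groups[(src, proto, dport, digest)].append((ts, dst, payload))

    flagged = {}
    for (src, _proto, _dport, _digest), events in groups.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1               # slide the window forward
            hosts = {dst for _, dst, _ in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                flagged[src] = events[end][2]
                break
    return flagged


def longest_common_substring(payloads):
    """Longest byte string present in every payload (b"" if none)."""
    if not payloads:
        return b""
    base = min(payloads, key=len)

    def common_of_len(size):
        cands = {base[i:i + size] for i in range(len(base) - size + 1)}
        for p in payloads:
            cands &= {p[i:i + size] for i in range(len(p) - size + 1)}
            if not cands:
                return None
        return min(cands)                # deterministic choice among ties

    # If a common substring of length L exists, so does one of every
    # shorter length, so the answer can be found by binary search on L.
    lo, hi, best = 1, len(base), b""
    while lo <= hi:
        mid = (lo + hi) // 2
        hit = common_of_len(mid)
        if hit is not None:
            best, lo = hit, mid + 1
        else:
            hi = mid - 1
    return best


if __name__ == "__main__":
    flagged = suspicious_sources(FLOWS)
    print("suspect sources:", sorted(flagged))
    print("candidate characteristic string:",
          longest_common_substring(list(flagged.values())))
```

The extracted string is only a candidate for the feature library; a substring shared by benign transfers of a popular file would be extracted in exactly the same way.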

3.3 EXPERIMENT:

We know that the worm body tries to infect the other nodes in the network by sending the worm to specific ports of a p2p node. The authors tried to prove the efficiency of their method by performing an experiment. In this experiment they prepared multiple groups of worm bodies and sent them repeatedly at regular intervals of time. They then captured these packets, extracted their characteristics and compared them with the ones that already exist in the feature library.

The p2p worm is detected separately using different algorithms, namely the BF algorithm, the KMP algorithm and the suffix-array algorithm, and their results are compared across three experiments. In experiment 1, the worm characteristics are in the same packet. In experiment 2, the worm characteristics are in the same data block but in different packets. Finally, in experiment 3, the worm characteristics are in different data blocks. The following results were observed:

Graph 1: Experiment results comparing packet loss rate.

Graph 2: Experiment results comparing worm detecting rate.

3.4 SUMMARY:

In this chapter, the authors have proposed four steps for detecting worms in the network. They are: deal flow, technology of identifying the application, characteristic string matching and reorganising the characteristic string. Initially a feature library is taken and some characteristic strings are assigned to it. The worms that propagate in the network are matched with these strings; if they match, they are detected. Then the feature library is updated. The suffix-array algorithm is given to perform the string matching. In this chapter, unknown p2p worms are also detected. But no methods are proposed for defending against the worms; only detection methods for known and unknown worms are given. At the end of the chapter there is an experiment conducted to validate the results. The authors took the required devices and performed the experiment. The experiments proved that the proposed results are true and, as proof, the graphs are given.

CHAPTER 4

JUSTIFICATION TO THE PROBLEM:

In the scientific article “signature-behaviour-based p2p worm detection method”, the authors proposed the detection method of worms in peer-to-peer networks. According to them worms can be detected based on the criteria of matching the characteristic string. They proposed method to detect worms in the network, but they didn’t propose any methods for defending the worms. For the security of the network, defending the worm in the network is as important as detecting it.

So, in this chapter of the dissertation, some mathematical methods are given to understand the propagation of worms, methods to detect the worms and mathematical methods to counterattack the worm. The rate of propagation of a worm in a peer-to-peer network is larger than in other networks. The reason is that, when a worm enters the network and hides at one node, it can easily get the information of the remaining nodes from the routing table of the infected node. The worm can then propagate to the neighbour nodes. So, when one node is infected by the worm, the probability of infecting the neighbouring nodes is very high. Worms have properties such as wide damage, fast propagation and deep concealment. Peer-to-peer networks are highly connected; hence these types of networks are complex and sensitive to worms. So, it is really very difficult to detect and defend against the worm in peer-to-peer networks.

4.1 PROPAGATION OF WORM IN PEER-TO-PEER NODES:

Peer-to-peer networks have a very large number of users across the world in real time. Hosts in the network are highly vulnerable and richly connected [25]. So, when a worm enters the network, it can propagate, spread all over the network and infect it easily. A worm enters the network because of flaws in the operating system or the application software. A worm propagates in a p2p network through the share mechanism [23,24]. As soon as a node in the network is infected, the worm will try to take charge of the network and infect the whole of it by launching itself into all the neighbours of the infected node [22]. This is illustrated with the help of an algorithm.

Suppose in the whole network, a node is vulnerable (can be infected easily).

  1. Assume that worm intruded and infected the node “a” in the network
  2. Worms will get the information of its neighbour from its routing table and selects some more nodes to infect them. This list of nodes is called hit-list E(P1,P2,….,P2)
  3. WHILE hit-list is not empty DO following action:
  4. Worms scans the operating system and the application software to find some flaws in nodes of the hit-list, E
  5. IF any vulnerable nodes are found in E THEN send worm and infect it.
  6. IF all the nodes in the hit-list i.e., E are scanned THEN get some more active neighbours to refresh the hit-list (E)
  7. END WHILE
  8. Also scan non-p2p vulnerable nodes in the surrounding regions of the node “a”.
  9. IF any vulnerable non-p2p hosts are found THEN launch attack and infect it.

4.2 QUANTITATIVE ANALYSIS OF ATTACKING THE WORM :

Let us assume that every node in the peer-to-peer network could be in any of the three states[20]. The three states are:

  • Vulnerable
  • Infected and
  • Immune

Vulnerable node is the node which can be attacked by the worm or ready to get infected. Infected node is the node which is already attacked and infected by the worm. And finally the immune node is that kind of node which cannot be attacked by the worm [21]. It is resistant to the worm attack.

When one node is infected by the worm in the network, it gathers the information or the ip addresses of all the remaining nodes in network and creates the list of vulnerable nodes. This is called the “HIT-LIST”.

In this section of the report, mathematical equations for the total number of infected nodes in both p2p and non p2p networks are given. For this, we assumed some parameters. The parameters are:

S----------Number of nodes which are infected in the network

F----------Number of nodes with flaw

NI----------   Number of newly added nodes which are infected at time “i”

n----------Number of nodes in P2P network

Λ----------Probability of infecting by worm

R----------Rate of worm scan

W----------Accuracy of alarm transferred by sentry nodes

Using these parameters the equation for number of newly infected nodes added at time “i” is given as:

NIP (i+1) = Fp(i) [(1 - 1/(n*Λ))R*S(i) - Q]  ---------- (1)

Where,

NIp(i+1) = number of newly infected nodes in p2p networks at time (i+1)

Fp(i) = number of nodes in the p2p networks with some flaws in it at time “i”

n = total number of nodes in p2p network

Λ = probability of infecting by the worm

R = scan rate of worm

S(i) = number of  nodes which are infected in the network at time “i”

According to this equation, total number of newly infected nodes depends on the number of nodes with some flaws in it, number of nodes that are already infected and scan rate of worm. If at time instant “i”, there are “F” number of nodes with some flaws in it and total number of nodes in the network is n, then the total number of nodes in the network that are scanned by the worm is (R * S(i)). Probability of number of nodes getting infected by the worm is (n*Λ). So the number of nodes infected by the time “i+1” is given in the equation (1). Equation (1) is used to determine the number of newly infected nodes added at time “i” in peer-to-peer networks only.

Q is the success rate of worm attack in peer-to-peer network and its value lies in between 0.5 to 1 i.e., 0.5 < Q < 1.

And the number of newly infected hosts added in time “i” in non p2p networks is given as

NINP(i+1) = FNP(i)[(1-1/N)R*S(i) – X] ---------- (2)

Where,

NINP(i+1) = number of newly infected nodes added to non-p2p network at time (i+1)

FNP(i) = number of nodes with some flaws in non-p2p network at time “i”

R = scan rate of worm

S(i) = number of nodes which are infected in non-p2p network at time “i”

N = total number of nodes in non-p2p network

This equation gives the total number of newly infected nodes added at time “i” in non-p2p networks

Where “X” is the success rate of worm attack in non peer-to-peer networks and its value lies in between 0.5 to 1 i.e., 0.5<X<1.

Using the equations (1) and (2), the author derived some more equations for the total number of nodes already infected in both peer-to-peer networks as well as non peer-to-peer networks. This is denoted by S(i) at time “i” and the total number of vulnerable nodes in both peer-to-peer and non peer-to-peer networks denoted by F(i) at time “i”.

SNP(i+1) = SNP(i)+NINP(i+1)

SP(i+1) = SP(i)+NIP(i+1)

S(i) = SP(i)+SNP(i)

F(i)=FP(i)+FNP(i)---------------- (3)

Where,

SP(i+1) = number of nodes already infected in p2p network at time “i+1”

SNP(i+1) = number of nodes already infected in non-p2p network at time “i+1”

FP(i+1) = number of nodes with some flaws in it in p2p network at time “i+1”

FNP(i+1) = number of nodes with some flaws in a non-p2p network at time “i+1”

SP(i) = number of nodes already infected in p2p network at time “i”

SNP(i) = number of nodes already infected in non-p2p network at time “i”

FP(i) = number of nodes with some flaws in p2p network at time “i”

FNP(i) = number of nodes with some flaws in non-p2p network at time “i”

S(i) = number of nodes which are infected in both p2p and non-p2p networks at time “i”

F(i) = number of nodes with some flaws in both p2p and non-p2p networks at time “i”

4.3 DESIGN OF WORM DEFENSE SYSTEM IN PEER-TO-PEER NETWORK:

It is really a difficult task for a single node to monitor all suspicious communications between the nodes. So, here a worm defence system with multiple-node cooperation and detection is designed. Based on the performance of the nodes, some nodes in the network are picked and treated as “commandant nodes”. The entire network is divided into many defence regions. Each defence region is managed by its elected commandant node. The remaining volunteering nodes in the region are called “sentry nodes”. The commandant node regularly sends its identity to its neighbour nodes in the network. Whenever a new node tries to join the p2p network, it must first learn its commandant node from the neighbours and join the region. In this way, any worm trying to intrude into the network can be detected and its counteracting worm can be triggered to defend against it. The main p2p networks do not have the worm detection system and the anti-worm. So, each commandant node should plug in this software. But here it is assumed that this software is installed by each of the defence nodes by default.

4.4 DETECTION METHOD OF P2P WORMS:

If any abnormal scans occur in the network, the sentry node will report this to the commandant node of the region. This can be resolved by understanding the various classes of worm attack [21]. The various classes of worm attack are abnormal communication of the nodes in the network, hacking of vulnerable nodes and abnormal scanning rates [26]. As soon as the worm detection alarm is reported to the commandant node by the sentry node, the commandant node confirms whether the worm attack has really occurred or not. When the attack is confirmed, the commandant node sends the information about the worm to other regions. Then the immunization mechanism starts in the entire network to save the network from worms.

The commandant node comes to know about the worm attack with the help of the report sent by the sentry node. The alarm sent by a sentry node cannot always be considered the decisive factor for a worm attack in the network. The commandant node will configure a detection sliding window by grouping many small detection sampling windows [26]. Depending on the time sequence information of the alarms sent by the sentry node, the commandant node calculates the tendency analysis report and compares it with the previously captured tendency of attack of the worm.

By combining the equations (1), (2) and (3), the new equation is derived for the alarm tendency.

Sp(i+1) = Sp(i) + Fp(i)[{1-1/(n* Λ)}R*S(i) – Q]

< Sp(i) + {Q – S/(n* Λ)}Sp(i)

  < Sp(i){1- S/(n* Λ)} -------------------------- (4).

Where,

Sp(i+1) = number of nodes which are infected in p2p network at time “i+1”

Sp(i) = number of nodes which are infected in p2p network at time “i”

Fp(i) = number of nodes with some flaws in it in a p2p network at time “i”

n = total number of nodes in p2p network

Λ = probability of infecting by worm

Q = success rate of worm attack in p2p networks.

R = scan rate of worm.

From this derived formula we can observe that there is no ratio relation between Sp(i+1) and Sp(i), and that the number of infected nodes, i.e. Sp(i), increases exponentially. A worm attack is taking place when the increase in worm alarms matches the tendency shown in equation (4).
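One way a commandant node could implement the sliding-window tendency check described in this section, as an added example that is not code from the cited article. The sampling-window length, the number of sampling windows per sliding window, the slope threshold and the minimum number of reporting sentries are assumptions, and the alarm streams are constructed.

```python
import math
from collections import namedtuple

# Added illustration; window sizes and thresholds are assumptions, not values from the page.
Alarm = namedtuple("Alarm", "t sentry")   # t: seconds since monitoring began


def bucket_alarms(alarms, sample_len):
    """Group alarms into consecutive sampling windows of sample_len seconds.
    Returns [(alarm count, set of reporting sentries)], empty windows included."""
    if not alarms:
        return []
    n_windows = int(max(a.t for a in alarms) // sample_len) + 1
    counts = [0] * n_windows
    sentries = [set() for _ in range(n_windows)]
    for a in alarms:
        k = int(a.t // sample_len)
        counts[k] += 1
        sentries[k].add(a.sentry)
    return list(zip(counts, sentries))


def growth_slope(counts):
    """Least-squares slope of ln(1 + count) against sampling-window index.
    Exponentially growing alarm counts give a steady positive slope."""
    m = len(counts)
    ys = [math.log1p(c) for c in counts]
    x_mean = (m - 1) / 2
    y_mean = sum(ys) / m
    num = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(ys))
    den = sum((x - x_mean) ** 2 for x in range(m))
    return num / den


def detect(alarms, sample_len=10.0, window=5, min_slope=0.45, min_sentries=3):
    """Slide a detection window made of `window` sampling windows over the alarms.
    An attack is confirmed when the alarm tendency is exponential AND the alarms
    come from several sentries, so one sentry's alarms are never decisive alone.
    Returns the index of the sampling window at which it is confirmed, or None."""
    buckets = bucket_alarms(alarms, sample_len)
    for end in range(window, len(buckets) + 1):
        recent = buckets[end - window:end]
        counts = [c for c, _ in recent]
        reporters = set().union(*(s for _, s in recent))
        if len(reporters) >= min_sentries and growth_slope(counts) >= min_slope:
            return end - 1
    return None


def make_alarms(counts_per_window, sentries, sample_len=10.0):
    """Constructed alarm stream: counts_per_window[k] alarms spread evenly inside
    sampling window k, reported by the given sentries in rotation."""
    out, i = [], 0
    for k, c in enumerate(counts_per_window):
        for j in range(c):
            t = k * sample_len + (j + 0.5) * sample_len / c
            out.append(Alarm(t, sentries[i % len(sentries)]))
            i += 1
    return out


# Constructed streams (not measurements):
BACKGROUND = make_alarms([1, 0, 1, 1, 0, 1, 1, 0, 1, 1], ["s1", "s2", "s3"])
NOISY_SENTRY = make_alarms([1, 2, 4, 8, 16], ["s7"])            # one sentry only
WORM = make_alarms([1, 0, 1, 1, 2, 4, 8, 16, 32], ["s1", "s2", "s3", "s4", "s5"])

if __name__ == "__main__":
    for name, stream in (("background", BACKGROUND),
                         ("noisy sentry", NOISY_SENTRY),
                         ("worm", WORM)):
        print(name, "-> confirmed at sampling window:", detect(stream))
```

The stream from a single noisy sentry has the same exponential tendency as the worm stream but is not confirmed, because its alarms come from one reporter only.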

4.5 COUNTERACTING STRATEGY TO ATTACK WORMS IN THE PEER-TO-PEER NETWORKS:

When the worm is detected in the network with the help of the detection mechanism, the commandant node will start the anti-worm program. In this program, the commandant node will send commands to all the sentry nodes. Then the sentry nodes will alert the infected nodes, help them install the software patches and make them immune to the worms.

If a node in a peer-to-peer network is immunized with probability Pi after the commandant node triggers the anti-worm program, and the number of infected nodes in the network is Sp(i), then the average rate of infection in the entire network is given by

Sp(i) / (n* Λ *W). 

Where,

Sp(i) = number of nodes which are infected in p2p network at time “i”

n = number of nodes in p2p network

Λ = probability of infecting by worm

W = accuracy of alarm transferred by sentry node to the commandant node.

If the rate of immunization is given by “I” and the number of sentry nodes in the network which are active is (n* Λ *W), then the number of nodes which are not yet infected but can be immunized with the help of anti-worm program at time “i” is given by the formula

n* Λ*I*[1-Sp(i)/(n* Λ *W )].

With the help of the formulas mentioned above, we can get the formulae for the immunization as

Fp(i+1)=Fp(i)-NIp(i+1)-n* Λ *I*[1-Sp(i)/(n* Λ *W) ] -------- (5)

Where,

FP(i+1) = number of nodes with some flaws in p2p network at time “i+1”

FP(i) = number of nodes with some flaws in p2p network at time “i”

NIP(i+1) = number of newly infected nodes added in p2p network at time “i+1”

n = total number of nodes in p2p network

Λ = probability of infecting by worm

SP(i) = number of nodes already infected in p2p network at time “i”

W = accuracy of alarm transferred to commandant node by sentry node.

As said earlier, the worm can also propagate to adjacent nodes which are not in the peer-to-peer network and infect them with the help of the routing tables in the infected node. So the number of non p2p nodes that can be immunized by the anti-worm program is given by Sp(i)/n* Λ *W. So,

Sp(i+1)=Sp(i)-NIp(i+1)-n*Λ*I*[Sp(i)/(n*Λ*W)] ---------- (6)

Where,

Sp(i+1) = number of nodes which are infected in the p2p network at time “i+1”

SP(i) = number of nodes which are infected in the p2p network at time “i”

NIP(i+1) = number of newly infected nodes added to p2p network at time “i+1”

n = total number of nodes in p2p network

Λ = probability of infecting by worm

W = accuracy of alarm transferred to commandant node by sentry nodes.

From the observation of equation (5) and equation (6) we can notice that with the increase in number of sentry nodes in the network Sp(i) and Fp(i) decreases simultaneously in peer-to-peer and non peer-to-peer networks.

Where SP(i) is the number of infected nodes in p2p network at time “i” and FP(i) is the number of nodes with flaws in p2p network.

These equations and calculations are validated by some simulations. For these simulations we need a PC with a P4 3.0 GHz processor and 2 gigabytes of memory. The Fedora Linux 9.0 operating system and the simulation software P2Psim3.5 are needed. A network with 10^6 peers is taken and divided into 10^3 regions. Initially, 100 sentry nodes are assigned in every region. The rate of addition of new nodes and the rate of removal of nodes from the network are set to 8%. The following graphs are obtained.

GRAPH 1: PROPAGATION OF SENTRY NODES ON RATE OF INFECTION OF WORM ON P2P NETWORKS

Graph 3: graph against propagation of sentry nodes against infection of worm

From this graph it is clear that as the number of sentry nodes in the network increases, the rate of infection of the worm decreases.

GRAPH 2: RATIO OF COMMANDANTS TO SENTRIES ON RATE OF INFECTION OF WORM IN P2P NETWORKS:

Graph 4: graph showing time of detection against propagation of infected nodes.

From this graph it is clear that the rate of infection of the worm increases rapidly in the beginning. When the worm infection is detected, the counterattack or anti-worm program is operated, so the rate of worm infection falls rapidly. In this graph we can also notice that the peak of the worm infection is very small when the ratio of commandant to sentry nodes is 1:60. The increase and decrease in the worm infection rate is almost the same in the remaining cases. But in the case of 1:20, the number of sentry nodes is very small, which means the commandant node takes some time until it receives the alerts from the sentries and starts the defence mechanism. Hence, the infection rate will be high for a certain amount of time until the anti-worm mechanism is operated by the commandant node.

4.6 SUMMARY:

In this chapter, an algorithm is given to understand the propagation of a worm in p2p nodes. By taking some parameters such as the number of nodes in the network, the number of infected nodes in the network, the number of nodes with flaws and the worm scan rate, equations are given to attack the worms. A worm defence system is also designed in this chapter. A mathematical method for detecting the worm that propagates in the network and a mathematical method for counterattacking the worm are also given. Finally, the results of the simulation are shown at the end of the chapter.

CHAPTER 5

CRITICAL APPRAISAL, RECOMMENDATIONS AND SUGGESTIONS FOR FURTHER WORK:

5.1 CRITICAL APPRAISAL:

My interest in networking made me choose networking as my major course in the M.Sc. This interest also made me choose the field of peer-to-peer networks for my research during my dissertation. I’ve chosen peer-to-peer networks, as they will play a major role in the future for file sharing. In this research I have followed two scientific articles. One is “signature-behaviour based p2p worm detection approach” by Yu Yao, Fu-xiang Gao, Yong Li and Ge Yu. The other is “Research on Intrusion and Defence of P2p worm” by Lu Chuiwei. Both articles are related to worms in peer-to-peer networks and the methods to detect and defend against worms in the network. Worms will always affect the performance and efficiency of the network.

In the first article the author has given the method of detecting the worms in p2p networks as well as the worms in non-p2p networks. He detected the p2p worms based on characteristic string matching. He has chosen the feature library with some known worms and matched them with the characteristic string of the worm. If it is matched, then the worm is detected. He has given the suffix-array algorithm for performing this. There are several problems with this. Firstly, if a worm exists in the network and it does not match the feature library, then it is not caught. Even if it is caught later based on its behaviour, by that time it will have replicated itself into more copies and propagated all over the network. Secondly, in this article the author has not given any methods for counterattacking the worm; he just gave the methods to detect the worms. Thirdly, he was not clear about the method of detecting non-p2p worms.

In the second article the author has taken some parameters, such as the number of infected nodes, the number of nodes with flaws, the rate of worm scan, the number of newly infected nodes, the number of nodes in the p2p network and the accuracy of the alarm transferred, and has given equations for detecting the worms and counterattacking them. In this article the author also discussed the need to detect worms in the networks surrounding the p2p network and also gave a mathematical method to detect and defend against them. He has given the equations by assuming that every node in the p2p network is in one of three states, i.e. vulnerable, infected or immune, and taken them at a time instant “i”. He didn’t mention how it can be implemented practically. According to his methods, we get accurate results only when the values for all the parameters are given correctly; otherwise the results will be wrong. His methods are a little complicated. People with little mathematical background couldn’t understand his methods. Worms in the network surrounding the peer-to-peer network can easily enter the network. So, there is a need to detect and defend against the worms in the surrounding network as well.

5.2 FURTHER WORK:

During this research I felt more excited by knowing different things about worms, their behaviour, how they affect networks and the need to defend against them in the network. In further work I will do more research on detection methods for worms and also on methods to defend against worms that propagate in peer-to-peer networks. All the methods proposed above are used after the network has been infected. It would be really helpful for the network if there were some methods which prevent the worm from entering the network. Worms enter the network through loopholes in the network or in the software used by the nodes. So it is better to solve this problem and prevent the worm from entering the network. In future,

  • I will try to improve the efficiency of the methods I proposed.

  • I will try to find the methods for detecting the worms in the surrounding networks of the peer-to-peer network.

  • I will try to decrease the time taken by the methods to detect the worms in the network.

CHAPTER 6

CONCLUSION:

Peer-to-peer networks have many security issues. The worm is a major threat to peer-to-peer networks. In this report, some parameters are taken, such as the number of nodes in the p2p network, the number of infected nodes in the network, the number of newly added infected nodes, the worm scan rate etc., and some mathematical methods are proposed to estimate the propagation of a worm in the network. Some defence systems are also defined in this report. The whole network is divided into many small regions. Each region is monitored by a special node called the “commandant node”. The remaining nodes in the region are called “sentry nodes”. Sentry nodes alert the commandant node if there is any worm intrusion in the network. The commandant node will start the anti-worm program. This report also proposes a mathematical method for the detection and the defence strategies against worms. All the mathematical methods are validated by performing some simulations. From the results of the simulations it is proved that this method is highly efficient and accurate in detecting the p2p worms and defending against them.

1. ABSTRACT:

Peer-to-peer networking is an upcoming trend in networks and has become popular for file sharing these days. Because of the complications in the network, there are many security issues in peer-to-peer networks. Worms are a serious security threat to p2p networks. Because of some loopholes in the network, a worm can intrude, propagate and affect the efficiency of the network. So, this paper proposes some strategies to resolve this issue. Taking some parameters, a strategy is given in this report for how a worm propagates, how it can be detected and how it can be counterattacked.

CTPP04N

Security issues in peer-to-peer networks

2. INTRODUCTION:

A peer-to-peer network, abbreviated as p2p network, is an upcoming trend in networks. Due to the complexities in the network, there are many security issues in p2p networks. Worms are a serious threat to p2p networks. They intrude into the networks and affect their efficiency. This was first detected by Robert T Morris in 1988 [8]. This article contains mathematical models to determine the propagation of a worm in the network, to detect the propagation of the worm and to defend against it to retrain the system from attack. The mathematical equations are framed by considering some parameters such as the total number of nodes in the network, the number of nodes already affected by the worm, the scan rate of the worm, etc. Initially, the entire network is divided into small regions. Every region is assigned a “commandant node” and “sentry nodes”. The commandant node monitors the region. When any new node tries to enter the region, it should first be known to the commandant node. It contains the anti-worm program. If a new node contains any worm or malicious program, it will be scanned and defended.

3. RELEVANT WORK DONE BY THE OTHERS :

Many people have proposed solutions to this problem. First, Zhou L gave a solution to the p2p worm, and he observed that the propagation of a worm in a p2p network is very fast compared to other networks [1]. Jayanthkumar performed some simulations on worm propagation from an infected node to other nodes [2]. Wei Yu researched the behaviour of worms in p2p networks [3]. In my research I found one more interesting method of detecting worms in the peer-to-peer network. This is indeed a special method of detecting worms in the network, because the authors Yu Yao, Yong Li, Fu-xiang Gao and Ge Yu, in their paper titled “A Signature-behaviour-based P2P worm detection approach”, proposed a mechanism for detecting the known worms in peer-to-peer networks based on characteristic string matching. Worms make use of vulnerabilities in the network and spread.

4. WORM PROPAGATION IN THE NETWORK:

Worm propagation is illustrated with the help of an algorithm.

Suppose in the whole network, a node is vulnerable (can be infected easily).

  1. Assume that worm intruded and infected the node “a” in the network

  2. Worms will get the information of its neighbour from its routing table and selects some more nodes to infect them. This list of nodes is called hit-list E(P1,P2,….,P2)

  3. WHILE hit-list is not empty DO following action:

  4. Worms scans the operating system and the application software to find some flaws in nodes of  the hit-list, E

  5. IF any vulnerable nodes are found in E THEN send worm and infect it.

  6. IF all the nodes in the hit-list i.e., E are scanned THEN get some more active neighbours to refresh the hit-list (E)

  7. END WHILE

    Also scan non-p2p vulnerable nodes in the surrounding regions of the node “a”.

    IF any vulnerable non-p2p hosts are found THEN launch attack and infect it.

When one node is infected by the worm in the network, it gathers the information or the ip-addresses of all the remaining nodes in network and creates the list of vulnerable nodes. This is called the “HIT-LIST” [4].

In this section of the report, mathematical equations for the total number of infected nodes in both p2p and non p2p networks are given. For this, we assumed some parameters. The parameters are:

S----------Number of nodes which are infected in the network

F----------Number of nodes with flaw

NI----------Number of newly added nodes which are infected at time “i” [5]

n----------Number of nodes in P2P network

Λ----------Probability of infecting by worm

R----------Rate of worm scan

W----------Accuracy of alarm transferred by sentry nodes

Using these parameters the equation for number of newly infected nodes added at time “i” is given as:

NIP (i+1) = Fp(i) [(1 - 1/(n*Λ))R*S(i) - Q]  --- (1)

Where,

NIp(i+1) = number of newly infected nodes in p2p networks at time (i+1)

Fp(i) = number of nodes in the p2p networks with some flaws in it at time “i”

n = total number of nodes in p2p network

Λ = probability of infecting by the worm

R = scan rate of worm

S(i) = number of  nodes which are infected in the network at time “i”

According to this equation, total number of newly infected nodes depends on the number of nodes with some flaws in it, number of nodes that are already infected and scan rate of worm. If at time instant “i”, there are “F” number of nodes with some flaws in it and total number of nodes in the network is n, then the total number of nodes in the network that are scanned by the worm is (R * S(i)). Probability of number of nodes getting infected by the worm is (n*Λ). So the number of nodes infected by the time “i+1” is given in the equation (1). Equation (1) is used to determine the number of newly infected nodes added at time “i” in peer-to-peer networks only.

Q is the success rate of worm attack in peer-to-peer network and its value lies in between 0.5 to 1 i.e., 0.5 < Q < 1.

And the number of newly infected hosts added in time “i” in non p2p networks is given as

NINP(i+1) = FNP(i)[(1-1/N)R*S(i) – X] ---------- (2)

This equation gives the total number of newly infected nodes added at time “i” in non-p2p networks

Where “X” is the success rate of worm attack in non peer-to-peer networks and its value lies in between 0.5 to 1 i.e., 0.5<X<1.

Using the equations (1) and (2), the author derived some more equations for the total number of nodes already infected in both peer-to-peer networks as well as non peer-to-peer networks. This is denoted by S(i) at time “i” and the total number of vulnerable nodes in both peer-to-peer and non peer-to-peer networks denoted by F(i) at time “i”.

SNP(i+1) = SNP(i)+NINP(i+1)

SP(i+1) = SP(i)+NIP(i+1)

S(i) = SP(i)+SNP(i)

F(i)=FP(i)+FNP(i)---------------- (3)

4.1 DESIGN OF WORM DEFENSE SYSTEM IN PEER-TO-PEER NETWORK:

The entire network is divided into small regions. Each region is assigned a “commandant node”. It monitors all other nodes in the network. The remaining nodes are called “sentry nodes”. When a new node enters, it should first learn its commandant node from the sentry nodes.

4.2 DETECTION METHOD OF P2P WORMS:

The commandant node comes to know about the worm attack with the help of the report sent by the sentry node. The alarm sent by a sentry node cannot always be considered the decisive factor for a worm attack in the network. The commandant node will configure a detection sliding window by grouping many small detection sampling windows [6]. Depending on the time sequence information of the alarms sent by the sentry node, the commandant node calculates the tendency analysis report and compares it with the previously captured tendency of attack of the worm [7].

By combining the equations (1), (2) and (3), the new equation is derived for the alarm tendency.

Sp(i+1) = Sp(i) + Fp(i)[{1-1/(n* Λ)}R*S(i) – Q]

< Sp(i) + {Q – S/(n* Λ)}Sp(i)

< Sp(i){1- S/(n* Λ)} --------------- (4).

From this derived formula we can observe that there is no ratio relation between Sp(i+1) and Sp(i), and that the number of infected nodes, i.e. Sp(i), increases exponentially. A worm attack is taking place when the increase in worm alarms matches the tendency shown in equation (4).

4.3 COUNTERACTING STRATEGY TO ATTACK WORMS IN THE PEER-TO-PEER NETWORKS:

When the worm is detected in the network with the help of the detection mechanism, the commandant node will start the anti-worm program. In this program, the commandant node will send commands to all the sentry nodes. Then the sentry nodes will alert the infected nodes, help them install the software patches and make them immune to the worms.

If a node in a peer-to-peer network is immunized with probability Pi after the commandant node triggers the anti-worm program, and the number of infected nodes in the network is Sp(i), then the average rate of infection in the entire network is given by

Sp(i) / (n* Λ *W). 


If the rate of immunization is given by “I” and the number of sentry nodes in the network which are active is (n* Λ *W), then the number of nodes which are not yet infected but can be immunized with the help of anti-worm program at time “i” is given by the formula

n* Λ*I*[1-Sp(i)/(n* Λ *W )].

With the help of the formulas mentioned above, we can get the formulae for the immunization as

Fp(i+1)=Fp(i)-NIp(i+1)-n* Λ *I*[1-Sp(i)/(n* Λ *W) ] -------- (5)

As it is said earlier the worm can also propagate to the adjacent nodes which are not present in the peer-to-peer network and infect them with the help of routing tables in the infected node. So the number of non p2p nodes that can be immunized by the anti-worm program is given by the

Sp(i)/n* Λ *W. So,

Sp(i+1)=Sp(i)-NIp(i+1)-n*Λ*I*[Sp(i)/(n*Λ*W)] ---------- (6)

From the observation of  equation (5) and equation (6) we can notice that with the increase in number of sentry nodes in the network Sp(i) and Fp(i) decreases simultaneously in peer-to-peer and non peer-to-peer networks.

Where SP(i) is the number of infected nodes in p2p network at time “i” and FP(i) is the number of nodes with flaws in p2p network.

4.4 RESULTS AND ANALYSIS:

These equations and calculations are validated by some simulations. For these simulations we need a PC with a P4 3.0 GHz processor and 2 gigabytes of memory. The Fedora Linux 9.0 operating system and the simulation software P2Psim3.5 are needed. A network with 10^6 peers is taken and divided into 10^3 regions. Initially, 100 sentry nodes are assigned in every region. The rate of addition of new nodes and the rate of removal of nodes from the network are set to 8%. The following graphs are obtained.

GRAPH 1: PROPAGATION OF SENTRY NODES ON RATE OF INFECTION OF WORM ON P2P NETWORKS

Graph 3: graph against propagation of sentry nodes against infection of worm

From this graph it is clear that as the number of sentry nodes in the network increases, the rate of infection of the worm decreases.

GRAPH 2: RATIO OF COMMANDANTS TO SENTRIES ON RATE OF INFECTION OF WORM IN P2P NETWORKS:

Graph 4: graph showing time of detection against propagation of infected nodes.

From this graph it is clear that the rate of infection of the worm increases rapidly in the beginning. When the worm infection is detected, the counterattack or anti-worm program is operated, so the rate of worm infection falls rapidly. In this graph we can also notice that the peak of the worm infection is very small when the ratio of commandant to sentry nodes is 1:60. The increase and decrease in the worm infection rate is almost the same in the remaining cases. But in the case of 1:20, the number of sentry nodes is very small, which means the commandant node takes some time until it receives the alerts from the sentries and starts the defence mechanism. Hence, the infection rate will be high for a certain amount of time until the anti-worm mechanism is operated by the commandant node.

5. CONCLUSION:

Peer-to-peer networks have many security issues, and worms are a major threat to them. In this report, parameters such as the number of nodes in the p2p network, the number of infected nodes in the network, the number of newly added infected nodes and the worm scan rate are used, and mathematical methods are proposed to estimate the propagation of a worm in the network. Some defence systems are also defined in this report. The whole network is divided into many small regions. Each region is monitored by a special node called the “commandant node”; the remaining nodes in the region are called “sentry nodes”. Sentry nodes alert the commandant node if there is any worm intrusion in the network, and the commandant node then starts the anti-worm program. This report also proposes a mathematical method for the detection of worms and for defence strategies against them. All the mathematical methods are validated by simulation. The results of the simulations prove that this method is highly efficient and accurate in detecting p2p worms and defending against them.
