1. Field of the Invention
The present invention relates to a P2P traffic management apparatus and method, and more particularly, to detecting and controlling harmful P2P traffic on the basis of a cooperation model between a P2P security gateway and a P2P flow agent. The model recognizes encrypted packets exchanged through a peer-to-peer (hereinafter, simply referred to as P2P) application service or application program on a network, and selectively passes, intercepts, and controls P2P traffic according to a domain policy based on a determination of whether the information is harmful or illegal.
This work was supported by the IT R&D program of MIC/IITA [2005-S-090-03, Development of P2P Network Security Technology based on Wired/Wireless IPv6 Network].
2. Description of the Related Art
An existing P2P network has been researched and used as a technical means that uses distributed computing resources (computers or logical resources, such as files and software) and enables easy sharing of multimedia resources, such as files, music, and moving pictures. Such sharing is provided by file-sharing services such as Napster, BearShare, LimeWire, Morpheus, Winee, Pruna, and eDonkey on the commercial side, or Gnutella, Kazaa, BitTorrent, Pastry, and Chord on the research side. The P2P network is supported by many people and attracts subscribers universally. Further, the P2P network is used to construct large-scale computing systems from various distributed resources, such as processor cycles, storage space, and databases, for experimental purposes such as SETI@home.
However, in recent years, P2P frameworks that provide a hybrid P2P architecture (a pure P2P architecture that also includes a server) have been used to deliver a P2P VoIP service, such as the Kazaa-based SKYPE, and a P2P streaming service, such as JOOST, which represents the next-generation TV, through the Internet. Accordingly, it is increasingly necessary to revise the perception of the P2P network application, which has so far been regarded as a means of sharing music files in MP3 format or of providing a messaging service.
As such, P2P application services or application programs may be generally defined as network applications that communicate with each other using a P2P network protocol, that participate in a network composed of peers each serving as both a client and a server, or that operate on the basis of a P2P framework, such as JXTA of Sun Microsystems. The P2P application services or application programs may be used for various purposes, such as file sharing, VoIP, moving picture streaming, and distributed computing, according to the application objective and the network scale.
In P2P application services or application programs, a computer that participates in a P2P network is, depending on the circumstances, called a node, a peer, or a host, without distinguishing among the terms used in the existing computer science or networking fields. However, it is preferable that the computer be referred to as the peer, because a characteristic of P2P technology is that each computer performs both functions, providing and using a service, without a central server.
The P2P network is exposed not only to the security vulnerabilities that may be considered in an existing distributed computing environment (man-in-the-middle attack, denial of service, insertion of viruses, worms, spyware, and spamming) but also to security requirements unique to the P2P network (white washing, ID spoofing, Sybil attack, Eclipse attack, storage and retrieval attack, and privacy violation). The latter arise from the free participation and withdrawal of peers, the unlimited generation of new IDs at low cost, and the absence of a peer identifier verification structure.
However, the most severe security risk in the P2P network may be the result of the circulation of large volumes of P2P traffic (in particular, in P2P networks used to share files). P2P file-sharing networks have developed so rapidly that their traffic occupies 60 to 80% of the total amount of network traffic. In a 2007 report, Cisco Systems Inc. anticipated that the amount of P2P traffic in 2011 will be at least four times the current amount. This means that most of the network equipment constituting the Internet consumes a large part of its processing capability on P2P network traffic. Due to the increase in the amount of network traffic, network bottlenecks or congestion occur frequently. It has been reported that most Internet service providers (ISPs) incur large costs due to P2P traffic processing. If the number of P2P users increases and a large number of application services are provided on the basis of the P2P network, the problem will become more severe.
In particular, in recent years, application services and application programs using a P2P network have been forming a new content circulation structure, or content delivery network. As a result, security requirements, such as detection and prevention of the circulation of illegal materials, the propagation of secret materials, and the transmission of attached files containing malicious code, have increased, and P2P technology is actively used as a basic network model for performing various application services. Consequently, it is anticipated that the share of Internet traffic attributable to P2P will increase as compared with the related art, and thus a security countermeasure is needed.
With regard to these problems, as a heuristic scheme for resolving traffic congestion or bottlenecks caused by a general network application service, a "methodology based on traffic volume threshold and time threshold" has been applied to network equipment (firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS)). In the case of the P2P network, the technology standards (protocols or frameworks) and the network states that arise when a service is actually operated vary greatly, and thus this methodology is not preferable as a method of detecting harmful P2P traffic, or of recognizing and controlling a P2P application service.
Methodologies for selectively detecting and controlling network traffic may be classified into six methodologies, including the one described above. In commercially used network security equipment, such as current IDS and IPS products, attempts have been made to adopt a "signature", or a methodology similar to a signature, to shut down a P2P network.
First, a description is given of the packet inspection methodology. The packet inspection methodology may be divided into "stateless packet inspection" and "stateful packet inspection". In stateless packet inspection, each inflowing packet is judged individually on the basis of a specific header field value or service port. Since the packets are judged individually, a network anomaly that can be determined only by combining a plurality of packets cannot be detected, and the method is vulnerable to port shifting and random ports, which are frequently used by P2P application services. Stateful packet inspection is a method in which traffic passing through network equipment is inspected on the basis of a signature that is generated in advance through work such as reverse engineering or analysis of the protocol standard, so that specific network traffic can be discriminated. In order to compare the signature database with the inflowing packets, both the headers and the payload of the packets need to be checked (even if the comparison is performed only at layer 7). As a result, a large amount of overhead is generated in the network equipment. Furthermore, a separate signature is required for each network application service, and a large amount of time and cost is spent in the analysis process that generates a single signature.
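The two inspection styles above can be contrasted on a few constructed packets. The following Python is an added illustration, not code from the patent: a stateless check that looks only at the service port, and a stateful inspector that reassembles each flow's payload and matches it against a signature set. The watched port, the plaintext handshake signature, and the packets themselves are all assumed example values; the point is that a port-shifted flow is missed by the stateless check but still caught by the stateful one, while a flow whose payload is encrypted matches neither, which is the limitation the text describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Packet:
    """One constructed packet: transport ports plus raw payload bytes."""
    src_port: int
    dst_port: int
    payload: bytes

# Hypothetical service port a stateless rule would associate with a file-sharing
# application (assumed value, not from the patent).
WATCHED_PORTS = {6881}

# Hypothetical signature database: a plaintext handshake prefix a signature
# analyst might have extracted. The byte string is an assumed example.
SIGNATURES: Dict[str, bytes] = {"demo-handshake": b"\x13DEMO protocol"}

def stateless_inspect(pkt: Packet) -> bool:
    """Judge a single packet from header fields only; no memory of other packets."""
    return pkt.src_port in WATCHED_PORTS or pkt.dst_port in WATCHED_PORTS

class StatefulInspector:
    """Reassemble payload per flow (keyed on the port pair) and match signatures."""

    def __init__(self) -> None:
        self.buffers: Dict[Tuple[int, int], bytes] = {}

    def feed(self, pkt: Packet) -> Optional[str]:
        key = (pkt.src_port, pkt.dst_port)
        buf = self.buffers.get(key, b"") + pkt.payload
        self.buffers[key] = buf
        for name, sig in SIGNATURES.items():
            if sig in buf:  # a signature split across packets still matches
                return name
        return None

def evaluate(flow: List[Packet]) -> Dict[str, object]:
    """Run both inspectors over one flow and report what each concluded."""
    stateful = StatefulInspector()
    stateless_hit = any(stateless_inspect(p) for p in flow)
    stateful_hit: Optional[str] = None
    for p in flow:
        stateful_hit = stateful.feed(p) or stateful_hit
    return {"stateless": stateless_hit, "stateful": stateful_hit}

# Constructed flows. FLOW_DEFAULT_PORT uses the watched port; FLOW_SHIFTED has
# moved to an arbitrary high port (port shifting) and its handshake is split over
# two packets; FLOW_ENCRYPTED carries opaque bytes standing in for ciphertext.
FLOW_DEFAULT_PORT = [Packet(51000, 6881, b"\x13DEMO protocol hello")]
FLOW_SHIFTED = [Packet(51001, 40000, b"\x13DEMO pro"),
                Packet(51001, 40000, b"tocol hello")]
FLOW_ENCRYPTED = [Packet(51002, 40001, bytes(range(0x9f, 0xb0)))]

if __name__ == "__main__":
    for name, flow in (("default port", FLOW_DEFAULT_PORT),
                       ("port shifted", FLOW_SHIFTED),
                       ("encrypted", FLOW_ENCRYPTED)):
        print(name, evaluate(flow))
```

The stateful inspector has to keep a per-flow buffer and scan it on every packet, which is the overhead the passage refers to; in a real appliance that buffer would be bounded and expired, which this illustration omits.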
Packet inspection is based on a regular pattern, whereas a heuristic methodology is based on the operating characteristics of a network application service or on the behavior of the traffic it generates. The heuristic methodology may be classified into two methods, "flow level behavior" and "transaction level behavior". In flow level behavior, specific P2P traffic is detected on the basis of experimental statistics, such as the averages, distributions, and deviations of the inter-arrival time, inter-packet difference, flow duration, and packet size of the packets. In transaction level behavior, a characteristic is extracted from the transitions of an attribute of each packet, such as the packet size or flow direction, to recognize P2P traffic. However, under these two heuristic methodologies, statistics suitable for P2P traffic detection can be extracted only if the P2P network is large, the monitoring period is long, or a large number of geographically distributed peers are tested, and the network state varies considerably according to the unpredictable behavior patterns of the peers that constitute the network. As a result, it is difficult to guarantee P2P traffic detection. These methodologies have technical leadership, but have only been exemplified in documented research on small P2P networks performed by some researchers. For this reason, their effectiveness still needs to be verified actively and systematically, and their application to commercially used network equipment is not considered.
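To make the flow level behavior method concrete, the following Python is an added example, not code from the patent: it computes the flow features the text names (inter-arrival time, flow duration, packet size) over two constructed packet traces and applies a hypothetical threshold rule to them. The traces, the feature thresholds, and the label "bulk transfer" are all assumed for illustration; real thresholds would have to come from the kind of large-scale measurement the passage says is still lacking. Note that nothing here reads the payload, which is why this class of method is unaffected by encryption but also why it can only ever see the external shape of a flow.

```python
import statistics
from typing import Dict, List, Tuple

# A trace is a list of (timestamp_ms, size_bytes) for the packets of one flow.
Trace = List[Tuple[int, int]]

def flow_features(trace: Trace) -> Dict[str, float]:
    """Flow-level statistics: duration, inter-arrival time, and packet size moments."""
    if len(trace) < 2:
        raise ValueError("need at least two packets to form an inter-arrival time")
    times = [t for t, _ in trace]
    sizes = [s for _, s in trace]
    iat = [b - a for a, b in zip(times, times[1:])]  # inter-arrival times (ms)
    return {
        "packets": len(trace),
        "duration_ms": times[-1] - times[0],
        "mean_iat_ms": statistics.mean(iat),
        "stdev_iat_ms": statistics.pstdev(iat),
        "mean_size": statistics.mean(sizes),
        "stdev_size": statistics.pstdev(sizes),
    }

def looks_like_bulk_transfer(f: Dict[str, float]) -> bool:
    """Hypothetical threshold rule (assumed values, not from the patent):
    large, uniform packets arriving at a regular cadence suggest a bulk transfer
    such as file sharing, as opposed to bursty small-packet interactive traffic."""
    regular_cadence = f["stdev_iat_ms"] <= 0.5 * f["mean_iat_ms"]
    large_packets = f["mean_size"] >= 1000
    return regular_cadence and large_packets

# Constructed trace 1: 100 full-size packets every 10 ms, like a steady download.
BULK_TRACE: Trace = [(10 * i, 1400) for i in range(100)]

# Constructed trace 2: a few small packets at irregular intervals, like a chat.
INTERACTIVE_TRACE: Trace = [(0, 60), (500, 90), (520, 60), (3000, 120), (3010, 60)]

def classify(trace: Trace) -> str:
    """Convenience wrapper returning the label the rule assigns to a trace."""
    return "bulk-transfer" if looks_like_bulk_transfer(flow_features(trace)) else "other"

if __name__ == "__main__":
    for name, tr in (("bulk", BULK_TRACE), ("interactive", INTERACTIVE_TRACE)):
        print(name, flow_features(tr), "->", classify(tr))
```

Because the rule depends entirely on tuned thresholds, its error rate tracks how representative the measurement data was; a peer that changes its sending pattern, or a network whose latency profile differs from the one measured, shifts every statistic at once, which is the fragility the passage attributes to this method.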
As the sixth methodology, fragmentary detection rules based on "peer behavior" (in particular, the size of UDP packets, the number of connections, and the connection method (IP addresses and number of ports)) have been suggested. However, no preferred embodiment of this methodology exists, and as a result, no clear detection results produced by an embodiment exist either.
For reference, each of the above-described methodologies may be merged with the others and individually extended to include a heuristic characteristic. Technical distinctions and definitions may also be drawn in other ways.
However, none of the above-described methodologies can provide universally stable and meaningful P2P traffic detection, because most commercially used P2P networks follow different technical standards and vary at the time of operation. In particular, encrypted P2P packets have become the main reason why it is difficult to detect P2P traffic or a P2P application service. In general, P2P application services such as SKYPE, BitTorrent, and JOOST follow technical standards under which all data packets, including control or signaling packets, are encrypted before transmission. For this reason, simple matching methods or methodologies that depend on a standardized pattern cannot inspect the packets, and it is thus difficult to discriminate P2P traffic. A methodology based on experimental heuristics lacks verification of its effectiveness over a large number of experimental examples, and analyzes only the external characteristics or type of a fragmentary packet transmission rather than analyzing the payload directly. No embodiments of such a methodology have been suggested.
In consideration of the above-described problems, most of the existing methods, except for the methodology based on peer behavior, analyze the packets on the network and control the inflow of the traffic. Accordingly, as a main method of controlling P2P traffic, only a specific methodology, such as "a model based on interaction between peers and network equipment", will be able to detect encrypted P2P packets and control them.