DETECTION OF PEER TO PEER APPLICATIONS




AN OPSWAT WHITE PAPER
Author: Priti Dadlani
Contributors: Benny Czarny, Steven Ginn, Toshit Antani
April 2008
OPSWAT, INC. www.opswat.com

CONTENTS
Introduction
Methods of Detecting P2P Applications
  Network Based Detection
  Client Based Detection
  Client Behavioral Detection
About OPSWAT

INTRODUCTION:
A peer to peer (P2P) application, such as BitTorrent, Kazaa, Napster, etc., is software where clients communicate directly with each other over a common network. The application acts both as the client and as the server. A common use case of a P2P application is file sharing.

Simple file sharing has raised a lot of controversy and questions challenging the usage of P2P applications. One issue that has been raised is the legality of file sharing: many files shared between clients do not have the authorization of the copyright owner, making their transfer illegal. The bandwidth consumption of P2P applications has also caused network delays for users. Computers running P2P applications are also vulnerable to data leaks, simply because important information can easily be transferred over a network that may not be tracked or monitored. P2P applications have caused concern among network administrators, forcing them to prevent P2P applications from gaining network access.

This document outlines two technologies for detecting P2P applications: client based and network based.

METHODS OF DETECTING P2P APPLICATIONS:
Security vendors use various methods to detect P2P technology; below are two common methods that are currently used.

Network Based Detection
Some P2P applications communicate and function through a common port, a common protocol, or a common traffic pattern. A network based approach uses both network sniffing and network scanning. Network sniffing looks for P2P traffic patterns and packets. Network scanning looks for common ports or protocols that may be open. These methods are useful for detecting P2P applications such as Piolet. Piolet is an executable which can be dropped and run from anywhere; it requires no installation and leaves no footprint behind. An administrator is able to watch the network traffic and determine whether an application like Piolet is in use.

Network scanning or sniffing for certain P2P patterns has its limitations. Newer P2P applications use what is called anonymous P2P technology. The networks used by these anonymous P2P applications (Winny, Imule, Rodi, etc.) carry no identifiers, and the IP addresses of the networks are encrypted. This makes it almost impossible for P2P traffic to be traced and identified.
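As an added example that is not part of the white paper, the Python below runs the three network checks described above (handshake sniffing, common-port scanning, and a peer fan-out traffic pattern) over constructed flow records; the port list and the fan-out threshold are assumptions, and the last flow shows why encrypted anonymous traffic goes unseen.

```python
from collections import defaultdict

# Constructed sample flows, not real captures: (src_ip, dst_ip, dst_port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6881, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.5", "203.0.113.11", 51413, b"\x13BitTorrent protocol" + b"\x00" * 8),
    ("10.0.0.5", "203.0.113.12", 40001, b"\x00\x00\x00\x0d\x06"),
    ("10.0.0.5", "203.0.113.13", 40002, b"\xa3\x91\x10\x7f"),
    ("10.0.0.7", "198.51.100.1", 443, b"\x16\x03\x01\x00\xa5\x01"),  # TLS ClientHello from a browser
    ("10.0.0.9", "198.51.100.2", 443, b"\x9f\x02\x77\xc1\x3e"),      # anonymous P2P: encrypted, no identifiers
]

# Legacy default BitTorrent listening range, used here as the "common port" list
# (assumption: a real watchlist would be larger and vendor-specific).
COMMON_P2P_PORTS = set(range(6881, 6890))
# BitTorrent peer-wire handshake: a 0x13 length byte followed by the protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
# Traffic-pattern heuristic (assumption): one client talking to this many distinct peers looks like a swarm.
PEER_FANOUT_THRESHOLD = 4


def payload_signature_hits(flows):
    """Sniffing: flows whose first bytes match a known P2P handshake."""
    return [(s, d, p) for s, d, p, payload in flows if payload.startswith(BT_HANDSHAKE)]


def common_port_hits(flows):
    """Scanning-style check: flows towards ports commonly used by P2P clients."""
    return [(s, d, p) for s, d, p, _ in flows if p in COMMON_P2P_PORTS]


def fanout_hits(flows, threshold=PEER_FANOUT_THRESHOLD):
    """Traffic pattern: sources with an unusually large number of distinct peers."""
    peers = defaultdict(set)
    for s, d, _, _ in flows:
        peers[s].add(d)
    return sorted(s for s, ds in peers.items() if len(ds) >= threshold)


def detect(flows):
    """Per-source verdict from the three network checks. A single encrypted flow carrying
    no identifiers (10.0.0.9) trips none of them, which is the limitation described above."""
    suspects = set()
    suspects.update(s for s, _, _ in payload_signature_hits(flows))
    suspects.update(s for s, _, _ in common_port_hits(flows))
    suspects.update(fanout_hits(flows))
    return sorted(suspects)
```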

Client Based Detection
Client based detection is typically performed by analyzing the footprint that the P2P application leaves behind. This includes the registry keys installed, the binary files installed, the MD5 signature of the running process, and the name of the running process. With client based detection it is easy to take remediation actions against the P2P application: administrators can prevent the application from being run and can even monitor the files that are being transferred. This method can also detect anonymous P2P applications by using the footprint they leave behind. RShare is an example of a P2P application that anonymizes and encrypts the network traffic it uses; detection of this application can be based on the registry information that gets installed or on the running processes.

Unfortunately, a disadvantage of this method is that the P2P application's footprint can be tampered with. A user can easily delete the product's installed registry keys, rename the executable, or change the MD5 signature to spoof something safe and reliable, once again leaving network administrators unaware that a P2P application is running and in use.

Client Behavioral Detection
Every P2P application's executable contains a binary representation of the instructions it needs in order to run correctly. Behavioral detection of P2P applications tracks execution patterns and specific code patterns, such as state machines, protocols, and/or network activity. By using assembly based binary signatures together with other behavior of the application (ports opened, files being accessed, and other techniques), security software can identify whether or not an executable in question is a P2P application. By enumerating all the running processes and monitoring their behavior, it is possible to detect a P2P application disguising itself as a valid executable such as notepad.exe.

Winny is an example of an anonymous P2P application that leaves no footprint behind. Network based and pure client based detection would not be able to detect a product like this. Analyzing the assembly signature of the executable and monitoring how the application behaves could give an administrator insight into whether this product is running. There are of course drawbacks to this method of detection: the application must be analyzed on the endpoint, and behavioral detection can make it difficult to guarantee a certain level of performance.
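As an added example (not OPSWAT's code), the Python below models the footprint checks of the Client Based Detection section beside the behavioral checks of the Client Behavioral Detection section, run over a constructed process table; the process name p2pclient.exe, the byte pattern P2P-HELLO/1.0 and the shared folder path are hypothetical. It shows the tampering problem described above: a rename defeats the name check, a one-byte patch defeats the MD5 check, and only the code-pattern and behavior checks survive both.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Process:
    name: str
    image: bytes                                    # executable bytes as read from disk
    listen_ports: set = field(default_factory=set)
    files_touched: set = field(default_factory=set)

# Constructed stand-ins for binaries. The embedded string plays the role of a protocol constant
# the real P2P code would carry; it is hypothetical, not a real signature.
P2P_IMAGE = b"MZ\x90\x00" + b"\x00" * 40 + b"P2P-HELLO/1.0" + b"\xcc" * 20
NOTEPAD_IMAGE = b"MZ\x90\x00" + b"\x00" * 40 + b"Untitled - Notepad" + b"\xcc" * 20

def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

KNOWN_NAMES = {"p2pclient.exe"}                     # footprint database (constructed)
KNOWN_MD5 = {md5(P2P_IMAGE)}
CODE_PATTERNS = [b"P2P-HELLO/1.0"]                  # assembly/binary signature stand-in
SHARE_DIR = "C:\\Users\\Public\\Shared\\"          # hypothetical shared-files folder

def footprint_hits(proc):
    """Client based detection: process name and MD5 of the image on disk."""
    hits = []
    if proc.name.lower() in KNOWN_NAMES:
        hits.append("name")
    if md5(proc.image) in KNOWN_MD5:
        hits.append("md5")
    return hits

def behavioral_hits(proc):
    """Client behavioral detection: code pattern in the image, plus listening on a high port
    while touching the shared folder. Survives a rename and a one-byte patch of the binary."""
    hits = []
    if any(p in proc.image for p in CODE_PATTERNS):
        hits.append("code-pattern")
    if any(p >= 1024 for p in proc.listen_ports) and any(f.startswith(SHARE_DIR) for f in proc.files_touched):
        hits.append("listens+shares")
    return hits

def classify(proc):
    return {"footprint": footprint_hits(proc), "behavioral": behavioral_hits(proc)}

# Constructed process table: the same binary in three states, plus the genuine editor it impersonates.
SAMPLE_PROCESSES = {
    "installed": Process("p2pclient.exe", P2P_IMAGE, {6881}, {SHARE_DIR + "movie.avi"}),
    "renamed": Process("notepad.exe", P2P_IMAGE, {6881}, {SHARE_DIR + "movie.avi"}),
    "renamed_patched": Process("notepad.exe", P2P_IMAGE + b"\x00", {6881}, {SHARE_DIR + "movie.avi"}),
    "real_notepad": Process("notepad.exe", NOTEPAD_IMAGE, set(), {"C:\\Users\\alice\\notes.txt"}),
}
```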

ABOUT OPSWAT
Founded in 2002, OPSWAT (www.opswat.com) is the world leader in development tools and data services that power products managing features of security applications. OPSWAT SDKs and services enable integration with a broad range of applications, from traditional security products such as antivirus, antispyware, personal firewalls and hard disk encryption applications to more conventional products such as browsers, instant messengers and peer to peer applications with security-related features. OPSWAT is headquartered in San Francisco, California, with an additional office in Herzliya, Israel.

OPSWAT and the OPSWAT logo are trademarks of OPSWAT, Inc. or its affiliates. All other names mentioned herein are trademarks or registered trademarks of their respective owners.