Phagocytes: A Holistic Defense and Protection Against Active P2P Worms

TL;DR

This paper introduces Phagocytes, a novel immune system for P2P networks that detects, isolates, and defends against active P2P worms using monitoring, containment, and adaptive puzzles, proven effective in large-scale simulations.

Contribution

The paper presents a new immune-based defense system with Phagocytes that detect and contain active P2P worms, including a novel adaptive puzzle scheme for external attack mitigation.

Findings

Effective detection of active P2P worms in large-scale traces

Successful containment and isolation of worms using Phagocytes

Adaptive puzzles significantly reduce external worm attacks

Abstract

Active Peer-to-Peer (P2P) worms present serious threats to the global Internet by exploiting popular P2P applications to perform rapid topological self-propagation. Active P2P worms pose more deadly threats than normal scanning worms because they do not exhibit easily detectable anomalies, thus many existing defenses are no longer effective. We propose an immunity system with Phagocytes --- a small subset of elected P2P hosts that are immune with high probability and specialized in finding and "eating" worms in the P2P overlay. The Phagocytes will monitor their managed P2P hosts' connection patterns and traffic volume in an attempt to detect active P2P worm attacks. Once detected, local isolation, alert propagation and software patching will take place for containment. The Phagocytes further provide the access control and filtering mechanisms for communication establishment between the internal P2P overlay and the external hosts. We design a novel adaptive and interaction-based computational puzzle scheme at the Phagocytes to restrain external worms attacking the P2P overlay, without influencing legitimate hosts' experiences significantly. We implement a prototype system, and evaluate its performance based on realistic massive-scale P2P network traces. The evaluation results illustrate that our Phagocytes are capable of achieving a total defense against active P2P worms.