Intrusion Detection Based on P2P Software

Zoltán Czirkos (Budapest University of Technology and Economics, Hungary) and Gábor Hosszú (Budapest University of Technology and Economics, Hungary)
DOI: 10.4018/978-1-60566-026-4.ch353

Network security problems have come into prominence with the growth of the Internet. This article presents a new kind of software that uses only the network itself to protect hosts and increase their security. The hosts running this software form an Application Level Network (ALN) over the Internet. Nodes connected to this ALN check their operating systems' log files to detect intrusion attempts. The information collected is then shared over the ALN to increase the security of all peers, each of which can then take the necessary protective steps on its own. The software developed is named Komondor (Czirkos, 2006), after a famous Hungarian guard dog. The novelty of Komondor is that the Komondor nodes on the participating hosts form a peer-to-peer (P2P) overlay network. Organization is automatic and requires no user interaction. This network model ensures stability, which is important for quick and reliable communication between nodes, and keeps the system usable even over an unstable network. Using the peer-to-peer network model for this purpose is new in principle. Test results proved its usefulness: with its aid, real intrusion attempts were blocked. The software is intended to mask the security holes of the services a host provides, not to repair them, so it does not need to know the details of a security hole. It can provide some protection in advance, but only if an intrusion has already been detected somewhere on the network. It does not fix the security hole; it keeps the particular attacker from further activity.
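The detect-share-block cycle described above, as an added example that is not Komondor's own code: one peer finds repeated failed sshd logins in its host's log, blocks the source locally and floods an alert over the overlay, and the receiving peers block the same source before they have seen any attack themselves. The sample log lines, the failure threshold and the alert message format are assumptions made for this example.

```python
"""Added example, not Komondor's own code: a minimal log-watching peer.

Each peer scans its host's sshd log for repeated failed logins, blocks the
offending source locally and floods an alert over the overlay; peers that
receive an alert block the same source and forward it. The log lines, the
threshold and the message format are assumptions made for this example.
"""
import re
from collections import defaultdict

# Constructed sample of auth.log-style sshd lines (not real data).
SAMPLE_LOG = """\
Mar  3 10:01:12 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:15 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  3 10:01:18 host1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:02:01 host1 sshd[2230]: Accepted publickey for alice from 198.51.100.5 port 40112 ssh2
Mar  3 10:02:40 host1 sshd[2240]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# Matches OpenSSH's "Failed password" line; the "invalid user" prefix is optional.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

THRESHOLD = 3  # assumed: failed logins from one source before it is reported


def detect(log_text, threshold=THRESHOLD):
    """Return the set of source IPs with at least `threshold` failed logins."""
    failures = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


class Peer:
    """One Komondor-style node; links are symmetric overlay edges."""

    def __init__(self, name):
        self.name = name
        self.blocked = set()      # stands in for the host's firewall rules
        self.neighbours = []
        self.received = 0         # alert messages handled, for inspection

    def connect(self, other):
        self.neighbours.append(other)
        other.neighbours.append(self)

    def block(self, ip):
        self.blocked.add(ip)

    def scan(self, log_text):
        """Local detection step: block attackers found in our own log, then alert."""
        for ip in detect(log_text):
            self.block(ip)
            self._flood({"type": "alert", "attacker": ip, "origin": self.name})

    def _flood(self, alert):
        for nb in self.neighbours:
            nb.receive(alert)

    def receive(self, alert):
        """Apply an alert from a peer. An already-blocked source stops the flood,
        so every node forwards each alert at most once, even on cyclic overlays."""
        self.received += 1
        ip = alert["attacker"]
        if ip in self.blocked:
            return
        self.block(ip)
        self._flood(alert)


def demo():
    """Chain a-b-c: only a sees the attack, but b and c end up blocking it too."""
    a, b, c = Peer("a"), Peer("b"), Peer("c")
    a.connect(b)
    b.connect(c)
    a.scan(SAMPLE_LOG)
    return {p.name: sorted(p.blocked) for p in (a, b, c)}


if __name__ == "__main__":
    print(demo())
```

The single failure from 192.0.2.9 stays below the threshold and is never shared, which is the trade-off the threshold encodes: a lower value reacts sooner but lets one mistyped password block a legitimate user on every peer. The example also accepts any alert it receives; a deployment would have to authenticate alerts (for example by signing them with per-node keys), since otherwise one compromised or malicious peer could make the whole overlay block arbitrary addresses.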
Chapter Preview


P2P networks comprise hundreds of thousands or even millions of peers. They are therefore characterized by great dynamism, with a continuous process of nodes joining and leaving the P2P overlay.

Such large-scale dynamism introduces several development problems. Neither a central authority nor a fixed communication topology can be employed to control the different components. Instead, a dynamically changing overlay topology is maintained, and its maintenance is completely decentralized. The overlay is defined by links among nodes that are created and deleted according to the requirements of the particular application (Montresor, 2004).

The heterogeneity of P2P networks can be exploited by building virtual networks based on super-peers. Widely used file-sharing systems such as Kazaa have already applied super-peers to improve their search performance. Research on super-peer networks has mainly focused on the centralized design of such networks (Yang & Garcia-Molina, 2003).

Until recently, most P2P applications deployed on the Internet had no sophisticated mechanism for enforcing a particular overlay topology. The consequence was the adoption of simple communication models such as flooding. The situation has now changed: many research projects have shown the importance of selecting appropriate topologies for robust P2P systems and have proposed ways to construct and maintain them (Rowstron & Druschel, 2001). Even popular file-sharing applications have started to consider more structured topologies (Kan, 2001). With the introduction of the super-peer concept, their topologies are now organized as a two-level hierarchy. Nodes that are faster and/or more reliable than ordinary nodes take on server-like responsibilities and provide services to a set of clients. File sharing is a good example: a super-peer builds an index of the files shared by its clients and participates in the search protocol on their behalf, relieving the clients of taking part in complicated protocols and reducing overall traffic by forwarding queries only among super-peers.

The super-peer concept allows decentralized networks to run more efficiently by exploiting heterogeneity and shifting load onto the machines that can handle it. At the same time it does not inherit the flaws of the client/server model, because there are multiple, separate points of failure rather than one, which increases the robustness of the P2P network.
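The two-level hierarchy described above, as an added example that is not code from the chapter or from any of the systems it cites: clients only hand their file lists to one super-peer, the super-peer answers queries from that index and forwards them solely to other super-peers, and a visited set plus a hop limit keep the forwarding bounded. The names, file lists and hop limit are assumptions made for this example.

```python
"""Added example, not from the chapter: a two-level super-peer overlay for search.

Ordinary clients only upload a list of their files to one super-peer; the
super-peer answers queries from its index and forwards them only to other
super-peers, so clients never take part in the search protocol. Names, the
file lists and the hop limit are assumptions made for this example.
"""


class Client:
    def __init__(self, name, files):
        self.name = name
        self.files = set(files)
        self.super_peer = None


class SuperPeer:
    def __init__(self, name):
        self.name = name
        self.index = {}        # file name -> names of clients holding it
        self.links = set()     # neighbouring super-peers
        self.queries_seen = 0  # for inspecting how far a query travelled

    def attach(self, client):
        """A client joins: its file list is folded into our index."""
        client.super_peer = self
        for f in client.files:
            self.index.setdefault(f, set()).add(client.name)

    def link(self, other):
        self.links.add(other)
        other.links.add(self)

    def search(self, file_name, ttl=2, visited=None):
        """Answer from the local index, then forward to other super-peers only.
        `visited` stops the query looping on cyclic topologies; `ttl` bounds
        how many super-peer hops it may travel."""
        visited = set() if visited is None else visited
        visited.add(self)
        self.queries_seen += 1
        hits = set(self.index.get(file_name, ()))
        if ttl > 0:
            for sp in self.links:
                if sp not in visited:
                    hits |= sp.search(file_name, ttl - 1, visited)
        return hits


def client_search(client, file_name, ttl=2):
    """A client never floods: it just asks its own super-peer."""
    return client.super_peer.search(file_name, ttl)


def build_demo():
    """Three super-peers in a chain, one client each (constructed data)."""
    sp1, sp2, sp3 = SuperPeer("sp1"), SuperPeer("sp2"), SuperPeer("sp3")
    sp1.link(sp2)
    sp2.link(sp3)
    c1 = Client("c1", ["a.iso"])
    c2 = Client("c2", ["a.iso", "b.iso"])
    c3 = Client("c3", ["b.iso"])
    sp1.attach(c1)
    sp2.attach(c2)
    sp3.attach(c3)
    return (sp1, sp2, sp3), (c1, c2, c3)


if __name__ == "__main__":
    sps, (c1, _, _) = build_demo()
    print(sorted(client_search(c1, "b.iso")))   # ['c2', 'c3']
    print([sp.queries_seen for sp in sps])      # [1, 1, 1]
```

Three super-peer messages answer a query that a flat flood would have pushed to all six nodes, which is the traffic saving the text refers to. The hop limit is the robustness knob: a query with `ttl=1` from c1 finds only c2's copy of `b.iso`, so a lower limit trades completeness for bounded load, and a super-peer that disappears takes its clients' index entries with it until they re-attach elsewhere.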

The applicability of the super-peer model is not limited to file sharing; distributed game systems are another possibility (Smed, Kaukoranta, & Hakonen, 2003). In that case, the multiple locations of a simulated virtual environment can be maintained by a distributed set of super-peers that control the virtual environment on behalf of their clients. Grid management systems and distributed storage are other good candidates for this architecture (Foster & Kesselman, 1999).

Key Terms in this Chapter

Security Management: Calculating in advance the damage a certain attack would cause, so that one can decide whether a particular security investment, such as buying new devices or training employees, is worth it.

Client/Server Model: A way of communicating in which one host has more functionality than the other. It differs from the P2P model (see below).

Overlay Network: The virtual network formed by applications that create an ALN (see below). Such applications work together and usually follow the P2P communication model (see below).

Exploit: A small program designed specifically to attack a certain vulnerability in a system. Exploits are dangerous because using them requires no skill, and they are usually published shortly after a vulnerability is disclosed.

Firewall: A host or router that provides a strictly controlled gateway to the Internet for a subnetwork, inspecting traffic and possibly dropping some network packets.

Peer-to-Peer (P2P) Model: A way of communicating in which every node has the same authority and communication capability. The nodes create a virtual network overlaid on the Internet and organize themselves into a topology for data transmission.

Security Policy: A set of rules laying down the expectations and provisions for usage, for users and administrators alike. It is worth drawing up before a medium- or large-sized system is put into operation.

Application Level Network (ALN): Applications running on different hosts can create a virtual network from their logical connections; this is also called an overlay network (see above). The operation of such software entities cannot be understood without knowing their logical relations. In most cases these ALN software entities communicate using the P2P model (see above) rather than the client/server one (see above).
