Mejoras en la identificación de tráfico de aplicación basado en firmas
Anuncio
VII Jornadas de Ingeniería Telemática. JITEL 2008
95
!
X%=+-'/!%#!)'!,(%#$,3,1'1,2#!(%!$-43,1+!(%!
'7),1'1,2#!?'/'(+!%#!3,-&'/
!
_./$+-!K'#$+)'8'<!J(6'-(+!X';'`'<!X,a%)!O0')!8!b'#,%)!X+-'$2!
"#,*%-/,('(!N@?),1'!(%!_'*'--'H!
b%7'-$'&%#$+!(%!^6$+&4$,1'!8!c+&76$'1,2#!
c'&76/!^--+/'(,'<!UHSSQ!N'&7)+#'!
J&',)d!%(6'-(+9&';'#'e6#'*'--'9%/!
Abstract— Traffic identification has been based
traditionally on transport protocol ports, associating
always the same ports with the same applications.
Nowadays that assumption is not true and new methods
like signature identification or statistical techniques are
applied. This work presents a method based on signature
identification with some improvements. The use of regular
expressions for typical applications has been studied
deeply and its use has been improved in the aspects of
percentage identification and resources consumption. On
the other hand, a flows-record structure has been applied
in order to classify those packets that do not verify any
regular expression. Results are compared with the opensource related project L7-filter, and the improvements are
presented. Finally, detailed regular expressions for
analyzed applications are included in the paper, especially
P2P applications.
I. INTRODUCCIÓN
"#! $%&'! (%! %)%*'(+! ,#$%-./! %#! )'! &+#,$+-,0'1,2#! (%!
-%(%/!(%!('$+/!%/!)'!,(%#$,3,1'1,2#!(%)!$-43,1+!56%!1,-16)'!7+-!
%))'/! 1+#! '7),1'1,+#%/! %#! &68! (,*%-/+/! 1'&7+/9! :'!
,(%#$,3,1'1,2#! 1+#/,/$%! %#! '*%-,;6'-! '! 56.! '7),1'1,2#!
7%-$%#%1%!(%$%-&,#'(+!$-43,1+!(%!)'!-%(<!76(,%#(+!))%*'-!%/$'!
,#(%#$,3,1'1,2#! '! ;-'#6)'-,('(! (%! 3)6=+/! +! ,#1)6/+! (%!
7'56%$%/9! >-'(,1,+#')&%#$%! %/$'! )'?+-! /%! -%'),0'?'!
1+&7-+?'#(+! %)! #@&%-+! (%! 76%-$+! (%)! #,*%)! (%! $-'#/7+-$%!
1+--%/7+#(,%#$%!7+-!%)!56%!/%!A'?B'!%#*,'(+!+!-%1,?,(+!1'('!
7'56%$%<!8'!56%!1'('!'7),1'1,2#!/%!%#1+#$-'?'!A'?,$6')&%#$%!
'/+1,'('! 8! (%! &'#%-'! 6#B*+1'! '! 6#! ,(%#$,3,1'(+-! (%! 76%-$+!
C)+/!(%#+&,#'(+/!1+&+!D76%-$+/!?,%#!1+#+1,(+/EF!GHI!9!J/$'!
,(%#$,3,1'1,2#!%/!(%!6$,),('(!%#!'6(,$+-B'/!(%!-%(!C1+#+1%-!)+/!
/%-*,1,+/! (%&'#('(+/! 7+-! )+/! 6/6'-,+/F<! 1+#$-+)! (%! $-43,1+!
C7+(%-! ?)+56%'-! /%-*,1,+/! #+! (%/%'(+/! +! ,#1)6/+! '/7%1$+/!
'*'#0'(+/! (%! /%;6-,('(F<! ! 8! 1'),('(! (%! /%-*,1,+! C7+(%-!
7-,+-,0'-!6#'/!'7),1'1,+#%/!3-%#$%!'!+$-'/F9!!
K,#! %&?'-;+<! %#! )'! '1$6'),('(<! )'! %/7%1,'),0'1,2#! (%)!
/+3$L'-%! (%! 1+&6#,1'1,+#%/! 8! )'/! -%/$-,11,+#%/! ,&76%/$'/!
7+-!7-+M8/!8!3,-%L'))/!A'#!A%1A+!56%!)'!,(%#$,3,1'1,2#!?'/'('!
%#!76%-$+/!#+!/%'!3,'?)%9!K%!%/$4#!,&7+#,%#(+!#6%*'/!3+-&'/!
(%!7-+1%(%-!%#!)'/!56%!16')56,%-!7-+;-'&'!/%!76%(%!1'&63)'-!
'! #,*%)! (%! -%(! 7'-'! %*,$'-! 3,-%L'))/<! /67)'#$'-! ,(%#$,('(%/! +!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!J/$%!$-'?'=+!A'!/,(+!3,#'#1,'(+!7+-!%)!N-+8%1$+!O#$%;-'(+!J*%-;-+L!CPNQR
H
ONRSSHTUVF! 8! K>WJN! X+&%#$! CPNYRK>WJNRSZHVZZVF! (%! N-+;-'&'/! (%! )'!
"#,2#!J6-+7%'9!
%#*,'-!12(,;+! &'),1,+/+9!J/%!1'&63)'=%!)+!1+#/,;6%#!'!?'/%!
(%! 6$,),0'-! 76%-$+/! '/+1,'(+/! '! +$-'/! '7),1'1,+#%/! ?,%#!
1+#+1,('/! 8! 56%! '! %3%1$+/! 7-41$,1+/! )%/! 7%-&,$'#! 7'/'-!
,#'(*%-$,('/! 8'! 56%! )+/! 1+#$-+)%/! (%! '11%/+! /%! A'#! ?'/'(+!
$-'(,1,+#')&%#$%!%#! %)! 3,)$-'(+! 7+-! 76%-$+/! GZI! 9!>'&?,.#!/%!
?'/'#!%#!&+#$'-!$@#%)%/![>>N!56%!7%-&,$%!'$-'*%/'-!7-+M8/!
8! 3,-%L'))/! /,#! &'8+-%/! 7-+?)%&'/! GHI! 9! N'-'! 1+&7),1'-)+!
&4/!'@#<!%#!%)!1'/+!(%!'7),1'1,+#%/!NZN!%)!7-+?)%&'!%/!56%!
1'('! ,#/$'#1,'! (%)! 7-+;-'&'! 76%(%! 6$,),0'-! 6#! 76%-$+!
(,3%-%#$%!7'-'!(%!#6%*+!%*,$'-!%/$'/!&%(,('/!(%!1+#$-+)<!1+#!
)+! 56%! /%! A'1%! &4/! 1+&7),1'('! $+('*B'! )'! ,(%#$,3,1'1,2#!
1+--%1$'! (%)! $-43,1+! ?'/4#(+#+/! @#,1'&%#$%! %#! )+/!
,(%#$,3,1'(+-%/!(%!76%-$+/!GUI!9!
JM,/$%#! +$-'/! 7+/,?,),('(%/! 7'-'! )'! ,(%#$,3,1'1,2#! (%!
$-43,1+9! N+-! 6#! )'(+! $%#%&+/! /+)61,+#%/! ?'/'('/! %#! 3,-&'/<!
56%! 1+#/,/$%#! %#! ?6/1'-! (%$%-&,#'(+/! 7'$-+#%/! %#! %)!
1+#$%#,(+! (%! )+/! 7'56%$%/! '#'),0'#(+! )+/! 7-+7,+/! ('$+/!
;%#%-'(+/!7+-!%)!#,*%)!(%!'7),1'1,2#!G\I!9!]$-'!7+/,?,),('(!%/!
)'! (%! (%1+(,3,1'-! )+/! ('$+/! (%)! 7'56%$%! 7'-'! 1+&7-+?'-! /,!
/,;6%! %)! 3)6=+! (%! (%$%-&,#'(+! 7-+$+1+)+! '/+1,'(+! '! 1,%-$'!
'7),1'1,2#!GVI!9!!O#1)6/+!/%!76%(%#!%#1+#$-'-!1+&?,#'1,+#%/!
(%!'&?'/!&%$+(+)+;B'/!GQI!9!:'!*%#$'='!(%!%/$+/!&.$+(+/!%/!
/6! %)%*'('! 7-%1,/,2#! 1+#/,;6,%#(+! %)%*'(+/! 7+-1%#$'=%/! (%!
,(%#$,3,1'1,2#! 1+--%1$'9! K,#! %&?'-;+<! %/$+/! &.$+(+/!
,#$-+(61%#! &61A'! /+?-%1'-;'! (%?,(+! ')! '#4),/,/! (%$'))'(+!
56%! $,%#%#! 56%! A'1%-! (%! )+/! ('$+/! %#1'7/6)'(+/! %#! 1'('!
7'56%$%9!^(%&4/!%/$+/!&.$+(+/!#+!76%(%#!A'1%-!#'('!1+#$-'!
'56%))'/! '7),1'1,+#%/! 56%! %#1-,7$%#! /6/! ('$+/! '6#56%! %#! )'!
'1$6'),('(!%/$'/!'7),1'1,+#%/!/+#!&,#+-B'!GUI!9!
N+-! +$-+! )'(+<! -%1,%#$%&%#$%! A'#! '7'-%1,(+! 7-+76%/$'/!
(%! ,(%#$,3,1'1,2#! ?'/'('/! %#! %/$'(B/$,1+/! GZI! 56%! /,! ?,%#! #+!
7-+*%%#! $'#$'! 7-%1,/,2#! %#! )+/! -%/6)$'(+/! /6! 1+/$%!
1+&76$'1,+#')!%/!&61A+!&%#+-!8!7+-!$'#$+!(%!'7),1'1,2#!%#!
-%(%/! (%! ')$'! *%)+1,('(9! ^(%&4/! #+! /%! *%#! '3%1$'('/! 7+-! )'!
%#1-,7$'1,2#!(%!)+/!3)6=+/!7+-!)+!56%!7'-%1%!6#!1'&7+!7+-!%)!
56%!/%!76%(%!'7+/$'-!%#!%)!36$6-+9!
:'!,(%#$,3,1'1,2#!(%)!$-43,1+!(%!-%(!'!#,*%)!(%!'7),1'1,2#!
/%! A'! '7),1'(+! 7-,#1,7')&%#$%! '! )+/! 3,-%L'))/! 8! &4/!
1+#1-%$'&%#$%!'!)'!(%$%11,2#!(%)!7-+$+1+)+![>>N9!J/$%!$,7+!
(%! ,(%#$,3,1'1,2#! 1+#/$,$68%! /,#! (6('! 6#! 7'/+! &4/! %#! )'!
%*+)61,2#! (%! )+/! /,/$%&'/! 3,-%L'))/<! 8'! 56%! %#! %/$%! 1'/+!
'#'),0'#!$+(+!%)!7'56%$%!'!#,*%)!(%!'7),1'1,2#!+<!)+!56%!%/!)+!
&,/&+<!1+#$-+)'#!#+!/2)+!)+/!76%-$+/!+!)'/!/%/,+#%/<!/,#+! %)!
7-+$+1+)+!56%! /%!6$,),0'!7'-'! )'!1+&6#,1'1,2#<!%*,$'#(+!56%!
76%('#! 3')/%'-/%! /%-*,1,+/9! N+-! %=%&7)+<! /%-B'! 7+/,?)%!
7-+A,?,-! %)! '11%/+! [>>N! ,#(%7%#(,%#$%&%#$%! (%! 56%! %)!
96
VII Jornadas de Ingeniería Telemática. JITEL 2008
!
/%-*,1,+! [>>N! %/$6*,%-'! )%*'#$'(+! %#! %)! 76%-$+! fS! +! %#! %)!
76%-$+! H\V<!8'!56%!%)!3,-%L'))!'#'),0'-B'!%)!7-+$+1+)+!(%!)+/!
7'56%$%/!8!')!*%-![>>N!?)+56%'-B'!)'!1+#%M,2#9!!
J/$%! $-'?'=+! /%! 1%#$-'! %#! %)! %/$6(,+! (%! 6#! /,/$%&'! (%!
,(%#$,3,1'1,2#!(%!$-43,1+!?'/'(+!%#! 3,-&'/9!K,!?,%#!%/!(%!)+/!
&.$+(+/!&4/!%&7)%'(+/!7'-'!)'!,(%#$,3,1'1,2#!(%!$-43,1+<!#+!
%M,/$%#! 7-+76%/$'/! '?,%-$'/! 56%! 7%-&,$'#! -%7),1'-! /6!
,&7)%&%#$'1,2#! 7'-'! '7),1'-)+! '! #%1%/,('(%/! 1+#1-%$'/! #,!
$'&7+1+!-%/6)$'(+/!%MA'6/$,*+/!(%!,(%#$,3,1'1,2#!GZI!G\I!9!
J)! $-'?'=+! /%! +-;'#,0'! 1+&+! /,;6%9! J#! )'! /,;6,%#$%!
/%11,2#!/%!,#$-+(61%#!$-'?'=+/!'#$%-,+-%/!%#!,(%#$,3,1'1,2#!(%!
$-43,1+! ?'/'(+! %#! 3,-&'/9! ^! 1+#$,#6'1,2#! /%! ,#$-+(61%! %)!
36#1,+#'&,%#$+!(%!)'/!%M7-%/,+#%/!-%;6)'-%/!1+&+!#@1)%+!(%!
)'! ,(%#$,3,1'1,2#! ?'/'('! %#! 3,-&'/9! J#! )'! /%11,2#! 16'-$'! /%!
7-%/%#$'! )'! '-56,$%1$6-'! (%)! /,/$%&'! (%/'--+))'(+9! J#! )'!
/%11,2#!56,#$'!8!/%M$'!/%!%M7+#%#!-%/7%1$,*'&%#$%!)'/!$-'0'/!
(%!$-43,1+!6$,),0'('/!8!)'!&%=+-'!%#!%M7-%/,+#%/!-%;6)'-%/9!J#!
)'! /%11,2#! /.7$,&'! /%! 7-%/%#$'! %)! '#4),/,/! (%)! /,/$%&'!
7-+76%/$+9! N'-'! 3,#'),0'-! /%! 7-%/%#$'#! )'/! 1+#1)6/,+#%/! (%)!
$-'?'=+9!
II. ESTADO DEL ARTE EN INDENTIFICACIÓN DE TRÁFICO
BASADO EN FIRMAS
J#!)'!),$%-'$6-'!/%!6$,),0'#!/,/$%&'/!(%!,(%#$,3,1'1,2#!(%!
$-43,1+! ?'/'(+! %#! 3,-&'/9! K%! $-'$'! (%! ?6/1'-! 1'(%#'/!
%/7%1B3,1'/! (%! $%M$+! +! ('$+/! ?,#'-,+/! %#! %)! 7'8)+'(! (%! )+/!
7'56%$%/9! J/$'/! 1'(%#'/! %/$4#! '/+1,'('/! 6#B*+1'&%#$%! ')!
7-+$+1+)+! (%! )'! '7),1'1,2#! 8! 76%(%#! /%-! 7')'?-'/! 1)'*%<!
1+&'#(+/<!+71,+#%/!+!16')56,%-!+$-+!1+#$%#,(+!,(%#$,3,1'?)%9!
J#!GYI!7'-$%#!(%!)'!(+16&%#$'1,2#!(%!)+/!7-+$+1+)+/!8!
$-'0'/! (%! $-43,1+! -%')! 7'-'! ,(%#$,3,1'-! )'/! 3,-&'/! '! ?6/1'-! %#!
)+/!('$+/!(%!#,*%)!(%!'7),1'1,2#<!1%#$-4#(+/%!%#!'7),1'1,+#%/!
NZN9! J*')@'! 1'-'1$%-B/$,1'/! (%! 7-%1,/,2#! C3')/+/! 7+/,$,*+/! 8!
3')/+/! #%;'$,*+/F<! %/1')'?,),('(! C1+&7)%=,('(F! 8! 3+-$')%0'! C'!
7.-(,('/<!-%+-(%#'&,%#$+<!%$19F!(%!)'/!3,-&'/!%#1+#$-'('/9!:'!
?@/56%('! (%! 3,-&'/! /%! ?'/'! %#! %)! 6/+! (%! %M7-%/,+#%/!
-%;6)'-%/9! K,#! %&?'-;+<! )'/! 3,-&'/! -%/6)$'#$%/! #+! /%!
7-%/%#$'#!%#!%)!$-'?'=+9!
J#! +$-+! $-'?'=+! GfI! ! /%! -%'),0'! 6#! %/$6(,+! (%!
,(%#$,3,1'1,2#!?'/'('!%#!3,-&'/!/+?-%!6#!7%-,+(+!(%!Z!'`+/!8!
6$,),0'#(+!$-43,1+!-%')9!K,#!%&?'-;+<!)'/!3,-&'/!6$,),0'('/!/+#!
&68!/,&7)%/<! 6/'#(+!7+-!%=%&7)+!)'!?@/56%('!(%!)'!1'(%#'!
Dg_">J::^E! 7'-'! ,(%#$,3,1'-! )+/! 7'56%$%/! 56%!
1+--%/7+#(%#! '! )'! '7),1'1,2#! NZN! ;_6$%))'9! ^(%&4/! /%!
1+&7'-'! /6! %3%1$,*,('(! 1+#! A%6-B/$,1+/! ?'/'(+/! %#!
(,-%11,+#%/!ON!8!76%-$+/9!_+!'#'),0'#!)'!7+/,?,),('(!(%!3')/+/!
7+/,$,*+/!7+-!)+!56%!%)!'#4),/,/!#+!%/!1+&7)%$+9!
N'-'! '7),1'-! (,/1,7),#'/! (%! 1'),('(! (%! /%-*,1,+! '! )'/!
(,3%-%#$%/!'7),1'1,+#%/<!%#!G\I!!6$,),0'#!,(%#$,3,1'1,2#!?'/'('!
%#! 3,-&'/9! _+! %#$-'#! %#! (%$'))%/! (%! )+/! 7-+1%(,&,%#$+/!
6$,),0'(+/! %#! 16%#$+! '! 3,-&'/! 8! /%! 1%#$-'#! %#! '`'(,-!
1'-'1$%-B/$,1'/!%/$'(B/$,1'/!'!)'!,(%#$,3,1'1,2#9!
J#! 16'#$+! '!7-+76%/$'/!(%!/+3$L'-%! ),?-%! %M,/$%#$%/<!%)!
3,-%L'))! (%! #,*%)! (%! '7),1'1,2#! &4/! 1+#+1,(+! %/! %)!
^77),1'$,+#!:'8%-!N'1a%$!c)'//,3,%-!3+-!:,#6M!C:YR3,)$%-F![7]9!
J)! :YR3,)$%-! %/! 6#! 1)'/,3,1'(+-! (%! 7-+$+1+)+/! ?'/'(+! %#!
_%$3,)$%-hON$'?)%/! (%! :,#6M<! %)! 16')! ,(%#$,3,1'! 7'56%$%/! '!
#,*%)! (%! '7),1'1,2#! &%(,'#$%! %M7-%/,+#%/! -%;6)'-%/9! J/$%!
7-+8%1$+! /+7+-$'! 6#'! ;-'#! *'-,%('(! (%! 7-+$+1+)+/! (%/(%!
[>>N! '! &')L'-%! 7'/'#(+! 7+-! (,*%-/+/! $,7+/! (%! NZN! %!
,#1)6/+! ,(%#$,3,1'1,2#! (%! 3,1A%-+/9! N'-'! 1'('! 6#+! (%! %))+/!
'7+-$'! /6! 1+--%/7+#(,%#$%! %M7-%/,2#! -%;6)'-! 8! )+/! 1)'/,3,1'!
/%;@#! )'! 7-%1,/,2#! %#! )'! ,(%#$,3,1'1,2#! 8! )'! *%)+1,('(! (%! )'!
&,/&'9! :YR3,)$%-! $-'?'='! '7),1'#(+! %M7-%/,+#%/! -%;6)'-%/!
7'56%$%!'!7'56%$%!$%#,%#(+!%#!16%#$'!3)6=+/!&'#$%#,(+/!7+-!
_%$3,)$%-9! ^(%&4/! 1+--%! '! #,*%)! (%! a%-#%)! =6#$+! '!
_%$3,)$%-hON$'?)%/! 7+-! )+! 56%! %/! 1+&7)%=+! '7),1'-! /6! 12(,;+!
7'-'!+$-'/!$'-%'/!(,3%-%#$%/!'!)'!+-,;,#')9!
J#! %/$%! $-'?'=+! /%! -%'),0'! 6#'! +7$,&,0'1,2#! (%! )'/!
%M7-%/,+#%/!-%;6)'-%/!7'-'!,(%#$,3,1'1,2#!(%!'7),1'1,+#%/<!/%!
7-%/%#$'#! &%=+-'/!%#!%)! &+$+-!(%!?@/56%('/!8!/%!(%$'))'-4#!
-%/6)$'(+/! %MA'6/$,*+/! 1+&7'-'#(+! )+/! &,/&+/! 1+#! )+/! 56%!
+?$,%#%!)'!'7),1'1,2#!:YR3,)$%-9!
III. EXPRESIONES REGULARES
:'/! %M7-%/,+#%/! -%;6)'-%/! /+#! 6#'! /%-,%! (%! 1'-'1$%-%/!
56%! 3+-&'#! 6#! 7'$-2#<! #+-&')&%#$%! -%7-%/%#$'$,*+! (%! +$-+!
;-67+! (%! 1'-'1$%-%/! &'8+-<! (%! $')! 3+-&'! 56%! 7+('&+/!
1+&7'-'-!%)!7'$-2#!1+#!+$-+!1+#=6#$+!(%!1'-'1$%-%/!7'-'!*%-!
)'/!1+,#1,(%#1,'/!GHSI!9!:'!,(%#$,3,1'1,2#!(%!7'56%$%/!?'/'('!
%#! 3,-&'/! 6$,),0'! )'/! %M7-%/,+#%/! -%;6)'-%/! 1+&+! ?'/%!
36#('&%#$')9!
J#!#6%/$-+!1'/+<!/%;@#!%/$'!(%3,#,1,2#<!)'/!%M7-%/,+#%/!
-%;6)'-%/! /+#! 1'(%#'/! (%! 1'-'1$%-%/! 56%! ';-67'#!
7+/,?,),('(%/! %#! $+-#+! '! )'! ?@/56%('! (%! 6#! (%$%-&,#'(+!
7'$-2#!(%!6#!7-+$+1+)+!(%#$-+!(%!6#!1+#$%#,(+!&'8+-<!56%!%#!
#6%/$-+! 1'/+! 1+--%/7+#(%! ')! 7'8)+'(! (%)! 7'56%$%! +! (%! )+/!
7'56%$%/! '! '#'),0'-9! J/$+! /,;#,3,1'! 56%! &%(,'#$%! 6#'!
%M7-%/,2#! -%;6)'-! ?,%#! (%3,#,('! 7+(%&+/! -%'),0'-! )'!
?@/56%('! (%! 16')56,%-! 1'(%#'! 56%! 56%-'&+/<! 1+&+! 6#!
#@&%-+! (%! $%).3+#+! (%)! 56%! /'?%&+/! 7'-$%! %#! 6#'! ;6B'!
$%)%32#,1'<! ?6/1'-! %#! 6#'! 74;,#'! L%?! ');@#! ('$+! +! 7')'?-'!
(%)! 56%! /'?%&+/! 7'-$%! (%! /6! 1+#$%#,(+<! +! ,#1)6/+<! 1+&+! %/!
#6%/$-+! 1'/+<! %#1+#$-'-! 7'$-+#%/! 7-%*,'&%#$%! (%3,#,(+/! %#!
)+/!7'56%$%/!56%!'$-'*,%/'#!)'!-%(9!
J#! -%'),('(<! )'/! %M7-%/,+#%/! -%;6)'-%/! /+#! )'! ?'/%! (%!
7-+;-'&'1,2#!(%!16')56,%-!$,7+!(%!?@/56%('<!8'!/%'!/,&7)%!+!
'*'#0'('<!)+!56%!(%/%&?+1'!%#!/6/!#6&%-+/'/!'7),1'1,+#%/9!
J#!#6%/$-+!1'/+<!)'/!%M7-%/,+#%/!-%;6)'-%/!/+#!)'!A%--'&,%#$'!
56%!/%!#%1%/,$'!7'-'!';-67'-!$+('/!)'/!+71,+#%/!(%!?@/56%('!
(%)! 7'$-2#9! N+-! %=%&7)+<! %#! %)! 1'/+! -%')! (%)! 7-+$+1+)+!
;_6$%))'<! /%! 76%(%! (%1,(,-! 56%! 16')56,%-! 7'56%$%! 56%!
1+#$%#;'! ')! 1+&,%#0+! (%)! &,/&+! 6#'! (%! )'/! (+/! /,;6,%#$%/!
)B#%'/!$,%#%!6#'!')$'!7-+?'?,),('(!(%!7%-$%#%1%-!')!7-+$+1+)+!
;_6$%))'d!
gnutella
get /uri-res
:'/! %M7-%/,+#%/! -%;6)'-%/! 1+#/,;6%#! ';-67'-! %/$'/! (+/!
1'(%#'/! (%! ?@/56%('/! $+$')&%#$%! (,3%-%#1,'('/! %#! 6#'! /+)'!
/+)61,2#!(%!?@/56%('9!^!)'!*%0!7%-&,$%#!'7),1'-!+71,+#%/!(%!
?@/56%('<! 1+&+! 56%! )'! 1'(%#'! 56%! /%! (%/%'! %#1+#$-'-! /2)+!
/,-*%! /,! /%! %#16%#$-'! ')! 1+&,%#0+! (%)! 7'56%$%<! +! ,#1)6/+!
(%3,#,-! 6#! 1'-41$%-! %/7%1B3,1+! +! 6#'! 1'#$,('(! *'-,'?)%! (%!
1'-'1$%-%/!56%! /%!76%(%#!%#1+#$-'-! $-'/!)'!7')'?-'!;_6$%))'<!
1+&+!%)!1'-41$%-!A%M'(%1,&')!iMZS!+!%)!iMZP9!c+#!$+('/!%/$'/!
+71,+#%/<! )'! %M7-%/,2#! -%;6)'-! (%)! 7-+$+1+)+! ;_6$%))'!
56%('-B'!(%!)'!/,;6,%#$%!3+-&'d!
VII Jornadas de Ingeniería Telemática. JITEL 2008
97
!
^(gnutella[\x20\x2f]|get /uri-res)
J#! %/$'! %M7-%/,2#! -%;6)'-! /%! 76%(%#! %#1+#$-'-! (+/!
7'-$%/!(,3%-%#1,'('/9!J)!1'-41$%-!DjE!/,;#,3,1'!56%!7'-'!56%!)'!
%M7-%/,2#!/%!16&7)'<!?'/$'!1+#!56%!/%'!1,%-$'!6#'!/+)'!(%!)'/!
(+/!+71,+#%/!56%!/%!/,$@'#!'!/6!,056,%-('!8!(%-%1A'9!J#!%/$%!
1'/+<!)'/!(+/!+71,+#%/!/+#!)'/!56%!8'!A%&+/!1+&%#$'(+d!
%M7-%/,2#!-%;6)'-<!/2)+!'/6&,%#(+!56%!$+(+/!)+/!7'56%$%/!(%!
6#!&,/&+!3)6=+!7%-$%#%1%#!'!)'!&,/&'!'7),1'1,2#9!
K,! /%! -%1,?%#! 7'56%$%/! (%)! &,/&+! 3)6=+! /%! '1$6'),0'! %)!
$,&%/$'&79! J/$%! $,&%/$'&7! /%! 6$,),0'-4! 7'-'! '7),1'-! 6#!
$%&7+-,0'(+-! 56%! 7%-&,$'! ),?%-'-! )'/! %/$-61$6-'/! (%! 3)6=+/!
56%!#+!A'#!;%#%-'(+!$-43,1+!%#!)+/!@)$,&+/!&,#6$+/9!!
!
gnutella[\x20\x2f]
get /uri-res
J)! 1'-41$%-! DkE! 56%! '7'-%1%! ')! 1+&,%#0+! ,#(,1'! 56%!
$+(+!)+!56%!)%!/,;6%!(%?%!%/$'-!')!1+&,%#0+!(%)!7'56%$%<!7+-!
)+!56%!#+!#+/!/%-*,-4!6#!7'56%$%!56%!$%#;'!6#'!(%!%/$'/!(+/!
1'(%#'/!%#!6#'!7+/,1,2#!(,3%-%#$%9!!
IV. ARQUITECTURA DEL SISTEMA
A. Introducción
:'! '7),1'1,2#! (%/'--+))'('! 7'-'! )'! ,(%#$,3,1'1,2#! (%!
$-43,1+!(%!-%(!'!#,*%)!(%!'7),1'1,2#!&%(,'#$%!%)!6/+!(%!3,-&'/!
/%!A'!(%#+&,#'(+!l%NO9!
J)!7-+;-'&'!$,%#%!(+/!$,7+/!(%!36#1,+#'&,%#$+<!%#!*,*+!
8! 1+#! $-'0'/9! J)! &+(+! (%! 36#1,+#'&,%#$+! %#! *,*+! $+&'! %)!
1+#$-+)! (%! )'! $'-=%$'! (%! -%(<! 1'7$6-'! )+/! 7'56%$%/!56%! ))%;'#!
%#!$,%&7+!-%')!8!)+/!*'!'#'),0'#(+!/%;@#!/%!1'7$6-'#9!J)!+$-+!
&+(+!(%!36#1,+#'&,%#$+!%/!%)!'#4),/,/!(%!$-'0'/!7-%*,'&%#$%!
1'7$6-'('/<! 36#1,+#'),('(! @$,)! 7'-'! /6! %*')6'1,2#! 1+#! 6#!
$-43,1+! 1+#$-+)'(+9! X%(,'#$%! %/$%! &+(+! /%! 76%(%! -%'),0'-!
(,3%-%#$%/! ?@/56%('/! /+?-%! )'/! $-'0'/! /%;@#! )+! 56%! ,#$%-%/%!
%/$6(,'-!%#!1'('!&+&%#$+9!!
B. Identificación de paquetes
"#'! *%0! 56%! /%! A'! ,(%#$,3,1'(+! 6#! 7'56%$%! &%(,'#$%!
6#'!(%!)'/!3,-&'/!(%!)'!?,?),+$%1'!(%!%M7-%/,+#%/!-%;6)'-%/<!)+!
56%! -%'),0'! %)! /,/$%&'! %/! ;6'-('-! 6#! -%;,/$-+! (%! 7'56%$%/!
(%$%1$'(+/9! b%! %/$'! 3+-&'<! 16'#(+! /%! %#16%#$-%#! 7'56%$%/!
56%!#+!A'#!/,(+!,(%#$,3,1'(+/!7+-!#,#;6#'!%M7-%/,2#!-%;6)'-<!
%)!/,/$%&'!%/!1'7'0!(%!1)'/,3,1'-!%/$+/!7'56%$%/!7+-!/,&,),$6(!
1+#! %)! A,/$+-,')! (%! )+/! 7'56%$%/! 56%! /%! A'#! (%$%1$'(+! 7+-!
%M7-%/,2#!-%;6)'-!7-%*,'&%#$%9!J#!%)!%/56%&'!(%!)'!P,;6-'!H!
/%!&6%/$-'!%)!7-+1%/+!56%!/,;6%!1'('!7'56%$%!56%!/%!'#'),0'9!
J)! 7-+1%/'(+! /%! -%'),0'! '! #,*%)! (%! 6/6'-,+! 1+#! )'!
3)%M,?,),('(! 56%! %/+! /67+#%! 7'-'! %)! (%/'--+))+! (%!
'7),1'1,+#%/! '! &%(,('9! ^! (,3%-%#1,'! (%! :YR3,)$%-<! $+(+/! )+/!
7'56%$%/! /%! 1+&7-6%?'#! 1+#$-'! )'/! 3,-&'/! (%! )+/! (,3%-%#$%/!
7-+$+1+)+/!'!,(%#$,3,1'-!8!%#!1'/+!(%!#+!*%-,3,1'-!#,#;6#'!/%!
'16(%! '! 6$,),0'-! %)! A,/$+-,')! (%! 3)6=+/! 56%! /%! %M7),1'-4!
7+/$%-,+-&%#$%9!:'/!%M7-%/,+#%/!-%;6)'-%/!%/$4#!+7$,&,0'('/!
(%! &'#%-'!56%! )'!1'7'1,('(! (%!7-+1%/+! #%1%/'-,+!/%!-%(61%!
1+#! -%/7%1$+! '! )'! (%! :YR3,)$%-! /,#! 7%-(%-! 7+-1%#$'=%/! (%!
,(%#$,3,1'1,2#9!
"#'! *%0! 56%! /%! (%$%1$'! 6#! 7'56%$%! 7+-! %M7-%/,2#!
-%;6)'-<! )+/! 76%-$+/! 8! )'/! ON/! (%! (,1A+! 7'56%$%! C('$+/!
1'-'1$%-B/$,1+/! (%! 1'('! 3)6=+F! 56%('#! ')&'1%#'(+/! %#! 6#'!
%/$-61$6-'! (%! ('$+/! 56%! /%! 1+&%#$'-4! 7+/$%-,+-&%#$%! %#!
(%$'))%9! b,1A+/! 3)6=+/! /%! ')&'1%#'#! '! /6! *%0! =6#$+! ')!
$,&%/$'&7!(%)!7'56%$%!8!%)!,(%#$,3,1'(+-!(%)!7-+$+1+)+!')!56%!
7%-$%#%1%!(,1A+!7'56%$%9!b%!%/$'!3+-&'!/%!76%(%!,(%#$,3,1'-!
%)! -%/$+! (%! 7'56%$%/! (%)! &,/&+! 3)6=+! /,#! 56%! *%-,3,56%#! )'!
!
Figura 1 – Esquema de funcionamiento del bucle principal
C. Historial de flujos
N+-! 6#'! 7'-$%! %/! ,&7+-$'#$%! +7$,&,0'-! )'/! %M7-%/,+#%/!
-%;6)'-%/! 7+-56%! 7%-&,$,-4! -%'),0'-! )'! ,(%#$,3,1'1,2#! &4/!
-47,('&%#$%9!N+-!+$-+!)'(+<!/%!#%1%/,$'!))%*'-!16%#$'!(%!$+(+/!
)+/! 3)6=+/! %/$'?)%1,(+/! %#! 1'('! &+&%#$+! 7'-'! 7+(%-!
,(%#$,3,1'-!$+(+/!)+/!7'56%$%/!(%)!3)6=+!'6#56%!/2)+!7'-$%!(%!
%))+/! A'8'#! *%-,3,1'(+! )'! %M7-%/,2#! -%;6)'-! 1+--%/7+#(,%#$%9!
J/!)+!56%!(%#+&,#'-%&+/!A,/$+-,')!(%!3)6=+/9!
^)!$%#%-!56%!-%*,/'-!$+(+/!)+/!3)6=+/!')&'1%#'(+/!1'('!
*%0! 56%! 56%-%&+/! ,(%#$,3,1'-! 6#! 7'56%$%! #+! -%1+#+1,(+! 7+-!
%M7-%/,2#!-%;6)'-<!)'!%/$-61$6-'!56%!')&'1%#'!)+/!3)6=+/!(%?%!
%/$'-!7%#/'('!7'-'!A'1%-!?@/56%('/!%3,1,%#$%/9!
J)! $,%&7+! (%! 7%-&'#%#1,'! (%! )+/! 3)6=+/! C&+(,3,1'?)%!
7+-!%)!6/6'-,+F!7%-&,$%!%),&,#'-!$+(+/!'56%))+/!3)6=+/!56%!#+!
A'#!16-/'(+!$-43,1+!%#!1,%-$+!$,%&7+<!('#(+!1+#!%))+!%)!3)6=+!
7+-! 1%--'(+! 8! %*,$'#(+! 56%! )'! %/$-61$6-'! (%! ('$+/! 1-%01'!
,#(%3,#,('&%#$%9!J)!&+(+!(%!36#1,+#'&,%#$+!%/!&68!/,&7)%<!
?'/$'!$'#!/2)+!1+#!1+&7'-'-!%)!$,%&7+!56%!))%*'!%)!3)6=+!%#!)'!
%/$-61$6-'! 1+#! %)! $,%&7+! (%! 7%-&'#%#1,'! (%3,#,(+! 7+-! %)!
6/6'-,+9!K,!/%!*%#!#6%*+/!7'56%$%/!(%!6#!3)6=+!/%!'1$6'),0'-4!
%)! $,&%/$'&7! %#! )'! %/$-61$6-'! 8! 1+#! %))+! /%! %M$%#(%-4! %)!
$,%&7+!(%!*,('!(%)!3)6=+9!!
:'! %/$-61$6-'! 1-%'('! %/! 6#'! *'-,'#$%! (%! $'?)'! (%! A'/A9!
:'!%/$-61$6-'!(,/7+#%!(%!6#!#@&%-+!*'-,'?)%!C(%3,#,(+!7+-!%)!
6/6'-,+F! (%! 7+/,1,+#%/! (%! A'/A! /+?-%! 6#! *%1$+-! ,#(%M'(+<! 8!
%#! 1'('! 7+/,1,2#! A'8! 6#'! ),/$'! /+?-%! )'! 16')! /%! *'!
(,/$-,?68%#(+!)'!,#3+-&'1,2#!(%!)+/!3)6=+/!56%!1+),/,+#'#!%#!
%/%! &,/&+! A'/A9! N'-'! /'?%-! /+?-%! 56.! ),/$'! /%! (%?%!
')&'1%#'-!1,%-$+!3)6=+!'7),1'&+/!6#!A'/A!/+?-%!)+/!76%-$+/!8!
)'!7'-$%!&4/!*'-,'?)%!(%!)'/!(,-%11,+#%/!ON/!1+&+!&+/$-'&+/!
'!1+#$,#6'1,2#d!
98
VII Jornadas de Ingeniería Telemática. JITEL 2008
!
Hash=(Puerto origen + Puerto destino + Byte 3 IP origen * 256 +
Byte 4 IP origen + Byte 3 IP destino * 256 + Byte 4 IP destino)
Mod (Numero de listas)
Tiempo de programa dedicado al procesado de las listas
Tiempo de programa dedicado al procesado de los paquetes
µsegundos
3000
2500
2000
2500
Conexiones
c6'#$+!&%=+-!(,/$-,?6,(+/!%/$.#!)+/!3)6=+/!'!)+!)'-;+!(%!
$+('/!)'/!),/$'/<!&%=+-!/%-4!)'!%3,1,%#1,'!(%)!7-+;-'&'!7+-56%!
)'/! ),/$'/! /%-4#! &4/! 1+-$'/! 8! )'! ?@/56%('! %#! 1'('! ),/$'! %/!
/%16%#1,')<! 1+#! )+! 56%! %)! $,%&7+! (%! ?@/56%('! 1-%1%! 1+#! %)!
$'&'`+! (%! )'/! ),/$'/9! J#! )'! P,;6-'! Z! 7+(%&+/! *%-! )'!
(,/$-,?61,2#! (%! Z9SSS! 1+#%M,+#%/! (,/$-,?6,('/! '! )+! )'-;+! (%!
VS! ),/$'/! 1+#! 6#! A'/A! 56%! /2)+! $,%#%! %#! 16%#$'! )+/! 76%-$+/<!
&,%#$-'/! 56%! %#! )'! P,;6-'! U! 7+(%&+/! *%-! )'! (,/$-,?61,2#! (%!
)'/! &,/&'/! 1+#%M,+#%/! %&7)%'#(+! %)! A'/A! 56%! A%&+/!
7-+76%/$+9!J/$+/!-%/6)$'(+/!/%!A'#!+?$%#,(+!%#!')-%(%(+-!(%!
HV! &,#6$+/! (%! 6#'! 1'7$6-'! %#! *,*+! (%! *'-,+/! 7-+$+1+)+/!
16'#(+!/%!%/$'?'#!%=%16$'#(+!'7),1'1,+#%/!(%!)+/!7-+$+1+)+/!
%X6)%! 8! m,$>+--%#$9! J#! )'! 7-,&%-'! A'8! (+/! ),/$'/!
1+#/,(%-'?)%&%#$%! &4/! )'-;'/! 56%! )'/! (%&4/! )+! 56%! /67+#%!
&'8+-! $,%&7+! (%! ?@/56%('! &%(,+<! &,%#$-'/! 56%! %#! )'!
/%;6#('! )'! (,/$-,?61,2#! (%! 3)6=+/! 7+-! ),/$'! %/! 6#,3+-&%! 8! (%!
%/$'! 3+-&'! -%(61,&+/!')! &B#,&+!%)!$,%&7+! %&7)%'(+! 7+-!%)!
7-+1%/+!(%!?@/56%('9!
)'/!f!3'/%/!(%)!%/56%&'!%#!56%!/%!A'!(,*,(,(+!%)!&,/&+9!:+/!
-%/6)$'(+/!/%!+?$,%#%#!(%!)'!%=%161,2#!(%)!7-+;-'&'!/+?-%!)'/!
$-'0'/!')&'1%#'('/!(%!$-43,1+!%b+#a%8<!56%!/%!(%$'))'-4#!%#!
)'!/%11,2#!/,;6,%#$%9!
:'! P,;6-'! \! &6%/$-'! )+/! -%/6)$'(+/! +?$%#,(+/! (%! (,1A'!
%=%161,2#! 7'-'! %)! 1'/+! (%! 6#'! /+)'! ),/$'! C/,#! $'?)'! (%! A'/AF!
/+?-%!)'!1'7$6-'!(%!$-43,1+!(%!HV!&,#6$+/!'#$%-,+-9!c'('!?'--'!
*%-$,1')! %/! 6#! 7'56%$%! (,3%-%#$%! 8! $'#! /2)+! /%! A'! ;-'3,1'(+!
6#+!(%!1'('!&,)!7'-'!6#'!1+--%1$'!*,/6'),0'1,2#9!!
c+&+!/%!76%(%!*%-!%#!)'!;-43,1'<!)+/!7-,&%-+/!7'56%$%/!
C)+/! (%! )'! ,056,%-('F! 1+#/6&%#! &68! 7+1+! $,%&7+! (%!
7-+1%/'(+! $+$')9! J#! #%;-+! '7'-%1%! %)! $,%&7+! %&7)%'(+! %#!
'7),1'-! )'/! %M7-%/,+#%/! -%;6)'-%/! 8! %#! ;-,/! %)! $,%&7+! (%!
7-+1%/'(+! -%)'1,+#'(+! 1+#! )'! ?@/56%('! %#! %)! A,/$+-,')! 7'-'!
'56%))+/!7'56%$%/!56%!)+!#%1%/,$'-'#9!K,#!%&?'-;+<!1+#3+-&%!
/%!'*'#0'!%#!)'!%=%161,2#!8!)'!),/$'!/%!*'!))%#'#(+!(%!%#$-'('/!
1+--%/7+#(,%#$%/!'!#6%*+/!3)6=+/<!)'/!3'/%/!56%!(%7%#(%#!(%)!
$'&'`+!(%!)'/!),/$'/!/%! *'#!A'1,%#(+! &4/!#+$+-,'/9!['1,'! %)!
3,#')!(%!)'!%=%161,2#<!%)!$,%&7+!(%(,1'(+!'!7-+1%/'-!)'/!),/$'/!
))%;'!'!/%-!(%!&4/!(%!(+/!&,),/%;6#(+/!7+-!7'56%$%9!!
1500
2000
1000
500
1
4
7
10
13
16
19
22
25
28
31
34
37
40
43
46 49
Listas
!
1000
00
00
00
96
00
10 0
80
0
12 0
00
0
13 0
20
0
14 0
40
0
15 0
60
0
16 0
80
0
18 0
00
0
19 0
20
0
20 0
40
0
21 0
60
0
22 0
80
0
24 0
00
0
25 0
20
0
26 0
40
0
27 0
60
0
28 0
80
0
30 0
00
0
31 0
20
0
32 0
40
0
33 0
60
00
84
0
72
0
60
0
00
00
00
48
0
36
0
24
0
0
12
0
00
0
500
500
450
400
350
300
250
200
150
100
50
0
Número de paquete
Figura 4 – Tiempo de programa por paquete para una lista
200
180
160
140
120
100
80
60
40
20
00
96
00
10 0
80
0
12 0
00
0
13 0
20
0
14 0
40
0
15 0
60
0
16 0
80
0
18 0
00
0
19 0
20
0
20 0
40
0
21 0
60
0
22 0
80
0
24 0
00
0
25 0
20
0
26 0
40
0
27 0
60
0
28 0
80
0
30 0
00
0
31 0
20
0
32 0
40
0
33 0
60
00
84
0
00
00
72
0
60
0
00
00
00
48
0
36
0
24
0
!
:'! (%3,#,1,2#! (%! 6#! ?6%#! A'/A! '86('! '! (,/$-,?6,-!
1+--%1$'&%#$%! )+/! 3)6=+/! (%$%1$'(+/! %#$-%! $+('/! )'/! ),/$'/!
(,/7+#,?)%/9! K,! /%! 1+#/,;6%! &'#$%#%-! )'/! ),/$'/! (,/7+#,?)%/!
1+#! 6#! #@&%-+! -%(61,(+! (%! %#$-'('/! 1+#/%;6,-%&+/! 56%! %)!
$,%&7+! 56%! (%(,1'! %)! 7-+;-'&'! '! 7-+1%/'-! )'/! ),/$'/! C?6/1'-!
3)6=+/<! ?+--'-! 3)6=+/! 1'(61'(+/! +! '1$6'),0'-! $,&%/$'&7/F! /%!
-%(601'9! b%! %/$'! 3+-&'! (,/&,#6,-%&+/! )+/! $,%&7+/! (%!
7-+1%/'(+! (%! 1'('! 7'56%$%9! ^)! %)%*'-! %)! #@&%-+! (%! ),/$'/!
+?$%#(-B'&+/! &%=+-%/! -%/6)$'(+/! A'/$'! %)! 1'/+! 27$,&+! %#! %)!
56%! )'/! ),/$'/! 36%-'#! (%! 6#! %)%&%#$+9! K,#! %&?'-;+<! %/$+!
/67+#%!6#!1+#/6&+!(%!-%16-/+/!(%!&%&+-,'!&68!,&7+-$'#$%!
56%!)'/!),/$'/!(,#4&,1'/!/+)*%#$'#9!
N'-'! -%'),0'-! %)! %/$6(,+! (%)! $,%&7+! (%! %=%161,2#! (%)!
7-+;-'&'! 7+-! 7'56%$%/! 56%! &+/$-'&+/! %#! )'/! /,;6,%#$%/!
3,;6-'/<! /%! A'#! 1+)+1'(+! 6#+/! &'-1'(+-%/! (%! $,%&7+! 1+#!
7-%1,/,2#!(%!!/;!%#!%)!,#$%-,+-!(%)!7-+;-'&'<!%#!1'('!6#'!(%!
Tiempo de programa dedicado al procesado de las listas
Tiempo de programa dedicado al procesado de los paquetes
µsegundos
0
!
Figura 3 – Distribución sobre un hash bien definido
!
0
5 7 9 11 13 15 17 19 21 23 25 27 29 31 33 35 37 39 41 43 45 47 49
Listas
00
1 3
12
0
Conexiones
Figura 2 – Distribución sobre un hash mal definido
1500
0
Número de paquete
Figura 5 – Tiempo de programa por paquete para 10.000 listas
!
VII Jornadas de Ingeniería Telemática. JITEL 2008
99
!
:'! P,;6-'! V! &6%/$-'! )+/! -%/6)$'(+/! +?$%#,(+/! 7'-'! %)!
1'/+! (%! $%#%-! %)! A'/A! 1+#! HS9SSS! ),/$'/! /+?-%! )'! 1'7$6-'! (%!
$-43,1+! (%! HV! &,#6$+/! '#$%-,+-9! c'('! ?'--'! *%-$,1')! ')! ,;6')!
56%! %#! %)! 1'/+! '#$%-,+-! %/! 6#! 7'56%$%! (,3%-%#$%<! 8!
1+--%/7+#(%!')!7-,&%-+!(%!1'('!&,)!7'56%$%/9!!
J#! %/$%!1'/+!)+/!-%/6)$'(+/!/+#! &61A+! &%=+-%/9! c+&+!
7+(%&+/! *%-!%#! )'! P,;6-'!V<! )+/!-%/6)$'(+/! (%!1'('! 7'56%$%!
/%! &'#$,%#%#! ,#(%7%#(,%#$%/! 6#+/! (%! +$-+/! 8! )+/! 7-,&%-+/!
7'56%$%/! $'-('#! 7-41$,1'&%#$%! )+! &,/&+! %#! /%-! 7-+1%/'(+/!
56%!)+/!@)$,&+/9!>'&?,.#!/%!+?/%-*'!56%!$+(+/!)+/!7'56%$%/!
%/$4#!7+-!(%?'=+!(%!)+/!ZSS!!/;<!8!56%!)+/!56%!/+?-%7'/'#!)+/!
QS! !/;! /%! 1+&7-6%?'! 56%! %/! 7+-56%! /+#! 7'56%$%/! &68!
;-'#(%/! CH9VSS! ?8$%/F<! )+! 56%! /67+#%! &'8+-! $,%&7+! (%!
?@/56%('!%#!)'!%M7-%/,2#!-%;6)'-9!^(%&4/<!'A+-'!)'!3'/%!56%!
&4/! $,%&7+! )%! ))%*'! %/! 7-+1%/'-! )+/! 7'56%$%/! 1+#! %M7-%/,2#!
-%;6)'-!3-%#$%!')!7-+1%/'(+!-%)'1,+#'(+!1+#!)'/!),/$'/9!!
D. Comparativa de versiones Windows-Linux
J)! 7-+;-'&'! l%NO! A'! /,(+! (%/'--+))'(+! 7'-'! '&?'/!
7)'$'3+-&'/! n,#(+L/! 8! :,#6M9! ^&?'/! *%-/,+#%/! A'#! /,(+!
(%/'--+))'('/! %#! )%#;6'=%! coo! 8! 1+&7'-$%#! ;-'#! 7'-$%! (%!
12(,;+! 1+&@#9! :'! (,3%-%#1,'! 36#('&%#$')! %#$-%! '&?'/!
7)'$'3+-&'/! %/! )'! 6$,),0'1,2#! (%! (,3%-%#$%/! ),?-%-B'/! 7'-'! )'!
1'7$6-'!(%!7'56%$%/!Cn,#71'7!GHZI!h:,?71'7!GHUI!F!8!7'-'!)'!
%*')6'1,2#!(%!%M7-%/,+#%/!-%;6)'-%/!Cg-%$'!GH\I!hm++/$!GHVI!F!
1+&+!'7'-%1%!%#!)'!>'?)'!H9!!
K,!?,%#!%#!16'#$+!'!)'/!),?-%-B'/!(%!1'7$6-'!'7%#'/!A'8!
(,3%-%#1,'/<!%#!)'/!),?-%-B'/!(%!%M7-%/,+#%/!-%;6)'-%/!%M,/$%#!
(,3%-%#1,'/! 8! -%/6)$'#! (%! ,&7+-$'#1,'! (%?,(+! ')! ')$+! 1+/$%!
1+&76$'1,+#')! 56%! /67+#%! )'! '7),1'1,2#! (%! %M7-%/,+#%/!
-%;6)'-%/9!J#!!GHHI!7+(%&+/!%#1+#$-'-!6#'!1+&7'-'$,*'!%#$-%!
'&?'/! ),?-%-B'/! g-%$'! 8! m++/$! 56%! /%! -%/6&%! %#! )+/!
-%/6)$'(+/! (%! )'! P,;6-'! Q! '7),1'#(+! (,3%-%#$%/! %M7-%/,+#%/!
-%;6)'-%/! /+?-%! $%M$+/! %M$%#/+/9! J#! )'! &'8+-! 7'-$%! (%! )+/!
1'/+/! m++/$! -%(61%! )+/! $,%&7+/! (%! &'#%-'! /,;#,3,1'$,*'9! J#!
%3%1$+<! )'! *%-/,2#! :,#6M! (%)! 7-+;-'&'! 1+#/,;6%! $,%&7+/! (%!
7-+1%/'(+! /%#/,?)%&%#$%! ,#3%-,+-%/! '! )+/! (%! )'! *%-/,2#!
n,#(+L/<! @#,1'&%#$%! (%?,(+! '! )'/! 7%16),'-,('(%/! (%! 1'('!
),?-%-B'!(%!%*')6'1,2#!(%!%M7-%/,+#%/!-%;6)'-%/9!
!
Windows 2000 Profesional
5.00.2195 SP4
Linux Fedora Core 4
2.6.11
n,#N1'7!\9S9H!
:,?N1'7!S9T9f!
gWJ>^!Z9Q9\!
m]]K>!W%;%M!H9U\9H!
Milisegundos
BOOST
'!"!
&"!
%"!
$"!
#"!
!"!
Expresión 2
Expresión 3
Expresión 4
Expresión 5
Expresión 6
Figura 6 – Comparativa Boost-Greta para un texto extenso
!
Campo
Explicación
Type:
J/$%!1'&7+!(%3,#%!12&+!'7),1'-!)'!%M7-%/,2#!-%;6)'-d S!
/+?-%!('$+/!(%!$-'#/7+-$%!C)'!A'?,$6')F<!Z!/+?-%!('$+/!7+-!
%#1,&'!(%!%#)'1%!
Name:!
_+&?-%!(%!)'!'7),1'1,2#!+!%)!7-+$+1+)+9!
Number:!
O(%#$,3,1'(+-!(%!7-+$+1+)+9!"#!&,/&+!7-+$+1+)+!
76%(%!$%#%-!*'-,'/!%M7-%/,+#%/!-%;6)'-%/!56%!/%!
$+&'-4#!1+&+!7%-$%#%1,%#$%/!')!&,/&+!7-+$+1+)+!/,!
1+&7'-$%#!%/$%!#@&%-+9!
TCP
UDP
NOIP!
K+?-%!56.!$,7+!(%!7'56%$%/!/%!'7),1'!J#!%)!1'/+!(%!
56%!)'!%M7-%/,2#!/%'!(%!$,7+!Z<!%/$%!1'&7+!$+&'-4!%)!
*')+-!_]ON9!
Activated
Disactivated!
N'-'!$%#%-!+!#+!%#!16%#$'!%)!3,1A%-+!%#!%)!/,;6,%#$%!
7-+1%/'(+9!
Expression:!
JM7-%/,2#!-%;6)'-!'!?6/1'-9!
Tabla 2 – Estructura de los archivos de protocolo
!
Type:0
Name: bitTorrent TCP
Number:7
TCP
Activated
Expression:^\x13bittorrent protocol
V.
!
Expresión 1
:'! 1'-;'! (%! 3,-&'/! '/+1,'('/! '! '7),1'1,+#%/! /%! -%'),0'!
(%!&'#%-'!(,#4&,1'!%#!%)!7-+;-'&'9!N'-'!%))+!/%!(%3,#%#!)+!
56%! A%&+/! *%#,(+! '! ))'&'-! '-1A,*+/! (%! 7-+$+1+)+! 7+-! 1'('!
'7),1'1,2#! 56%! /%! 56,%-'! /+7+-$'-9! K%! $-'$'! (%! #+! $%#%-! 56%!
&+(,3,1'-! %)! 12(,;+! 36%#$%! (%)! 7-+;-'&'! 7'-'! /+7+-$'-!
#6%*'/!'7),1'1,+#%/!/,#+!56%!/%'!$'#!/%#1,))+!1+&+!1-%'-!6#!
'-1A,*+!(%!$%M$+!1+#!)'/!%/7%1,3,1'1,+#%/!(%!)'!'7),1'1,2#9!!
:+/! '-1A,*+/! (%! 7-+$+1+)+! 1+#$,%#%#! )+/! 1'&7+/!
&+/$-'(+/! %#! )'! >'?)'! Z<! 8! /%-4! #%1%/'-,+! 1-%'-! 6#! '-1A,*+!
1+#! %/%! 3+-&'$+! 7+-! 1'('! '7),1'1,2#! 56%! /%! (%/%%! /+7+-$'-9!
J#! )'! P,;6-'! Y! /%! &6%/$-'! 6#! %=%&7)+! (%)! '-1A,*+! (%!
7-+$+1+)+!7'-'!m,$>+--%#$9!
!
Figura 7– Ejemplo del archivo de protocolo BitTorrent para TCP
Tabla 1 – Librerías empleadas en cada versión del programa
GRETA
E. Definición de firmas extensible
!
TRAZAS DE TRÁFICO Y PROTOCOLOS SOPORTADOS
N'-'!-%'),0'-!6#!%/$6(,+!%#!7-+36#(,('(!(%!)'!1'),('(!%#!
)'! (%$%11,2#! (%! )+/! 7-+$+1+)+/<! %#! )+! 56%! -%/7%1$'! '!
7+-1%#$'=%!(%!,(%#$,3,1'1,2#!8!#+!,(%#$,3,1'1,2#<!8!(%#$-+!(%!
)'!,(%#$,3,1'1,2#!1+--%1$'!+!,#1+--%1$'<!'(%&4/!(%!)+/!$,%&7+/!
(%! 7-+1%/'(+! #%1%/'-,+/<! /%! A'1%! #%1%/'-,+! (,/7+#%-! (%!
$-'0'/! (%! $-43,1+! -%')9! ^(%&4/! %/! ,&7-%/1,#(,?)%! 1+#+1%-! '!
7-,+-,! )'/! '7),1'1,+#%/! %#! %/%! $-43,1+! -%')! 7+-! )+! 56%! #+! #+/!
/,-*%!6#'!1+)%11,2#!(%!$-'0'/!(%!$-43,1+!16')56,%-'9!
N'-'!%/$%!$-'?'=+!A%&+/!1'7$6-'(+!$-'0'/!(%!$-43,1+!-%')!
(%! *'-,+/! 1),%#$%/! 7'-'! 1'('! 7-+$+1+)+! %=%16$'#(+! 1'('! 6#'!
(%! )'/! '7),1'1,+#%/! /+7+-$'('/<! (%! &'#%-'! 56%! &%(,'#$%! )+/!
3,)$-+/! (%! $-43,1+! /%16#('-,+! 56%! 76%('#! ;%#%-'-! )'/!
&456,#'/<! 7+('&+/! %/$'-! /%;6-+/! (%! 1'7$6-'-! %#! 1'('! $-'0'!
100
VII Jornadas de Ingeniería Telemática. JITEL 2008
!
@#,1'&%#$%! $-43,1+! (%! 6#'! (%$%-&,#'('! '7),1'1,2#9! :+!
,&7+-$'#$%! A'! /,(+! +?$%#%-! $-'0'/! 1+#! $-43,1+! %/7%1B3,1+! 7+-!
7-+$+1+)+!8!#+!$'#$+!)'!1'#$,('(!(%!6/6'-,+/!+!$-43,1+!56%!#+!
,&7),1'-4! &4/! 56%! 6#! 1-%1,&,%#$+! ),#%')! %#! %)! $,%&7+! (%!
7-+1%/'(+! 1+#! %)! #@&%-+! (%! 7'56%$%/9! J#! )'! >'?)'! U! /%!
7-%/%#$'#!)'/!$-'0'/!6$,),0'('/!%#!%)!$-'?'=+9!J#!%))'!/%!76%(%!
+?/%-*'-! 56%! 7'-'! *'-,+/! 7-+$+1+)+/! /%! A'#! 6$,),0'(+!
(,3%-%#$%/! 1),%#$%/! 1+#! %)! +?=%$,*+! (%! $%#%-! %#! 16%#$'! )'/!
7%16),'-,('(%/! (%! ,&7)%&%#$'1,2#! (%)! 7-+$+1+)+! 7+-! 1'('!
1),%#$%9!!
c+&+!)'!7-,+-,('(!%#!)'!(%$%11,2#!(%!7-+$+1+)+/!%-'!)'!
(%$%11,2#!(%!)'!&'8+-B'!(%!)+/!1),%#$%/!NZN!&4/!%&7)%'(+/<!
%)! %/$6(,+! /%! A'! 1%#$-'(+! %#! (,1A+/! 7-+$+1+)+/9! N+-! %))+<! '!
7%/'-!(%!(%$%1$'-!#'('!&4/!56%!Q!7-+$+1+)+/!NZN!/%!%/!1'7'0!
(%!1+#$-+)'-!A'/$'!%)!TVp!(%)!$-43,1+!(%!-%(!;%#%-'(+!7+-!%/$%!
$,7+!(%!'7),1'1,+#%/!NZN9!
!
Protocolo
Cliente
HTTP
P,-%3+M!
JM7)+-%-!
]$-+/!
FTP
DNS
eDonkey!
gNutella!
FastTrack!
bitTorrent!
Ares!
Otros!
%b+#a%8!
%X6)%!
m%'-3),M!
:,&%L,-%!
KA'-%'0'!
m%'-/A'-%!
q'0''!
^06-%6/!
?,$>+--%#$!
?,$c+&%$!
?,$>+-#'(+!
!>+--%#$!
^-%/!
n,#Xl!
,X%/A!
Número
capturas
Tamaño
capturas
H!
H!
HT!
HS!
U!
f!
Q!
H!
\!
Z!
H!
U!
Z!
U!
H!
H!
H!
\!
Z!
H!
ZU9YVZ!am!
ZZ9QV\!am!
f9Y\\!am!
Z\V9VYT!am!
H9fV\!am!
UY9HYH!am!
V\9TYZ!am!
\Z9fTU!am!
\\9HTV!am!
HZ9VYH!am!
Z9T\Y!am!
ZS9\ZY!am!
ZU9\YU!am!
HY9SfU!am!
T9ZHT!am!
Y9HfQ!am!
\9TU\!am!
VZ9VHY!am!
Q9HH\!am!
Z9U\Z!am!
Tabla 3 – Trazas de paquetes empleadas
!
c+&+!/%!A'!1+&%#$'(+<!/%!76%(%!%#1+#$-'-!(,*%-/,('(!
(%! 1),%#$%/! 56%! /+7+-$'#! %)! &,/&+! 7-+$+1+)+! %/7%1,')&%#$%!
%#!%)!1'/+!(%!'7),1'1,+#%/!NZN9!J#!)'!>'?)'!\!/%!&6%/$-'#!)'/!
'7),1'1,+#%/! 56%! /%! 76%(%#! %#1+#$-'-! 7'-'! )+/! 7-+$+1+)+/!
/+7+-$'(+/!7+-!#6%/$-+!/,/$%&'!1+#!)'/!%M7-%/,+#%/!-%;6)'-%/!
(%/'--+))'('/9! c+&+! /%! A'! 1+&%#$'(+<! %/$%! 1+#=6#$+! (%!
'7),1'1,+#%/! /+7+-$'('/! %/! 341,)&%#$%! '&7),'?)%! (%3,#,%#(+!
%)!'-1A,*+!(%!7-+$+1+)+!7'-'!)'/!'7),1'1,+#%/!56%!/%!56,%-'#!
'`'(,-9!
VI. MEJORAS EN LAS EXPRESIONES REGULARES
b6-'#$%! %)! $-'?'=+! /%! A'! (%(,1'(+! %/7%1,')! ,#$%-./! '! )'!
+7$,&,0'1,2#!(%!)'/!%M7-%/,+#%/!-%;6)'-%/!-%/7+#/'?)%/!(%!)'!
%3%1$,*,('(! (%! )'! ,(%#$,3,1'1,2#9! J#! ');6#+/! 1'/+/! /%! A'!
7'-$,(+! (%! )'/! %M7-%/,+#%/! :YR3,)$%-! GTI! 8! %#! +$-+/! /%! A'#!
&%=+-'(+!+!(,-%1$'&%#$%!1-%'(+!'!7'-$,-!(%!)'!(+16&%#$'1,2#!
(%! )+/! 7-+$+1+)+/! 8! (%! $-'0'/! (%! $-43,1+! -%')! +?/%-*'(+! 7'-'!
)'/! '7),1'1,+#%/9! K%! A'! 1+#/%;6,(+! &%=+-'-! )+/! 7+-1%#$'=%/!
(%! ,(%#$,3,1'1,2#! /,#! 56%! 7+-! %))+! '6&%#$%! )'! $'/'! (%! 3')/+/!
7+/,$,*+/<!%/!(%1,-<!'56%))+/!7'56%$%/!56%!/%!,(%#$,3,1'#!7'-'!
6#'!'7),1'1,2#!16'#(+!%#!-%'),('(!7%-$%#%1%#!'!+$-'9!
!
Area
Protocolo
Clientes
RFCs
[>>N!
b_K!
P>N!
P,-%3+M<!JM7)+-%-<!]7%-'<!_%$/1'7%999!
%b+#a%8!
m,$>+--%#$!
P2P!
;_6$%))'!
_'7/$%-!
^-%/!
P'/$$-'1a!
Otros
c),%#$%/!P>N!
%b+#a%8ZSSS<!%X6)%<!:X6)%<!:7A'#$<!
KA'-%'0'<!MX6)%<!,X%/Ar!
^))N%%-/<!^mc<!^06-%6/<!m,$c+&%$<!!
m,$>+-#'(+<!m,$>+--%#$<!:7A'#$<!!
KA'-%'0'<!>-,?)%-<!s>+--%#$r!
m%'-KA'-%<!g#61)%6/<!g-+a/$%-<!qc%'/8<!
:,&%n,-%<!X+-7A%6/r!
_'7,;'$+-<!]7%#_'7<!n,#Xlr!
^-%/!g')'M8<!P,)%c-+1<!qc%'/8r!
;,P><!g-+a/$%-<!,X%/A<!q'0''<!qc%'/8<!
X'&&+$A<!&)X'1r!
b[cN*Q!
c,/1+!
KXm!
_m_K!
K7'##,#;!>-%%!
KKbN!
WNc!
Tabla 4 – Protocolos soportados por XePI
!
J#! )'! >'?)'! V! /%! 7-%/%#$'#! )'/! %M7-%/,+#%/! -%;6)'-%/!
3,#')%/! '/+1,'('/! '! 1'('! 7-+$+1+)+! 8! 56%! A'#! ('(+! )+/!
&%=+-%/!-%/6)$'(+/9!J#!%)!/,;6,%#$%!'7'-$'(+!/%!7-%/%#$'-4#!%)!
'#4),/,/!1+&7'-'$,*+!1+#!:YR3,)$%-9!
VII. EVALUACIÓN DE LA IDENTIFICACIÓN
>-'/!7-%/%#$'-!)+/!7-+$+1+)+/!56%!%)!/,/$%&'!%/!1'7'0!(%!
(%$%1$'-<!56%('!1+&7-+?'-!%)!1+--%1$+!36#1,+#'&,%#$+!(%!%/'!
,(%#$,3,1'1,2#9!:'!@#,1'!36%#$%!7+/,?)%!(%!1+&7'-'1,2#!%/!%)!
7-+8%1$+!:YR3,)$%-<!7+-!)+!56%!/%!A'!-%'),0'(+!6#!%/$6(,+!(%)!
36#1,+#'&,%#$+!(%!f!%M7-%/,+#%/!-%;6)'-%/!-%/7%1$+!'!)'/!56%!
/%!76%(%#!%#1+#$-'-!%#!%)!7-+8%1$+!:YR3,)$%-9!!
J#! )'! P,;6-'! f! /%! 7-%/%#$'! 6#'! ;-43,1'! 56%! &6%/$-'! %)!
7+-1%#$'=%! (%! ,(%#$,3,1'1,2#! (%! )'/! %M7-%/,+#%/! -%;6)'-%/! (%!
l%NO! 8! (%! )'/! (%! :YR3,)$%-! '7),1'('/! 7'56%$%! '! 7'56%$%! /,#!
'7),1'-! %)! A,/$+-,')! (%! 3)6=+/9! J#! (,1A'! ;-43,1'! /%! 76%(%! *%-!
1+&+!)'/!%M7-%/,+#%/!(%!l%NO!(%$%1$'#!6#'!1'#$,('(!/,&,)'-!
8!&61A'/!*%1%/!/67%-,+-!'!)'!56%!(%$%1$'#!)'/!%M7-%/,+#%/!(%!
:YR3,)$%-9! J#! ');6#+/! 1'/+/! %/'! &%=+-'! %/! /,;#,3,1'$,*'! 1+#!
-%/7%1$+!'!:YR3,)$%-<!1+&+!%#!%)!1'/+!(%!^-%/!+!;_6$%))'9!!
K,#!%&?'-;+<!1+&+!8'!/%!A'!1+&%#$'(+<!l%NO!$,%#%!6#'!
/%;6#('!+7+-$6#,('(!(%!(%$%11,2#!(%!)+/!7'56%$%/!?'/'('!%#!
%)!A,/$+-,')!(%!3)6=+/9!K,! 6#! 7'56%$%! #+! *%-,3,1'!)'!%M7-%/,2#!
-%;6)'-!8!A'!A'?,(+!+$-+/!7'56%$%/!(%!%/%!&,/&+!3)6=+!56%!/B!
A'#! /,(+! ,(%#$,3,1'(+/<! /%! /67+#%! )'! &,/&'! '7),1'1,2#! 7'-'!
$+(+/!)+/!7'56%$%/!(%)!3)6=+<!/,%&7-%!56%!))%;6%#!(%#$-+!(%)!
$,%&7+! (%! 7%-&'#%#1,'! (%)! @)$,&+! 7'56%$%! (%)! 3)6=+!
(%$%1$'(+!(,-%1$'&%#$%!7+-!)'!%M7-%/,2#!-%;6)'-9!J/$'!&%=+-'!
#+! )'! 7+/%%! :YR3,)$%-! 56%! @#,1'&%#$%! /%! ?'/'! %#! '7),1'-!
%M7-%/,+#%/! -%;6)'-%/! 7'56%$%! '! 7'56%$%9! K,! ,#1)6,&+/! %/$'!
VII Jornadas de Ingeniería Telemática. JITEL 2008
101
!
36#1,+#'),('(<! )+/! 7'56%$%/! 56%! (%$%1$'! l%NO! /+#! &4/! 56%!
)+/!56%!(%$%1$'!:Y<!1+&+!/%!76%(%!1+&7-+?'-!%#!)'!P,;6-'!T9!
!
!
100
XEPI
%
L7
90
NBNS
"bN!
DNS
"bN!
eDonkey
>cN!
"bN!
>cN!
gNutella
"bN!
bitTorrent
SSDP
>cN!
"bN!
"bN!
>cN!
FTP
ARP!
Spanning Tree
CISCO LOOP
CISCO CDP
DHCPv6
Tabla 5 – Expresiones regulares desarrolladas
!
J#!%)!1'/+!(%!b_K<!)'!&%=+-'!!#+!%/!$')!(%?,(+!'!56%!%#!
)'/! 1+#/6)$'/! (%! b_K! /%! ,#$%-1'&?,'#! Z! 7'56%$%/!
A'?,$6')&%#$%! C)'! *%-/,2#! "bNF! 8! 7+-! $'#$+! %)! A,/$+-,')! (%!
3)6=+/!#+!'7+-$'!6#'!&%=+-B'!/,;#,3,1'$,*'9!J#!%)!1'/+!(%!P>N!
/%!%/$4#!1+#/,(%-'#(+!@#,1'&%#$%!)'/!1+#%M,+#%/!(%!1+#$-+)!
8! #+! )'/! (%! ('$+/9! J)! /,/$%&'! /%! 7+(-B'! %M$%#(%-! 7'-'!
-%1+#+1%-! ! )'/! 1+#%M,+#%/! (%! ('$+/! '/+1,'('/! '! 6#'! (%!
1+#$-+)<!7%-+!%#!%/$%!1'/+!/%-B'!/63,1,%#$%!1+#!,(%#$,3,1'-!)'/!
1+#%M,+#%/! /%;@#! )'/! (,-%11,+#%/! ON! 8! 76%-$+/<! 7+-56%! )+/!
76%-$+/!(%!)'!1+#%M,2#!(%!('$+/!/%!#+$,3,1'#!%M7-%/'&%#$%!%#!
)'! 1+#%M,2#! (%! 1+#$-+)9! _+! /%-B'! #%1%/'-,+! 6#! '#4),/,/! (%!
3,-&'/!1+&+!$')9!
!
eDonkey
fastTrack
gNutella
FTP
!
100
XEPI
%
L7
90
80
70
60
50
40
30
20
10
0
eDonkey
>cN!
!
Figura 8 – Comparativa XePI-L7 de los paquetes detectados por
las expresiones regulares de los principales protocolos
fastTrack
FastTrack
0
gNutella
"bN!
10
FTP
>cN!
RPC
20
DNS
>cN!
Napster
30
DNS
"bN!
40
BitTorrent
Ares
50
BitTorrent
>cN!
"bN!
>cN!
60
Ares
SMB
70
Ares
>cN!
kGiMZSRiMY%ItA$$7hCGSHIi9GSRTIFGiMSTRiMS(RuI!
tC1+##%1$,+#dj1+#$%#$R$87%dj1+#$%#$R)%#;$Adj('$%dF!!
Ck9v\<\wjiM33FiM33KXm!
k9v\<\wiM33KXm!
kiMSUiM33GiMV'iMV(I99iMSV!!
kiM%TGiMQSiMQHiMYSiMYViMYQiMfSRiMfUIj!
kiMS(iM33vHY<HYwj'-%/iMZSGSRTI!!
kC9GiMSZiMSQIGxRuIo!GxRuIo!GSRTIGSRTIyGSRTI!
yGSRTIyGSRTIyzGiMSTRiMS(!RuIoz!CGSRTI!
jHSFjHC/%#(j;%$FGxRuIo!zGiMSTRiMS(!RuIozF!!
iM33vU<UwGiMSHiM33IiM33vU<UwGiMSHiMSZiMSU!
iMS\IiM33iMSHiMfQGiM'SiM'UiM'\iM'V!
iM'?iM?VIiM33vU<UwGiMSHiMSZiMSUiMS\I!
iM33vU<UwGiMSHiM33IiM33vU<UwGiMSHiMSZiMSU!
iMS\IiM33iMSHiMfQGiM'SiM'UiM'\iM'V!
iM'?iM?VIiM33vU<UwGiMSHiMSZiMSUiMS\I!!
k;%$!Ch9(+L#)+'(hG!RuItjh9/67%-#+(%GRuIjh9/$'$6/G!RuI
jh9#%$L+-aG!RuItjh93,)%/jh9A'/A{GSRT'R3IthG!RuItF!A$$7!
hH9Hj6/%-R';%#$da'0''jMRa'0''CR6/%-#'&%jR#%$L+-ajR
,7jR/67%-#+(%,7jRM3%-,(jRM3%-6,(j$';Fjk;,*%GSRTIGSRTI
GSRTIGSRTIGSRTIGSRTIGSRTIGSRTIyGSRTIyGSRTIy!!
k9vZ<ZwiMSHiMHS9iMSH9tiMZSiM\Q!!
k9vV<VwGiMSHiMSZI9vQ<QwGiMSHRiMU3IG'R0SRTIGCiMSHR
iMU3F'R0ItGiMSZRiMSQIG'R0IvZ<Uw9vZ<ZwGiMSHiMH1IiMPP!
kGiM%UiM1VI9vZ<ZwiM33vZ<ZwGiMSHiMSZiMSViMS'iMH\R
iMHQiMHfRiMH1iMZSiMZHiMUfiM\SRiM\UiM\QRiMVZiMV\R
iMVTiMQSiMfHiMfZiMfVRiMfYiMf?iMf%iMTZiMTUiM'\I!
kiM%UGiMS1RiMHQiMZHiMZ\iMT\iMTQRiMT1iMT%iM'SRiM'\I
kC;#6$%))'GiMZSiMZ3Ij;%$!h6-,R-%/F!!
kCCC9jiMS'FvHQ<HQwGiMSHiMUHiM\HiM\SiM33!
iMfSiMfHIiMSHiM33FjCg_bFF!!
kiMHU?,$$+--%#$!7-+$+1+)!
(HdG'-I(Zd,(ZS!!
_]>OP|iMZS9iMZSA$$7hCGSHIi9GSRTIFGiMSTRiMS(!RuI!
t[]K>GiMSTRiMS(!RuItc^c[JRc]_>W]:GiMST!
RiMS(!RuIt:]c^>O]_GiMSTRiMS(!RuItKJW}JW!!
kGiMSTRiMS(!RuIt3$7!!
kiM33iMSHiMSfiM3399iM33GiMSHiMSZI!!
kiM\ZiM\Z9iM33vU<Uw!!
kiM33iM33GiM33iMSHRiMS'IiM33v\U<\Uw!!
kiM''iM''9t1,/1+!!
k9v\S<\SwiMSZiMZUiMSZiMZU!!
80
HTTP
HTTP
Expresión regular
HTTP
Protocolo Tipo
!
Figura 9 – Comparativa XePI-L7 de los paquetes detectados
usando historial de flujo para XePI
J#!16'#$+!')!$,%&7+!(%!%=%161,2#<!/%!76%(%!1+&7-+?'-!
%#!)'!P,;6-'!HS!56%!$'#$+!l%NO!1+&+!:YR3,)$%-!/%!&6%*%#!%#!
$,%&7+/! /,&,)'-%/! '6#! 16'#(+! )'! ,(%#$,3,1'1,2#! (%! l%NO! %/!
&61A+! &'8+-9! J#! 7'-$%! %/! (%?,(+! '! 56%! )'/! %M7-%/,+#%/!
-%;6)'-%/!(%!l%NO!/+#!%#!;%#%-')!&4/!-47,('/!56%!)'/!(%!:YR
3,)$%-<!1+#!)+!56%!%)!1+/$%!%M$-'!(%!7-+1%/'(+!(%)!A,/$+-,')!(%!
3)6=+!%/!7%-3%1$'&%#$%!'/6&,?)%!%#!l%NO9!b%!A%1A+<!1+&+!/%!
A'! 1+&%#$'(+! '#$%-,+-&%#$%<! %)! 3'1$+-! (%$%-&,#'#$%! (%! )'!
*%)+1,('(!(%)!/,/$%&'!*,%#%!3,='(+!1'/,!%M1)6/,*'&%#$%!7+-!)'!
%*')6'1,2#!(%!)'/!%M7-%/,+#%/!-%;6)'-%/9!
J#! 16'#$+! '! )+/! 3')/+/! 7+/,$,*+/<! l%NO! 8! :YR3,)$%-!
+3-%1%#! -%/6)$'(+/! /,&,)'-%/<! 1+#! 3')/+/! 7+/,$,*+/! /,%&7-%!
,#3%-,+-%/! '! 6#! S<Zp<! /')*+! %#! %)! 1'/+! (%)! 7-+$+1+)+! [>>N!
1+&+! /%! 76%(%! *%-! %#! )'! P,;6-'! HH9! N'-'! [>>N! l%NO! $,%#%!
6#'!$'/'!/67%-,+-!')!U<Vp!(%!3')/+/!7+/,$,*+/!7%-+!56%!#+!/%!
1+#/,(%-'! ,&7+-$'#$%! 1+&7'-'(+! 1+#! %)! 7+-1%#$'=%! (%!
,(%#$,3,1'1,2#! 56%! 1+#/,;6%! 3-%#$%! '! :YR3,)$%-9! :'! %M7-%/,2#!
-%;6)'-!(%!:YR3,)$%-!7'-'![>>N!%/!&4/!%/$-,1$'<!1+#!)+!56%!)'!
,(%#$,3,1'1,2#! %/! &%#+-! 8! 1+#! %))+! $'&?,.#! )+/! 3')/+/!
7+/,$,*+/9! J#! $+(+!1'/+<!)'!%M7-%/,2#!-%;6)'-!(%![>>N!7'-'!
102
VII Jornadas de Ingeniería Telemática. JITEL 2008
!
l%NO! (%?%-B'! /%-! +?=%$+! (%! %/$6(,+/! 7+/$%-,+-%/! &4/!
7-+36#(+/!1+#!%)!3,#!(%!-%(61,-!)'!$'/'!(%!3')/+/!7+/,$,*+/9!!
!
210
Tiempo XePI
Segundos
Tiempo L7
180
150
120
90
60
30
eDonkey
fastTrack
gNutella
FTP
DNS
BitTorrent
Ares
HTTP
0
!
Figura 10 – Comparativa XePI-L7 del tiempo de procesado
4
XEPI
%
L7
3,5
3,)$%-9!J)!A,/$+-,')!(%!3)6=+/!7%-&,$%!))%*'-!%/$'(+!(%!$+(+/!)+/!
3)6=+/! %/$'?)%1,(+/! %#! 6#'! -%(! 1+&76%/$+/! 7+-! )+/! 7'56%$%/!
56%! 1+&7'-$%#! )'! $67)'! v,7~+-,;%#<! 76%-$+~+-,;%#<!
,7~(%/$,#+<!76%-$+~(%/$,#+w!C1+#%M,+#%/!>cN!+!3)6=+/!"bNF9!
J/$+! 7%-&,$%! ,(%#$,3,1'-! $+(+/! )+/! 7'56%$%/! (%! 6#! 3)6=+! 1+#!
$')! (%! 56%! /2)+! 6#+! (%! )+/! 7'56%$%/! A'8'! *%-,3,1'(+! 6#'! (%!
)'/! %M7-%/,+#%/! -%;6)'-%/! '/+1,'('/! '! 6#'! '7),1'1,2#9! N'-'!
'7),1'1,+#%/!1+#!3)6=+/!(%!(6-'1,2#!,&7+-$'#$%!/%!1+#/,;6%#!
&%=+-B'/! /,;#,3,1'$,*'/! %#! %)! 7+-1%#$'=%! (%! 7'56%$%/!
,(%#$,3,1'(+/! /,#! 56%! 7+-! %))+! %&7%+-%! )'! $'/'! (%! 3')/+/!
7+/,$,*+/9!
J)!(%/'--+))+!(%!%M7-%/,+#%/!-%;6)'-%/!%/!6#!7-+1%/+!(%!
%*+)61,2#! 1+#$,#6'<! 8'! 56%! 1+#/$'#$%&%#$%! /%! (%/'--+))'#!
#6%*+/! 7-+$+1+)+/! +! /%! &%=+-'#! )+/! %M,/$%#$%/9! ^(%&4/<! )'!
,(%#$,3,1'1,2#! (%! 1'('! 7'56%$%! %/! 6#! 7-+1%/+! 1+/$+/+! 8! 56%!
1'('!*%0!*'!'!-%/6)$'-!&4/!(,3B1,)!1+#!)'!1+#/$'#$%!&%=+-'!%#!
)'! *%)+1,('(! (%! )'/! -%(%/9! J/! 7+-! %))+! 56%! %M,/$%#! +$-'/!
$.1#,1'/! ?'/'(+/!%#!A%6-B/$,1+/! &68!7-+&%$%(+-'/! 7%-+!56%!
#%1%/,$'#! (%! %/$+/! &.$+(+/! ?'/'(+/! %#! 3,-&'/! 7'-'! ;%#%-'-!
)+/! ('$+/! (%! -%3%-%#1,'! +! %#$-%#'&,%#$+! (%)! /,/$%&'! 1+#!
&'8+-!7-%1,/,2#9!
3
REFERENCIAS
2,5
[1]
2
[2]
1,5
[3]
1
0,5
[4]
eDonkey
fastTrack
gNutella
FTP
DNS
BitTorrent
Ares
HTTP
0
!
[5]
>9!q'-';,'##,/<!^9!m-+,(+<!_9!m-+L#)%%<q1!c)'338<!'#(!X9!P')+6$/+/9!
O/!7Z7!(8,#;!+-!=6/$!A,(,#;y!OJJJ!g)+?%1+&!ZSS\<!b'))'/<!>l<!"K^<!
_+*%&?%-!ZSS\9!
[6]
^9! n9! X++-%! '#(! q9! N'7';,'##'a,9! >+L'-(! $A%! ^116-'$%!
O(%#$,3,1'$,+#! +3! _%$L+-a! ^77),1'$,+#/9! N-+1%%(,#;/! +3! K,M$A! N'//,*%!
'#(! ^1$,*%! X%'/6-%&%#$! n+-a/A+7! CN^X! ZSSVF<! m+/$+#<! X^<!
X'-1Ah^7-,)!ZSSV9!
[7]
K9!K%#<! ]9! K7'$/1A%1a<! '#(! b9! n'#;9! ^116-'$%<!K1')'?)%! O#R_%$L+-a!
O(%#$,3,1'$,+#! +3! NZN! >-'33,1! 6/,#;! ^77),1'$,+#! K,;#'$6-%/9!!
N-+1%%(,#;/! +3! $A%! HU$A! O#$%-#'$,+#')! n+-)(! n,(%! n%?! c+#3%-%#1%<!
779!VHZRVZH<!_|<!"K^<!X'8!ZSS\9!
[8]
^)+a!X'(A6a'-!'#(!c'-%8!n,)),'&/+#9!^!:+#;,$6(,#')!K$6(8!+3!NZN!
>-'33,1! c)'//,3,1'$,+#9! H\$A! OJJJ! O#$%-#'$,+#')! K8&7+/,6&! +#!
X+(%),#;<! ^#')8/,/<! '#(! K,&6)'$,+#! +3! c+&76$%-! '#(!
>%)%1+&&6#,1'$,+#! K8/$%&/<! X^Kc]>K! ZSSQ<! 779HYTRHff<! HHRH\!
K%7$9!ZSSQ!
Figura 11 – Comparativa XePI-L7 de los falsos positivos
VIII. CONCLUSIONES
:'! ,(%#$,3,1'1,2#! (%! $-43,1+! ?'/'('! %#! 3,-&'/! %/!
36%-$%&%#$%! (%7%#(,%#$%! (%! )'! 1'),('(! (%! )'/! %M7-%/,+#%/!
-%;6)'-%/! 6$,),0'('/! %#! )'! ,(%#$,3,1'1,2#9! c'),('(! 7+-! 6#'!
7'-$%! %#! 16'#$+! '! $'/'! (%! ,(%#$,3,1'1,2#! 56%! +?$,%#%#! 8!
$'&?,.#!%#!16'#$+!'!)'!$'/'!(%!3')/+/!7+/,$,*+/!56%!-%/6)$'#9!
N+-! +$-+! )'(+<! )'! 1'),('(! $'&?,.#! %/$'-4! -%)'1,+#'('! 1+#! %)!
$,%&7+!#%1%/'-,+!7'-'!'7),1'-!(%$%-&,#'('!%M7-%/,2#!-%;6)'-d!
#+! /%-4! @$,)! 6#'! %M7-%/,2#! &68! )%#$'! '6#56%! ,(%#$,3,56%!
7%-3%1$'&%#$%!%)!$-43,1+!7+-56%!#+!/%-B'!+7%-'$,*'9!
J#! %/$%! 1+&7-+&,/+! %/! /+?-%! %)! 56%! #'1%! l%NO! 1+&+!
/,/$%&'!(,/%`'(+!7'-'!)'!,(%#$,3,1'1,2#!?'/'('!%#!3,-&'/9!K%!
A'#! &%=+-'(+! )'/! %M7-%/,+#%/! -%;6)'-%/! (%)! 7-+8%1$+! :YR
3,)$%-! 56%! /%! $-'$'! (%! )'/! 7+1'/! 36%#$%/! (,/7+#,?)%/! (%!
%M7-%/,+#%/!(%!/63,1,%#$%!1'),('(9!:'!&%=+-'!A'!*%#,(+!7+-!%)!
'6&%#$+! %#! )'! $'/'! ,(%#$,3,1'1,2#! 1+#! *')+-%/! (%! 3')/+/!
7+/,$,*+/! (%)! &,/&+! +-(%#! %M1%7$+! 7'-'! %)! 1'/+! (%! [>>N9!
>'&?,.#!/%!A'!&%=+-'(+!%#!16'#$+!'!)+/!$,%&7+/!#%1%/'-,+/!
7'-'! '7),1'-! )'/! %M7-%/,+#%/! -%;6)'-%/! /,&7),3,1'#(+! )'!
1+&7)%=,('(!(%!?6%#'!7'-$%!(%!%))'/9!
J)! &%1'#,/&+! (%! A,/$+-,')! (%! 3)6=+/! 7)'#$%'(+! 7%-&,$%!
&%=+-'-! '@#! &4/! )+/! -%/6)$'(+/! 3-%#$%! '! 7-+76%/$'/! 56%! /%!
),&,$'#!'!'7),1'-!%M7-%/,+#%/!-%;6)'-%/!7+-!7'56%$%!1+&+!:YR
c9!P-')%,;A<!%$!')9!N'1a%$R)%*%)!$-'33,1!&%'/6-%&%#$/!3-+&!$A%!K7-,#$!ON!
?'1a?+#%9!OJJJ!_%$L+-a<!_+*%&?%-hb%1%&?%-!ZSSU9!
>9! q'-';,'##,/<! q9! N'7';,'##'a,<! '#(! X9! P')+6$/+/9! m:O_cd!
&6)$,)%*%)! $-'33,1! 1)'//,3,1'$,+#! ,#! $A%! ('-a9! KOgc]XX! c+&76$%-!
c+&&6#,1'$,+#/9!W%*,%L!}+)9UV<!!_+9\<!779!ZZTRZ\S<!]1$9!ZSSV9!
:9! K');'-%)),<! P9! g-,#;+),! '#(! >9! q'-';,'##,/9! c+&7'-,#;! $-'33,1!
1)'//,3,%-/9! KOgc]XX! c+&76$%-9! c+&&6#,1'$,+#/! W%*,%L! }+)9UY<!
_+9U<!779QVRQf<!•6)9!ZSSY9!
X9!W+6;A'#<!K9!K%#<!]9!K7'$/1A%1a<!'#(!_9!b633,%)(9!c)'//R+3R/%-*,1%!
&'77,#;! 3+-! 5+/d! '! /$'$,/$,1')! /,;#'$6-%R?'/%(! '77-+'1A! $+! ON! $-'33,1!
1)'//,3,1'$,+#9! N-+1%%(,#;/! +3! $A%! \$A! ^cX! KOgc]XX! OXc€S\!
1+#3%-%#1%9!779HUV•H\f<!_%L!|+-a<!_|<!"K^<!ZSS\9!
[9]
•9! :%*'#(+/a,<! J9! K+&&%-! '#(! X9! K$-',$9! ^77),1'$,+#! :'8%-! N'1a%$!
c)'//,3,%-!3+-!:,#6M9!A$$7dhh)YR3,)$%-9/+6-1%3+-;%9#%$!
[10] :9! q'-$$6#%#<! •RN9! cA'#+(<! g9! g-%3%#/$%$$%<! '#(! ^9! K1A,))%-9! W%;6)'-!
%M7-%//,+#/!3+-!)'#;6';%!%#;,#%%-,#;9!_'$6-')!:'#;6';%!J#;,#%%-,#;<!
}+)9Z<!_+9\<!779USVRZUf<!HTTQ9!
[11] •+A#! X'((+1a9! W%;6)'-! %M7-%//,+#! 7%-3+-&'#1%! 1+&7'-,/+#9! ZSS\9!
A$$7dhh-%/%'-1A9&,1-+/+3$91+&h7-+=%1$/h;-%$'h-%;%M~7%-39A$&)!!
[12] n,#N1'7d!>A%!n,#(+L/!N'1a%$!c'7$6-%!:,?-'-89!ZSSf9!
A$$7dhhLLL9L,#71'79+-;!
[13] >17(6&7h),?71'79!ZSSY9!A$$7dhhLLL9$17(6&79+-;!
[14] >A%!g-%$'!W%;6)'-!JM7-%//,+#!>%&7)'$%!^-1A,*%9!X,1-+/+3$!ZSSY9!
A$$7dhh-%/%'-1A9&,1-+/+3$91+&h7-+=%1$/h;-%$'!
[15] •+A#!X'((+1a9!m++/$Rl7-%//,*%9ZSSf9!A$$7dhhLLL9?++/$9+-;!
