6 research outputs found
An FPGA-Based System for Tracking Digital Information Transmitted Via Peer-to-Peer Protocols
This paper presents a Field Programmable Gate Array (FPGA)-based tool designed to process file transfers using the BitTorrent Peer-to-Peer (P2P) protocol and VoIP phone calls made using the Session Initiation Protocol (SIP). The tool searches selected control messages in real time and compares the unique identifier of the shared file or phone number against a list of known contraband files or phone numbers. Results show the FPGA tool processes P2P packets of interest 92% faster than a software-only configuration and is 97.6% accurate at capturing and processing messages at a traffic load of 89.6 Mbps.
An FPGA-Based System for Tracking Digital Information Transmitted via Peer-to-Peer Protocols
This thesis addresses the problem of identifying and tracking digital information that is shared using peer-to-peer file transfer and Voice over IP (VoIP) protocols. The goal of the research is to develop a system for detecting and tracking the illicit dissemination of sensitive government information using file sharing applications within a target network, and tracking terrorist cells or criminal organizations that are covertly communicating using VoIP applications. A digital forensic tool is developed using an FPGA-based embedded software application. The tool is designed to process file transfers using the BitTorrent peer-to-peer protocol and VoIP phone calls made using the Session Initiation Protocol (SIP). The tool searches a network for selected peer-to-peer control messages using payload analysis and compares the unique identifier of the file being shared or phone number being used against a list of known contraband files or phone numbers. If the identifier is found on the list, the control packet is added to a log file for later forensic analysis. Results show that the FPGA tool processes peer-to-peer packets of interest 92% faster than a software-only configuration and is 99.0% accurate at capturing and processing BitTorrent Handshake messages under a network traffic load of at least 89.6 Mbps. When SIP is added to the system, the probability of intercept for BitTorrent Handshake messages remains at 99.0% and the probability of intercept for SIP control packets is 97.6% under a network traffic load of at least 89.6 Mbps, demonstrating that the tool can be expanded to process additional peer-to-peer protocols with minimal impact on overall performance.
Nonintrusive tracing in the Internet
Intruders that log in through a series of machines when conducting an attack are hard to trace because of the complex architecture of the Internet. The thumbprinting method provides an efficient way of tracing such intruders by determining whether two connections are part of the same connection chain. Because many connections are transient and therefore short in length, choosing the best time interval to thumbprint over can be an issue. In this paper, we provide a way to shorten the time interval used for thumbprinting. We then study some special properties of the thumbprinting function. We also study another mechanism for tracing intruders in the Internet based on a timestamping approach, which passively monitors flows between source and destination pairs. Given a potentially suspicious source, we identify its true destination. We compute the error probability of our algorithm and show that its value decreases exponentially as the observation time increases. Our simulation results show that our approach performs well.
Air Force Institute of Technology Research Report 2011
This report summarizes the research activities of the Air Force Institute of Technology’s Graduate School of Engineering and Management. It describes research interests and faculty expertise; lists student theses/dissertations; identifies research sponsors and contributions; and outlines the procedures for contacting the school. Included in the report are: faculty publications, conference presentations, consultations, and funded research projects. Research was conducted in the areas of Aeronautical and Astronautical Engineering, Electrical Engineering and Electro-Optics, Computer Engineering and Computer Science, Systems and Engineering Management, Operational Sciences, Mathematics, Statistics and Engineering Physics.
Performance Evaluation of a Field Programmable Gate Array-Based System for Detecting and Tracking Peer-to-Peer Protocols on a Gigabit Ethernet Network
Recent years have seen a massive increase in illegal, suspicious, and malicious traffic traversing government and military computer networks. Some examples include illegal file distribution and disclosure of sensitive information using the BitTorrent file sharing protocol, criminals and terrorists using Voice over Internet Protocol (VoIP) technologies to communicate, and foreign entities exfiltrating sensitive data from government, military, and Department of Defense contractor networks. As a result of these growing threats, the TRacking and Analysis for Peer-to-Peer (TRAPP) system was developed in 2008 to detect BitTorrent and VoIP traffic of interest. The TRAPP system, designed on a Xilinx Virtex-II Pro Field Programmable Gate Array (FPGA), proved valuable and effective in detecting traffic of interest on a 100 Mbps network. Using concepts and technology developed for the TRAPP system, the TRAPP-2 system is developed on a Xilinx ML510 FPGA. The goals of this research are to evaluate the performance of the TRAPP-2 system as a solution to detect and track malicious packets traversing a gigabit Ethernet network. The TRAPP-2 system detects a BitTorrent, Session Initiation Protocol (SIP), or Domain Name System (DNS) packet, extracts the payload, compares the data against a hash list, and if the packet is suspicious, logs the entire packet for future analysis. Results show that the TRAPP-2 system captures 95.56% of BitTorrent, 20.78% of SIP INVITE, 37.11% of SIP BYE, and 91.89% of DNS packets of interest while under a 93.7% network utilization (937 Mbps). For another experiment, the contraband hash list size is increased from 1,000 to 131,072,000 unique items. The experiment reveals that each doubling of the hash list size results in a mean increase of approximately 16 central processing unit cycles. These results demonstrate the TRAPP-2 system’s ability to detect traffic of interest under a saturated network utilization while maintaining large contraband hash lists.
Air Force Institute of Technology Research Report 2009
This report summarizes the research activities of the Air Force Institute of Technology’s Graduate School of Engineering and Management. It describes research interests and faculty expertise; lists student theses/dissertations; identifies research sponsors and contributions; and outlines the procedures for contacting the school. Included in the report are: faculty publications, conference presentations, consultations, and funded research projects. Research was conducted in the areas of Aeronautical and Astronautical Engineering, Electrical Engineering and Electro-Optics, Computer Engineering and Computer Science, Systems and Engineering Management, Operational Sciences, Mathematics, Statistics and Engineering Physics.