P2P Honeypot to Prevent Illegal or Harmful Contents From Spreading in P2P Network

Hogyun Lee and Taekyong Nam
Electronics and Telecommunications Research Institute
{hglee, tynam}@etri.re.kr

Abstract: In this paper we propose the P2P Honeypot, which prevents illegal or harmful files from spreading in P2P networks. We apply the idea of the Honeypot to the P2P network. We build fake P2P service farms and monitor and trace users who spread or obtain illegal or harmful files in the P2P network. If this system can be applied widely, we can expect illegal or harmful files to be wiped out of P2P networks.

Keywords: Honeypot, Peer to Peer network, Contents Filtering

1. Introduction

The P2P network is a network technology that has made great strides since early 1990. It began with Napster in the USA and Soribada in South Korea. The existing network model (the client and server model) needs central control by a server, whereas a P2P network connects each node directly. P2P can therefore decentralize network traffic, use the network efficiently, and spread information very quickly. But because there is no surveillance, users started to distribute illegal mp3 files or harmful videos in P2P networks. The illegal/harmful contents problem became an issue, and many prevention measures have been proposed [1].

The prevention measures are divided into two kinds. One is an approach based on social engineering and the other is an approach based on technology. Until now, the approach based on social engineering has been adopted in most cases. The approaches based on social engineering prohibit a certain P2P service by law, or trace and indict some of the people who spread illegal files.

The approaches based on technology are as follows. The first is that every user of the P2P network installs agent software on his computer. The agent software monitors P2P traffic and blocks it if the user uploads or downloads illegal files. This approach requires installing and managing agent software on every personal computer, which is almost impossible.
The second technical approach is to install a contents monitoring system at the network border, where it monitors all P2P traffic. This approach requires a contents monitoring system at every network border, which costs too much, and developing a contents monitoring system that can detect all P2P traffic in real time is very difficult.

So in this paper, we propose a new technical approach to prevent illegal and harmful contents from spreading in P2P networks. It adopts the idea of the Honeypot and monitors and traces illegal users. The proposed approach can gather forensic evidence that a user spreads illegal files, so it can be expected to prevent illegal contents from spreading.

This paper is organized as follows. The second section describes related work on the Honeypot. The third section explains the framework devised for preventing illegal files from spreading. The fourth section describes the experimental results of the algorithm that detects illegal or harmful contents. The fifth section is the conclusion.

2. Related Work

The basic idea of this paper is the Honeypot system for intrusion detection. The Honeypot is a kind of bait that deceives crackers. The Honeypot system tricks crackers into taking the fake system for a real system [2]. The Honeypot is generally a virtual system that emulates a real service system. This virtual system looks like a normal service on standard ports, so it can be good bait for crackers. If a cracker swallows the bait, the Honeypot system stores forensic evidence with its monitor and trace module. With a Honeypot system, an administrator can protect his server, trace crackers, and learn the latest trends in cracking.

The Honeypot was proposed by David Clock, who was an MIT professor, in early 1990, and it was put into practice in 1999 by Lance Spitzner, a security expert working for Sun Microsystems. It can trace crackers, defend actively, and prevent the attacks of crackers, so it has been widely used.

Figure 1. Honeypot system diagram

ISBN 978-89-5519-131-8 93560, Feb. 12-14, 2007, ICACT2007