A methodology for P2P file-sharing traffic detection

Since the widespread adoption of peer-to-peer (P2P) networking during the late '90s, P2P applications have multiplied. Their diffusion and adoption are witnessed by the fact that P2P traffic accounts for a significant fraction of Internet traffic. Further, there are concerns regarding the use of these applications, for instance when they are employed to share copyright protected material. Hence, in many situations there would be many reasons to detect P2P traffic. In the late '90s, P2P traffic was easily recognizable since P2P protocols used application-specific TCP or UDP port numbers. However, P2P applications were quickly empowered with the ability to use arbitrary ports in an attempt to go undetected. Nowadays, P2P applications explicitly try to camouflage the originated traffic in an attempt to go undetected. Despite the presence of rules to detect P2P traffic, no methodology exists to extract them from applications without the use of reverse engineering. In this paper we develop a methodology to detect P2P traffic. It is based on the analysis of the protocol used by a P2P application, extraction of specific patterns unique to the protocol, coding of such a pattern in rules to be fed to an intrusion detection system (IDS), and validation of the pattern via network traffic monitoring with SNORT (an open source IDS) fed with the devised rules. In particular, we present a characterization of P2P traffic originated by the OpenNap and WPN protocols (implemented in the WinMx application) and FastTrack protocol (used by KaZaA) obtained using our methodology, that shows the viability of our proposal. Finally, we conclude the paper exposing our undergoing efforts in the extension of the methodology to exploit differences between centralized and decentralized P2P protocols, as well as the characterization of encrypted traffic, and highlight a new research direction in the identification of P2P traffic.

[1]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[2]  David R. Karger,et al.  Wide-area cooperative storage with CFS , 2001, SOSP.

[3]  Paul Barford,et al.  Characteristics of network traffic flow anomalies , 2001, IMW '01.

[4]  Krishna P. Gummadi,et al.  An analysis of Internet content delivery systems , 2002, OPSR.

[5]  Paul Barford,et al.  A signal analysis of network traffic anomalies , 2002, IMW '02.

[6]  Anja Feldmann,et al.  An analysis of Internet chat systems , 2003, IMC '03.

[7]  Sushil Jajodia,et al.  Secure Dynamic Fragment and Replica Allocation in Large-Scale Distributed File Systems , 2003, IEEE Trans. Parallel Distributed Syst..

[8]  Krishna P. Gummadi,et al.  Measurement, modeling, and analysis of a peer-to-peer file-sharing workload , 2003, SOSP '03.

[9]  Rafeeq Ur Rehman,et al.  Intrusion Detection with SNORT (Bruce Perens' Open Source Series): Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID , 2003 .

[10]  Adam Wierzbicki,et al.  Deconstructing the Kazaa network , 2003, Proceedings the Third IEEE Workshop on Internet Applications. WIAPP 2003.

[11]  Anjali Gupta,et al.  One Hop Lookups for Peer-to-Peer Overlays , 2003, HotOS.

[12]  Mary K. Vernon,et al.  Characterizing the query behavior in peer-to-peer file sharing systems , 2004, IMC '04.

[13]  Jia Wang,et al.  Analyzing peer-to-peer traffic across large networks , 2004, IEEE/ACM Trans. Netw..

[14]  Oliver Spatscheck,et al.  Accurate, scalable in-network identification of p2p traffic using application signatures , 2004, WWW '04.

[15]  Angelo Spognardi,et al.  A methodology for P2P file-sharing traffic detection , 2005 .