In this paper, we propose a novel P2P node detection method that analyzes network traffic and extracts the packets that carry query messages. Most previous methods detect P2P nodes by using signatures of known applications or by exploiting traffic features of P2P nodes. However, they cannot detect hosts running unknown P2P applications while keeping a low false-positive rate. To address this problem, we focus on the resource discovery mechanism, in which query messages are routed and relayed through several nodes in order to locate hosts that provide certain files. We then attempt to detect hosts that appear to both receive queries from and forward queries to other hosts. To do so, our approach monitors the traffic of target hosts and searches for pairs of inbound and outbound packets that are likely to carry the same query, by computing their similarity. Through evaluation experiments with two popular P2P file-sharing applications, LimeWire and Winny, we show that this approach detects P2P nodes within a few hundred seconds, with only a few false alerts over a week.
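An added illustration of the inbound/outbound pairing idea described above. This is not the paper's code: the similarity metric (difflib's SequenceMatcher ratio), the 2-second pairing window, the 0.8 similarity threshold, the minimum pair count and the sample packets are all assumptions constructed here.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class Packet:
    ts: float        # capture time in seconds
    direction: str   # "in" (received by the monitored host) or "out" (sent by it)
    payload: bytes


def payload_similarity(a: bytes, b: bytes) -> float:
    """Similarity in [0, 1]. SequenceMatcher is an assumed stand-in for the
    paper's metric; any byte-level similarity measure could be substituted."""
    return SequenceMatcher(None, a, b).ratio()


def find_relayed_queries(packets, window=2.0, threshold=0.8):
    """Return (inbound, outbound) packet pairs where the outbound packet was sent
    within `window` seconds after the inbound one and carries a near-identical
    payload, i.e. the host appears to be forwarding a query it just received."""
    pairs = []
    ordered = sorted(packets, key=lambda p: p.ts)
    for i, pin in enumerate(ordered):
        if pin.direction != "in":
            continue
        for pout in ordered[i + 1:]:
            if pout.ts - pin.ts > window:
                break  # later packets are outside the window too
            if pout.direction == "out" and \
                    payload_similarity(pin.payload, pout.payload) >= threshold:
                pairs.append((pin, pout))
    return pairs


def is_p2p_node(packets, min_pairs=3, **kw):
    """Flag the host once enough relayed-query pairs have been observed."""
    return len(find_relayed_queries(packets, **kw)) >= min_pairs


# Constructed sample trace (illustrative text, not a real wire format): the host
# relays two queries, each re-sent with an updated hop counter, and also serves
# one unrelated HTTP request that must not be paired.
SAMPLE = [
    Packet(0.0, "in",  b"QUERY ttl=5 hops=2 'ubuntu 22.04 iso'"),
    Packet(0.4, "out", b"QUERY ttl=4 hops=3 'ubuntu 22.04 iso'"),
    Packet(1.0, "in",  b"GET /index.html HTTP/1.1"),
    Packet(1.2, "out", b"HTTP/1.1 200 OK"),
    Packet(5.0, "in",  b"QUERY ttl=7 hops=0 'linux kernel source'"),
    Packet(5.3, "out", b"QUERY ttl=6 hops=1 'linux kernel source'"),
]
```

In a deployment the window, threshold and minimum pair count would be tuned against benign traffic, since the HTTP request/response pair shows how a loose threshold could turn ordinary server traffic into false alerts.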