On Metrics to Distinguish Skype Flows from HTTP Traffic

Skype is a Voice over IP (VoIP) Internet application that has gained huge popularity in recent years. A key factor in Skype's popularity is its ability to adapt dynamically so that it can operate behind firewalls or network proxies. A common way for Skype to get past these network devices is to use port 80, which is normally expected to carry HTTP traffic. In this paper, we propose metrics and investigate statistical tests intended to clearly distinguish Skype flows from HTTP traffic. We validate our study using real-world experimental datasets gathered at a commercial Internet Service Provider (ISP). Our experimental results suggest that the proposed methodology may be seen as a promising building block towards a system to detect general protocol anomalies in HTTP traffic.
