Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing

Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing

Bartlett, Genevieve and Heidemann, John and Papadopoulos, Christos
USC/Information Sciences Institute

Genevieve Bartlett, John Heidemann and Christos Papadopoulos 2007. Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing. Proceedings of the 10th IEEE Global Internet Symposium (Anchorage, Alaska, USA, May 2007).

Abstract

Blind techniques to detect network applications—approaches that do not consider packet contents—are increasingly desirable because they have fewer legal and privacy concerns, and they can be robust to application changes and intentional cloaking. In this paper we identify several behaviors that are \emphinherent to peer-to-peer (P2P) traffic and demonstrate that they can detect both BitTorrent and Gnutella hosts using only packet header and timing information. We identify three basic behaviors: failed connections, the ratio of incoming and outgoing connections, and the use of unprivileged ports. We show that while individual behaviors are sometimes effective, they work best when used together. We quantify the effectiveness of our approach using two day-long traces, from 2005 and 2006, showing that they are quite accurate: BitTorrent hosts are detected with an 83% true positive rate and only a 2% false positive rate, and Gnutella hosts with a 75% true positive rate and a 4% false postivie rate. Our system is suitable for on-line use, with 75% of BitTorrent hosts detected in less than 10 minutes of trace data.

Reference

@inproceedings{Bartlett07a,
  author = {Bartlett, Genevieve and Heidemann, John and Papadopoulos, Christos},
  title = {Inherent Behaviors for On-line Detection of
           Peer-to-Peer File Sharing},
  booktitle = {Proceedings of the 10th IEEE Global Internet Symposium},
  year = {2007},
  sortdate = {2007-05-01},
  month = may,
  publisher = {IEEE},
  address = {Anchorage, Alaska, USA},
  xxxpages = {xxx},
  location = {johnh: pafile},
  note = {An extended version of this paper is available as ISI-TR-2006-627},
  keywords = {peer-to-peer, traffic classification, encryption},
  project = {ant, lander, predict},
  jsubject = {traffic_detection},
  url = {http://www.isi.edu/%7ejohnh/PAPERS/Bartlett07a.html},
  pdfurl = {http://www.isi.edu/%7ejohnh/PAPERS/Bartlett07a.pdf},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {IEEE},
  copyrightterms = {
  	Personal use of this material is permitted.  However,
  	permission to reprint/republish this material for advertising
  	or promotional purposes or for creating new collective works
          for resale or redistribution to servers or lists,
  	or to reuse any copyrighted component of this work in other works
  	must be obtained from the IEEE.
  }
}

Copyright

Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.