Finding Peer-to-Peer File-Sharing Using Coarse Network Behaviors

  • Michael P. Collins
  • Michael K. Reiter
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


A user who wants to use a service forbidden by their site’s usage policy can masquerade their packets in order to evade detection. One masquerade technique sends prohibited traffic on TCP ports commonly used by permitted services, such as port 80. Users who hide their traffic in this way pose a special challenge, since filtering by port number risks interfering with legitimate services using the same port. We propose a set of tests for identifying masqueraded peer-to-peer file-sharing based on traffic summaries (flows). Our approach is based on the hypothesis that these applications have observable behavior that can be differentiated without relying on deep packet examination. We develop tests for these behaviors that, when combined, provide an accurate method for identifying these masqueraded services without relying on payload or port number. We test this approach by demonstrating that our integrated detection mechanism can identify BitTorrent with a 72% true positive rate and virtually no observed false positives in control services (FTP-Data, HTTP, SMTP).







Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Michael P. Collins (1)
  • Michael K. Reiter (2)
  1. CERT/Network Situational Awareness, Software Engineering Institute, Carnegie Mellon University
  2. Electrical & Computer Engineering Department, Computer Science Department, and CyLab, Carnegie Mellon University
