In this paper we present an algorithm that is able to progressively discover nodes cooperating in a P2P network. Starting from a single known node, we can easily identify other nodes in the peer-to-peer network through the analysis of widely available and standardized IPFIX (NetFlow) data. Instead of relying on the analysis of content characteristics or packet properties, we monitor connections of known nodes in the network and then progressively discover other nodes through the analysis of their mutual contacts. We show that our method is able to discover all cooperating nodes in many P2P networks. The use of standardized input data allows for easy deployment onto real networks. Moreover, because this approach requires only short processing times, it scales very well in larger and higher-speed networks.
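The abstract gives only the outline of the method, so the following is an added illustration of seed-based discovery through mutual contacts, not the authors' algorithm. The host names, the `min_mutual` and `max_degree` thresholds, and the popular-host filter are assumptions made for this sketch.

```python
from collections import defaultdict

# Constructed sample: (src, dst) address pairs as they would be taken from
# flow records. p1..p6 form a P2P overlay, h1/h2 are ordinary clients, and
# every host talks to one popular resolver ("dns").
OVERLAY = [("p1", "p2"), ("p1", "p3"), ("p1", "p4"), ("p2", "p3"), ("p2", "p4"),
           ("p3", "p4"), ("p3", "p5"), ("p4", "p5"), ("p4", "p6"), ("p5", "p6")]
BENIGN = [("h1", "web"), ("h2", "web"), ("h1", "p3")]  # h1 touches one peer by chance
HOSTS = ["p1", "p2", "p3", "p4", "p5", "p6", "h1", "h2"]
FLOWS = OVERLAY + BENIGN + [(h, "dns") for h in HOSTS]


def contact_map(flows, max_degree):
    """Undirected contact sets, with hosts contacted by 'everyone' removed."""
    adj = defaultdict(set)
    for src, dst in flows:
        if src != dst:
            adj[src].add(dst)
            adj[dst].add(src)
    # Assumption: a host with more than max_degree contacts is shared
    # infrastructure and carries no evidence of overlay membership.
    popular = {h for h, peers in adj.items() if len(peers) > max_degree}
    return {h: peers - popular for h, peers in adj.items() if h not in popular}


def discover(flows, seed, min_mutual=2, max_degree=6):
    """Return {host: round in which it was discovered}, starting from seed."""
    adj = contact_map(flows, max_degree)
    found = {seed: 0}
    rnd = 0
    while True:
        rnd += 1
        # Evaluate all candidates against the node set frozen at round start.
        new = [c for c in adj if c not in found and any(
            len(adj[c] & adj.get(k, set())) >= min_mutual for k in found)]
        if not new:
            return found
        found.update((c, rnd) for c in new)


if __name__ == "__main__":
    print(discover(FLOWS, "p1"))                  # overlay members only
    print(discover(FLOWS, "p1", max_degree=100))  # no filter: benign hosts leak in
```

With the filter disabled, the shared resolver counts as a mutual contact and the expansion absorbs the benign hosts as well, which is why some treatment of popular destinations is needed before counting.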





Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2013

Authors and Affiliations

  • Jan Jusko (1, 2)
  • Martin Rehak (1, 2)

  1. Faculty of Electrical Engineering, Czech Technical University in Prague, Czech Republic
  2. Cognitive-Security s.r.o., Prague, Czech Republic
