
2009-11-10 Regular Meeting Lecture Notes

General solution of P2P traffic capture and P2P identification methodology test

State Key Laboratory of Networking and Switching Technology

Beijing University of Posts and Telecommunications

2009-11-11 1
Contents

1 The state of the art in P2P identification

2 Solution of capturing P2P traffic

3 Solution of testing identification technique

The state of the art
- Port-based approaches [1]
  - Port number may be dynamic
- Deep Packet Inspection (DPI) [2][3]
  - Advantages:
    - Can recognize particular P2P applications
    - Can achieve high detection accuracy
  - Drawbacks:
    - Cannot identify applications with unknown signatures
    - Cannot be used on encrypted traffic
    - Examining user payloads raises privacy and legal concerns
    - High computation overhead for checking signatures
- Approaches based on P2P traffic behavior [4]-[10]
  - Advantages:
    - Can identify unknown P2P applications
    - Can identify encrypted P2P applications
  - Drawbacks:
    - Cannot recognize particular P2P applications
    - False positives

REFERENCES
- [1] S. Sen and J. Wang, “Analyzing peer-to-peer traffic across large networks,” IEEE/ACM Transactions on Networking (TON), vol. 12, no. 2, pp. 219–232, 2004.
- [2] S. Sen, O. Spatscheck, and D. Wang, “Accurate, scalable in-network identification of p2p traffic using application signatures,” in WWW ’04: Proceedings of the 13th international conference on World Wide Web, New York, NY, USA, 2004, pp. 512–521.
- [3] Bleul H., Rathgeb E. P., Zilling S. Advanced P2P multiprotocol traffic analysis based on application level signature detection. In 12th International Telecommunications Network Strategy and Planning Symposium. New Delhi, India: Institute of Electrical and Electronics Engineers Inc., United States, 2007. 408-418.
- [4] F. Constantinou and P. Mavrommatis, “Identifying known and unknown peer-to-peer traffic,” in NCA ’06: Proceedings of the Fifth IEEE International Symposium on Network Computing and Applications, Cambridge, MA, USA, 2006, pp. 93–102.
- [5] T. Karagiannis, A. Broido, M. Faloutsos, and K. claffy, “Transport layer identification of p2p traffic,” in IMC ’04: Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, Taormina, Sicily, Italy, 2004, pp. 121–134.
- [6] X. Lu, H. Duan, and X. Li, “Identification of p2p traffic based on the content redistribution characteristic,” in ISCIT’07: Proceedings of the International Symposium on Communications and Information Technologies, Sydney, Australia, 2007, pp. 596–601.
- [7] M. Perenyi, A. G. Trang Dinh Dang, and S. Molnar, “Identification and analysis of peer-to-peer traffic,” Journal of Communication, vol. 1, no. 7, pp. 36–46, 2006.
- [8] Mong-Fong H., Chun-Wei C., Chin-Shun et al. Identification and Analysis of P2P Traffic - An Example of BitTorrent. In First International Conference on Innovative Computing, Information and Control. Beijing, China: IEEE, 2006. 266-269.
- [9] DedinskiI L, H D. M., L H., et al. Cross-Layer Peer-to-Peer Traffic Identification and Optimization Based on Active Networking. In the Seventh Annual International Working Conference on Active and Programmable Networks. French Riviera: IEEE, 2005. 111-12
- [10] Yang Yuexiang, Wang Rui, Tang Chuan. A P2P traffic detection method based on dual characteristics. Journal on Communications, 2006, 27(11A): 135-138.
- ……

Contents

2 Solution of capturing P2P traffic
  1 Capturing packet for P2P Applications analysis
  2 Capturing packet for test and evaluation

Capturing packet for P2P Applications analysis

- Features: controllable IP addresses, P2P applications, cross traffic, etc.
- More than 10 controlled PCs
- Capture tools: tcpdump, Wireshark, etc.
- Trace data format: pcap (tcpdump)
- Goal: analyze the protocols, application signatures, … of the P2P applications we are concerned with

Capturing packet for test and evaluation

- Features: real P2P traffic with cross traffic
- Capture method: switch port mirroring
- Tool: dedicated measurement server with a DAG network monitoring card from Endace Inc., which provides 100% packet capture
- Trace data format: pcap (tcpdump)
- Goal: provide base trace data for test and evaluation of the identification technique

Trace data post-processing (classify application)

- For example:
Test and evaluation method
- Baseline: signature-based payload methodology
- 1: Identify P2P applications with the signature-based payload methodology
- 2: Identify P2P applications with the behavior-based (or transport-layer) identification methodology that we will propose
- 3: Compare them in terms of false positives and false negatives

Evaluation metric

- False Positive (FP): erroneously identifies non-P2P traffic as P2P traffic
- False Negative (FN): fails to identify P2P traffic as such
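The comparison step of the test method, scored with the FP and FN definitions above, as an added example that is not part of the original slides. It takes per-flow verdicts from the signature-based baseline and from a candidate behavior-based classifier. The `Flow` record, the rate denominators and the sample verdicts are assumptions constructed for illustration.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src sport dst dport proto")

def canonical(flow):
    """Order the endpoints so both directions of a flow share one key."""
    lo, hi = sorted([(flow.src, flow.sport), (flow.dst, flow.dport)])
    return (lo, hi, flow.proto)

def evaluate(baseline, candidate):
    """Score candidate P2P verdicts against the baseline, flow by flow.

    Both arguments map Flow -> True (P2P) / False (non-P2P). A flow the
    candidate did not report is treated as non-P2P.
    """
    cand = {canonical(f): v for f, v in candidate.items()}
    n = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    fp_flows = []
    for flow, is_p2p in baseline.items():
        verdict = cand.get(canonical(flow), False)
        if verdict and not is_p2p:
            n["FP"] += 1
            # The payload baseline cannot label encrypted or unknown-signature
            # traffic, so keep these flows for manual review.
            fp_flows.append(flow)
        elif is_p2p and not verdict:
            n["FN"] += 1
        else:
            n["TP" if is_p2p else "TN"] += 1
    # Assumed denominators: FP over baseline non-P2P, FN over baseline P2P.
    non_p2p, p2p = n["FP"] + n["TN"], n["FN"] + n["TP"]
    return {"counts": n, "fp_flows": fp_flows,
            "fp_rate": n["FP"] / non_p2p if non_p2p else 0.0,
            "fn_rate": n["FN"] / p2p if p2p else 0.0}

# Constructed sample verdicts (documentation addresses, not real trace data).
BASELINE = {
    Flow("192.0.2.10", 51000, "198.51.100.5", 6881, "tcp"): True,
    Flow("192.0.2.11", 51001, "198.51.100.6", 6882, "tcp"): True,
    Flow("192.0.2.12", 40000, "198.51.100.7", 80, "tcp"): False,
    Flow("192.0.2.13", 40001, "198.51.100.8", 443, "tcp"): False,
    Flow("192.0.2.14", 40002, "198.51.100.9", 53, "udp"): False,
}
CANDIDATE = {
    Flow("198.51.100.5", 6881, "192.0.2.10", 51000, "tcp"): True,  # reversed
    Flow("192.0.2.11", 51001, "198.51.100.6", 6882, "tcp"): False,
    Flow("192.0.2.13", 40001, "198.51.100.8", 443, "tcp"): True,
}

if __name__ == "__main__":
    print(evaluate(BASELINE, CANDIDATE))
```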

About signature-based payload methodology

- We will use the method in the paper:
  - S. Sen, O. Spatscheck, and D. Wang, “Accurate, scalable in-network identification of p2p traffic using application signatures,” in WWW ’04: Proceedings of the 13th international conference on World Wide Web, New York, 2004
