Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Tao Qin,Lei Wang,Zhaoli Liu,Xiaohong Guan

DOI: https://doi.org/10.1016/j.knosys.2015.03.002

IF: 8.139

2015-01-01

Knowledge-Based Systems

Abstract:Application identification plays an essential role in network management such as intrusion detection and security monitoring. But the continuous growth of bandwidth and massive amount of packets pose serious challenges for efficacious and accurate application identification. In this paper, we develop a new method to reduce the number of packets being processed while achieving the goal of accurate P2P and VoIP application identification. Firstly, we employ the Bi-flow model to aggregate traffic packets into Bi-flow, which can capture the exchange behavior characteristics between different terminals. Then we employ the signature of Packet Size Distribution (PSD) to capture flow dynamics, which is defined as the payload length distribution probability of the packets in one Bi-flow. Secondly, we collect PSD of several different P2P and VoIP applications and the analysis results show that PSD of different applications are different with each other, which can be used as features to perform traffic identification. We also find the PSD characteristics of one Bi-flow can be captured by its first few packets, which demonstrate our methods can identify the Bi-flow quickly after its establishment. We employ the Renyi cross entropy to perform identification by calculating the similarity between PSD of the Bi-flow being identified and that of specific application. If the similarity is higher than a selected threshold, the Bi-flow being identified is classified to the specific application. Finally, as the PSD is a type of probability feature which is not sensitive to packet lose, we integrate the Poisson sampling method into our framework to process the massive data in backbone networks. Experimental results using the artificial and actual traces collected from monitoring platform in the Northwest Center of CERNET (China Education and Research Network) verify the accuracy and robustness of our method.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1007/s11767-007-0110-4

2009-01-01

Abstract:Accurate and real-time classification of network traffic is significant to network operation and management such as QoS differentiation, traffic shaping and security surveillance. However, with many newly emerged P2P applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, traditional classification approaches turn to be ineffective. In this paper, we present a layered hybrid system to classify current Internet traffic, motivated by variety of network activities and their requirements of traffic classification. The proposed method could achieve fast and accurate traffic classification with low overheads and robustness to accommodate both known and unknown/encrypted applications. Furthermore, it is feasible to be used in the context of real-time traffic classification. Our experimental results show the distinct advantages of the proposed classification system, compared with the one-step Machine Learning (ML) approach.

Hui Liu,Wenfeng Feng,Yongfeng Huang,Xing Li

DOI: https://doi.org/10.1109/nas.2007.6

2007-01-01

Abstract:The use of peer-to-peer (P2P) applications is growing dramatically, which results in several serious problems such as the network congestion and traffic hindrance. In this paper, a method is', proposed to identify the P2P traffic based on the machine learning. The novelty of the proposed method is that it utilizes only the size of packets exchanged between IPs within seconds. By investigating the ratio between the upload and download traffic volume of several P2P applications, a characteristic library is constructed. Then the unknown network traffic can be recognized online using this library. The distinguished features of the proposed method lie in that fast computation, high identification accuracy, and resource-saving capability. Finally, experiment results show the satisfactory performance of the proposed method.

JunPeng Mao,YanLi Cui,JianHua Huang,JianBiao Zhang

DOI: https://doi.org/10.1109/cmc.2009.286

2009-01-01

Abstract:Convenient, rapid, efficient and anonymous characteristic of P2P technology, enables P2P network gathering enormous users very quickly, and P2P traffic has occupied 60~80% bandwidth of Internet. Such giant traffic has formed a threat to the service quality of other Internet application and the security of Internet itself. However, most study about P2P traffic focuses on traffic monitoring and characteristic identifying technique. Rare study analyzes P2P traffic behavior from P2P mechanism itself. This paper construct P2P network queuing model, analyzes the influence of related factors to the load-scale of concrete resource. Main conclusion including, compared with other factors, average degree of node and TTL value is the most key factor to load-scale. Load-scale increases with node quantity, initial number of objected resource and resource’s total quantity, however, when those quantity reach to some critical threshold, the influence of those factors become quite weak to load-scale of resource.

JunPeng Mao,Yanli Cui,JianHua Huang,JianBiao Zhang

DOI: https://doi.org/10.1109/isise.2008.58

2008-01-01

Abstract:How much service performance of searching and transmitting Is provided by P2P network for a concrete resource? How much success ratio and recall ratio of resource's searching of existing P2P network is? Rare research is deepened about those questions. This paper, for unstructured P2P network, construct P2P network queuing model, provide calculating method of service performance of concrete resource, analyze success ratio and recall ratio of resource's searching, by experiment simulation, discuss the influence of resource's popularity, Peer's quantity, initial number of objected resource, Peer's average degree and TTL value of protocol to the searching result of concrete resource. We conclude, during the resource searching process, the number of searching result linearly increases with initial number of objected resource, and exponentially increases with Peer's average degree and TTL value, but decreases nonlinearly with Peer's quantity.

Jun Li,Shunyi Zhang,Cuilian Li,Junrong Yan

DOI: https://doi.org/10.1002/nem.735

2010-01-01

International Journal of Network Management

Abstract:Accurate and real-time classifi cation of network traffic is significant to a number of network operation and management tasks such as quality of service differentiation, traffic shaping and security surveillance. However, with emerging P2P applications using dynamic port numbers, IP masquerading techniques and payload encryption, accurate and intelligent traffic classification continues to be a big challenge despite a wide range of research work on the topic. Since each classification method has its disadvantages and hardly could meet the specific requirement of Internet traffic classification, this paper innovatively presents a composite traffic classification system. The proposed lightweight system can accurately and effectively identify Internet traffic with good scalability to accommodate both known and unknown/encrypted applications. Furthermore, It promises to satisfy various Internet uses and is feasible for use in real-time line speed applications. Our experimental results show the distinct advantages of the proposed classification system.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Zhu Li,Ruixi Yuan,Xiaohong Guan

DOI: https://doi.org/10.1007/978-3-540-73111-5_8

2007-01-01

Abstract:Timely traffic identification is critical in network security monitoring and traffic engineering. Traditional methods using well-known ports, protocols and precise signature matching are no longer accurate with the proliferation of new applications. Recently, applying pattern recognition methods to classify network application traffic based on the flow parameters (e.g. port, flow duration, etc.) has become increasing popular. However, many methods developed in the previous works are either too complex to be applied in real-time, or suffer from lower accuracy due to the insufficient knowledge of the application. In this paper, we first give an overview on the developments of pattern recognition methods as traffic classification tools. We then develop two separate pattern recognition methods: one with supervised learning, and one with un-supervised learning, and apply them to classify traffic captured from a campus backbone network. The supervised learning method (an optimized SVM method) yields approximately 99.41 % accuracy for the collected traffic. The un-supervised learning method (an entropy based clustering method) gets the average accuracy of 92.41% for the top 20 traffic generating hosts during the same time period. Performance test on a single PC with 3GHz Pentium 4 processors and 1 GB of memory show that both methods can handle more than 10000 network flows per second, close to real time requirements for many situations.

LI Ming,JIA Bo

DOI: https://doi.org/10.3969/j.issn.1001-9146.2011.04.040

2011-01-01

Abstract:Real-time using neural network to quickly identify the advantages of learning and presents a wavelet neural network and statistical characteristics of the combination of P2P traffic identification method.In real network environment,through the establishment of the network classification model,statistical analysis and extract a variety of flow characteristics,the wavelet neural network P2P application traffic characteristics of various learning and recognition,improve the accuracy of P2P traffic identification,improving the previous one Recognition of the complexity.

Qianli Zhang,Yunlong Ma,Pei Zhang,Jilong Wang,Xing Li

DOI: https://doi.org/10.1109/icicip.2014.7010349

2014-01-01

Abstract:Though it is commonly assumed that Internet traffic is dominated by TCP, there has been an increasing demand for UDP based P2P applications. UDP is widely used in new P2P networks because it can provides better support for NAT traversal. Since many of these applications use private protocols, UDP traffic is often hard to analyze, especially if the available data is only netflow records. In this paper, a component based method is proposed to analyze UDP traffic. Since flows in each component share the same application, P2P traffic can be identified without packet level information.

Dongyan Zhang,Chao Zheng,Hongli Zhang,Hongliang Yu

DOI: https://doi.org/10.1109/iciw.2010.36

2010-01-01

Abstract:More and more applications are adopting peer-to-peer (P2P) technology. Skype is a P2P based, popular VoIP software. The software works almost seamlessly across Network Address Translations (NATs) and firewalls and has better voice quality than most IM applications. The communication protocol and source code of Skype are undisclosed. It uses high strength encryption and random port number selection, which render the traditional flow identification solutions invalid. In this paper, we first obtain the Skype clients and super nodes by analyzing the process of login and calling in different network environments. Then we propose a method to identify Skype traffic based on Skype nodes and flow features. Our proposed method makes the previously hard-to-detect Skype traffic, especially voice service traffic, much easier to identify. We design an identification system utilizing the proposed method and implement the system in a LAN network. We also successfully identified Skype traffic in one of the largest Internet Providers over a period of 93 hours, during which over 30TB data were transmitted. Through experiments, we show that our proposed approach and implementations can indeed identify Skype traffic with higher accuracy and effectiveness.

Ziming Zhao,Zhaoxuan Li,Fan Zhang,Tingting Li,Jianwei Yin

DOI: https://doi.org/10.1145/3672202.3673720

2024-01-01

Abstract:Cyber attacks are increasingly becoming prevalent and influence the Internet ecosystem. Particularly, botnets crafted by adversaries cause significant damage to Internet infrastructure. In the last decade, the boom of P2P protocols broadened and amplified the attack surface, manifested as the built botnet usually containing over 100K nodes. However, the existing state-of-the-art graph-based method exhibits many misclassifications when existing legitimate P2P communication. In this paper, we propose an intelligent node retrieval process based on reinforcement learning to calibrate more misidentifications with as few retrievals as possible. The empirical evaluations that contain >100,000 communication nodes from the real-world IP backbone topology and involve 7 common P2P protocols show our proposal realizes superior outcomes for misidentification calibrations.

Yu Chen,Xiayu Ping,Tao Wei

DOI: https://doi.org/10.1109/ICITIS.2010.5689522

2010-01-01

Abstract:The principal technique employed in application traffic classification, a task of identifying the applications underlying network traffic, has evolved from based on port number to deep packet inspection to payload-independent classification. We propose a novel approach in the last category. The principal idea of our method is that we associate an application with temporal patterns of the command exchange modes (subsequences of packets) of TCP flows generated by the application. Since these patterns are local by nature, our approach might be able to identify an application even if only a portion of a full flow is observable. We have applied such method to classify a number of popular P2P applications and to detect suspicious botnet traffic. To identify these kinds of traffic, we not only utilize flow patterns, but also incorporate some statistics on multi-flow and host levels. We have tested our algorithm on P2P traffic collected from our institute's computer network and on botnet traffic collected from a national-wide distributed honeynet. The early results are quite encouraging. © 2010 IEEE.

Paola Bermolen,Marco Mellia,Michela Meo,Dario Rossi,Silvio Valenti

DOI: https://doi.org/10.1016/j.comnet.2010.12.004

IF: 5.493

2011-04-01

Computer Networks

Abstract:Peer-to-Peer streaming (P2P-TV) applications offer the capability to watch real time video over the Internet at low cost. Some applications have started to become popular, raising the concern of Network Operators that fear the large amount of traffic they might generate. Unfortunately, most of P2P-TV applications are based on proprietary and unknown protocols, and this makes the detection of such traffic challenging per se. In this paper, we propose a novel methodology to accurately classify P2P-TV traffic and to identify the specific P2P-TV application which generated it. Our proposal relies only on the count of packets and bytes exchanged among peers during small time-windows: the rationale is that these two counts convey a wealth of useful information, concerning several aspects of the application and its inner workings, such as signaling activities and video chunk size.Our classification framework, which uses Support Vector Machines, accurately identifies P2P-TV traffic as well as traffic that is generated by other kinds of applications, so that the number of false classification events is negligible. By means of a large experimental campaign, which uses both testbed and real network traffic, we show that it is actually possible to reliably discriminate between different P2P-TV applications by simply counting packets.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

YU Hao,XU Mingwei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.04.041

2009-01-01

Abstract:P2P flows occupy 60%-70% of the entire network traffic with transfers of non-licensed content and security problems affecting HTTP,EMAIL,and other traditional applications.ISP and network operators need to manage P2P traffic to ensure the performance of traditional applications.To accomplish this goal,the system must first identify the P2P traffic.Current identification technology can be generally divided into three categories as packet level methods,flow level methods,and node level methods.This paper surveys the advantages and disadvantages of the current P2P flow identification methods.A variety of methods are combined to more effectively detect P2P flow.The survey also indicates new directions in P2P detection.

Zhongqiang Chen,Alex Delis,Peter Wei

DOI: https://doi.org/10.1142/s0218843008001750

2008-01-01

International Journal of Cooperative Information Systems

Abstract:Sessions generated by Instant Messaging and Peer-to-Peer systems (IM/P2Ps) not only consume considerable bandwidth and computing resources but also dramatically change the characteristics of data flows affecting both the operation and performance of networks. Most IM/P2Ps have known security loopholes and vulnerabilities making them an ideal platform for the dissemination of viruses, worms, and other malware. The lack of access control and weak authentication on shared resources further exacerbates the situation. Should IM/P2Ps be deployed in production environments, performance of conventional applications may significantly deteriorate and enterprise data may be contaminated. It is therefore imperative to identify, monitor and finally manage IM/P2P traffic. Unfortunately, this task cannot be easily attained as IM/P2Ps resort to advanced techniques to hide their traces including multiple channels to deliver services, port hopping, message encapsulation and encryption. In this paper, we propose an extensible framework that not only helps to identify and classify IM/P2P-generated sessions in real time but also assists in the manipulation of such traffic. Consisting of four modules namely, session manager, traffic assembler, IM/P2P dissector, and traffic arbitrator, our proposed framework uses multiple techniques to improve its traffic classification accuracy and performance. Through fine-tuned splay and interval trees that help organize IM/P2P sessions and packets in data streams, we accomplish stateful inspection, traffic re-assembly, data stream correlation, and application layer analysis that combined will boost the framework's identification precision. More importantly, we introduce IM/P2Ps "plug-and-play" protocol analyzers that inspect data streams according to their syntax and semantics; these analyzers render our framework easily extensible. Identified IM/P2P sessions can be shaped, blocked, or disconnected, and corresponding traffic can be stored for forensic analysis and threat evaluation. Experiments with our prototype show high IM/P2Ps detection accuracy rates under diverse settings and excellent overall performance in both controlled and real-world environments.