LIU Bin,LI Zhi-tang,LI Jia

DOI: https://doi.org/10.3321/j.issn:0438-0479.2007.z2.035

2007-01-01

Abstract:P2P(Peer-to-peer) technology is a new communication model.It is developing rapidly in these years,and widely used in the sharing of network resources,instant communications,etc..While P2P is promoting Internet's development,it is also bringing about many issues such as too much bandwidth occupying and network security problems.Since more and more P2P applications are using dynamic random port numbers,the traditional port matching technology is becoming useless.Being different from the C/S(Client/Server) structured networks,in a P2P network,each peer is playing both the server and the client dual roles.While it initiates connections to other peers,it also opens listening ports for other peers connecting to it.Besides,while it downloads data from other peers,it uploads at the same time.Basing on these facts,this paper designed and implemented a new P2P traffic detection technology based on flow characteristics.

Mingjiang Ye,Jianping Wu,Ke Xu,Dah Ming Chiu

DOI: https://doi.org/10.1016/j.comcom.2010.01.005

2009-01-01

Abstract:Classifying network traffic according to its applications is important to a broad range of network areas. Since new applications, especially P2P applications, no longer use well-known fixed port numbers, the native port based traffic classification technique has become much less effective. In this paper, we propose a novel approach to identify P2P traffic by leveraging on the data transfer behaviour of P2P applications. The behaviour investigated in the paper is that downloaded data from a P2P host will be uploaded to other hosts later. To find the shared data of downloading flows and uploading flows online, the content based partitioning schema is used to partition the flows into data blocks. Flows sharing the same data blocks are identified as P2P flows. The effectiveness of this method is demonstrated by experiments on various P2P applications. The results show that the algorithm can identify P2P applications very accurately while only keeping a small set of data blocks. The method is generic and can be applied to most P2P applications.

Xiaoyu Ma,Feiyan Chen

DOI: https://doi.org/10.4028/www.scientific.net/amr.433-440.5193

2012-01-01

Advanced Materials Research

Abstract:The P2P streaming media technology is popular and promising in recent years, to ensure the correctness of the identification method, and improve the identification rate and accuracy of the network traffic, this paper proposes a identification principle and algorithm of the P2P network traffic, and gives the overall structure of the system, Finally, puts up the system test environment. The experimental results show that the identification method of the network traffic proposed in this paper can effectively improve the identification rate and accuracy of the network traffic, the scheme has the value of further research and promotion.

Gang Wang,Wei Ding,Shi Dong

DOI: https://doi.org/10.1109/ICON.2011.6168484

2011-01-01

Networks

Abstract:In this paper, we select several prevalent Peer-to-peer (P2P) network TV as research objects, and analyze their differences in port usage and packet size distribution thoroughly, based on their traffic from local captured files. By observing and summarizing the above characteristics, we discover that (i) a network TV application employs only one port to generate most of UDP traffic in one communication period, and (ii) the UDP packet sizes in various network TVs differ significantly. Thus, a methodology that can classify P2P application's UDP traffic accurately and effectively is proposed. Through identifying and verifying the PPStream (PPS) application traffic which is called trace data collected from the backbone channel of CERNET (China Education and Research NETwork) border Jiangsu Province, we are able to classify more than 96% of the traffic with accuracy of over 97%. At the end of the paper, by marking the trace data through our methodology, we list the results with the term of traffic proportion about the selected P2P applications.

XU Bo,CHEN Ming,HU Chao,SUN Rui-jin

DOI: https://doi.org/10.3969/j.issn.1007-5321.2010.02.020

2010-01-01

Abstract:To obtain peer to peer(P2P)flow information accurately in a realtime and low-cost way,NetFlow based P2P flows analysis system called netFlow-based P2P flows analysis system(NPFAS)is proposed,it loosely integrates systems for flow aggregation,flow identification and flow analysis respectively in a distributed manner.By utilizing the key information of P2P flows provided by P2P identification systems,NPFAS can extract P2P flow statistical information from NetFlow records generated by NetFlow-enabled devices and analyze it by some existing analysis systems.NPFAS provides a feasible solution for analyzing P2P flows based on the Linux-Intel framework.Experiments of the prototype system have verified feasibility and availability of NPFAS.

Pinghui Wang,Xiaohong Guan,Tao Qin

DOI: https://doi.org/10.1109/camad.2009.5161471

2009-01-01

Abstract:Peer-to-Peer (P2P) protocol is widely used in many network applications and P2P traffic is becoming dominating in the current Internet and may cause serious congestion. Recently, P2P applications tend to intentionally disguise their traffic flows by using arbitrary ports, which leads the accurate identification of P2P traffic to become a very difficult job and hot research topic in network traffic control. In this paper, we employ the longest common subsequence to identify the key packets from the traffic flows, and present a new method to identify the P2P flows based on the signatures of key packets with only direction and payload length in the first few packets of a flow. We test the new method with four popular P2P applications in the actual network environment and the results show that the new method has high accuracy and efficiency since only a few packets in each flow needs to be analyzed. The new method is suitable for real time traffic management and monitoring.

Qianli Zhang,Yunlong Ma,Jilong Wang,Xing Li

DOI: https://doi.org/10.1109/apnoms.2014.6996569

2014-01-01

Abstract:Comparing to TCP traffic, the composition of UDP traffic is still unclear. Although it is observed that a large fraction of UDP traffic appears to be P2P applications, application level classification of UDP traffic is still very hard since most of these applications are private protocols based. In this paper, a novel method is proposed to classify UDP traffic. Based on the assumption that traffic from two communicating half-tuples identified by the <; IP address, portnumber > is from the same application, all half-tuples can be grouped into several connected subgraphs. The port numbers which are adopted by most links or half-tuples in each subgroup can thus be used to characterize the application types of the whole subgroup. Experiment results show that this approach is feasible and can classify UDP traffic only using flow level information. The port numbers adopted by most links or half-tuples are surprisingly stable among different time periods, for example, for Youku application remain the same for more than 90% of periods in all the 1429 periods.

Byeong-Geol Choi,Siyoung Lee,Yeong-Il Seo,Zhibin Yu,Jae Bok Jun,Sung‐Hoon Kim

2010-01-01

Abstract:Nowadays, transmission bandwidth for network traffic is increasing and the type is varied such as peer-to-peer (PZP), real-time video, and so on, because distributed computing environment is spread and various network-based applications are developed. However, as PZP traffic occupies much volume among Internet backbone traffics, transmission bandwidth and quality of service(QoS) of other network applications such as web, ftp, and real-time video cannot be guaranteed. In previous research, the port-based technique which checks well-known port number and the Deep Packet Inspection(DPI) technique which checks the payload of packets were suggested for solving the problem of the P2P traffics, however there were difficulties to apply those methods to detection of P2P traffics because P2P applications are not used well-known port number and payload of packets may be encrypted. A proposed algorithm for identifying P2P heavy traffics based on flow transport parameters and behavioral characteristics can solve the problem of the port-based technique and the DPI technique. The focus of this paper is to identify P2P heavy traffic flows rather than all P2P traffics. P2P traffics are consist of two steps i)searching the opposite peer which have some contents ii) downloading the contents from one or more peers. We define P2P flow patterns on these P2P applications' features and then implement the system to classify P2P heavy traffics.

YU Hao,XU Mingwei

DOI: https://doi.org/10.3321/j.issn:1000-0054.2009.04.041

2009-01-01

Abstract:P2P flows occupy 60%-70% of the entire network traffic with transfers of non-licensed content and security problems affecting HTTP,EMAIL,and other traditional applications.ISP and network operators need to manage P2P traffic to ensure the performance of traditional applications.To accomplish this goal,the system must first identify the P2P traffic.Current identification technology can be generally divided into three categories as packet level methods,flow level methods,and node level methods.This paper surveys the advantages and disadvantages of the current P2P flow identification methods.A variety of methods are combined to more effectively detect P2P flow.The survey also indicates new directions in P2P detection.

Tao Qin,Lei Wang,Dan Zhao,Min Zhu

DOI: https://doi.org/10.1007/s12083-015-0350-2

IF: 3.488

2016-01-01

Peer-to-Peer Networking and Applications

Abstract:Peer-to-Peer system has achieved great success with millions of end users in the past several years. P2P traffic has occupied about 60-80 % of the total traffic volumes, which greatly consumes network bandwidth and causes congestions. To achieve the goal of efficacious P2P system management in the monitored network, in this paper we develop a framework named CUFTI (Core Users Finding and Traffic Identification). The core users are referred as long-lived peers, and we focus on life-time characteristics of coexisting peers within each snapshot of the overlay. Based on the analysis results of user's behaviour in PPlive system, we develop an accurate model to forecast the peer's residual life-time and identify the long-lived peers. Furthermore, we develop a flow identification model for P2P traffic management of those core users. Based on the analysis results of actual traffic traces, we find the P2P traffic flows are composed of data and control packets. Most of the control packets appear at the beginning and end of each flow to establish and close the communication between peers. We employ the direction and payload length of the control packets at the beginning of the flow as features to perform flow identification. Experimental results based on traces collected from the Northwest Region Center of CERN ET (China Education and Research Network) show that the newly developed methods outperforms other existing methods with lower false negative rate (FNR) and false positive rate (FPR).

Lu Xing,Duan Haixin,Li Xing

DOI: https://doi.org/10.1109/ISCIT.2007.4392088

2007-01-01

Abstract:Identification of P2P traffic is very useful for many network management tasks such as application-specific traffic engineering, network planning and monitoring. However, this is a challenging issue because many P2P applications use dynamic port numbers, and deriving signatures that can he used for reliable detection manually is time consuming and difficult. In this paper, we propose a novel approach to detect P2P traffic without any application-specific signatures. It is based on the content redistribution characteristic of P2P protocol: every peer acts both as a server and a client, so it will redistribute the content received to other peers. To evaluate our approach, we use traces collected in our campus network and a signature-based classifier is also implemented. Experiment results show that the approach can be used to identify known and unknown P2P traffic with very low false positive rate, and achieves high accuracy when detecting P2P streaming traffic.

Hongling Jiang,Xiuli Shao

DOI: https://doi.org/10.1007/s12083-012-0150-x

IF: 3.488

2012-01-01

Peer-to-Peer Networking and Applications

Abstract:Botnets are widely used by attackers and they have evolved from centralized structures to distributed structures. Most of the modern P2P bots launch attacks in a stealthy way and the detection approaches based on the malicious traffic of bots are inefficient. In this paper, an approach that aims to detect Peer-to-Peer (P2P) botnets is proposed. Unlike previous works, the approach is independent of any malicious traffic generated by bots and does not require bots’ information provided by external systems. It detects P2P bots by focusing on the instinct characteristics of their Command and Control (C&C) communications, which are identified by discovering flow dependencies in C&C traffic. After discovering the flow dependencies, our approach distinguishes P2P bots and normal hosts by clustering technique. Experimental results on real-world network traces merged with synthetic P2P botnet traces indicate that 1) flow dependency can be used to detect P2P botnets, and 2) the proposed approach can detect P2P botnets with a high detection rate and a low false positive rate.

Feng Liu,Zhitang Li,Junfeng Yu

DOI: https://doi.org/10.1109/ieec.2009.38

2009-01-01

Abstract:These years, P2P applications are very popular on the Internet and take a big part of the Internet traffic workload. Identifying the P2P traffic and understanding their behavior is an important field. However, previous P2P traffic identification methods by examining user payload or well-defined port numbers no longer adapt to current P2P applications. In this paper, we develop a statistical methodology by analyzing packet length and the P2P basic characteristic, P2P nodes can serve as a server and client at the same time, to identify P2P flows at the transport layer without relying on the port numbers and packet payload.

Jun Li,Shunyi Zhang,Yanqing Lu,Junrong Yan

DOI: https://doi.org/10.1109/glocom.2008.ecp.475

2008-01-01

Abstract:Accurate and fast identification of network traffic is an important element of many network management tasks such as QoS provisioning and security monitoring. However, as many newly-emerged Peer-to-Peer (P2P) applications using dynamic port numbers, masquerading techniques, and payload encryption to avoid detection, the classical approaches based on port mapping and payload analysis are ineffective. An alternative approach is to classify traffic by distinguishing the behavior of an application within the first few packets of TCP connection. We pursue this approach and demonstrate that information of few packets is enough to effectively identify P2P traffic. In our work, C4.5 decision tree and REPTree are evaluated and compared with the previously used clustering method K-Means. Experimental results show that our approaches outperform K- Means algorithm in accuracy. In addition, the proposed approaches can accommodate known and unknown P2P traffic and even encrypted traffic in fast and accurate way, which ensures the real-time applications on the Internet traffic surveillance and QoS provisioning.

Liu Bin,Li Zhitang,Tu Hao

DOI: https://doi.org/10.1117/12.773782

2007-01-01

Abstract:P2P applications for file-sharing and video streaming have become tremendously popular in recent years, and it is now accounting for a significant share of the total network traffic. As P2P applications nowadays tend to use arbitrary ports to camouflage their communications, traditional methods like port-based identification have become highly inaccurate. In this paper, we propose a measurement system to detect and measure the real-time P2P traffic more reliably. The measurement methodology is based on using application level signatures implemented by netfilter extension as well as packet classifier. We further present the results from a P2P traffic analysis at a campus network, which show that this P2P traffic measurement system can provide the performance and scalability required for practical applications.

CHEN Bao-gang,ZHANG Ling,XU Yong,HU Jin-long,HUANG Song

2007-01-01

Journal of Computer Applications

Abstract:To understand the characteristics of peer-to-peer (P2P) traffic in network, a P2P file sharing application traffic was analyzed. The analytical results show that traffic of Maze has the following characteristics: the traffic is burst; the locality is less evident than that of WWW and FTP; the flow size follows the distribution different from WWW; flow duration time is longer than that of WWW and FTP distinctly; and the proportion of big flows in Maze traffic is higher than that of WWW and FTP.

LI Wen,LIANG Gang

DOI: https://doi.org/10.3969/j.issn.0490-6756.2011.02.013

2011-01-01

Abstract:With the development of P2P applications,some technology has emerged,such as random ports,tunneling,encryption and so on,which decreased the identification rate of traditional detection methods.A dynamic P2P detection method based on network traffic was proposed to this problem,and traffic threshold which selected detection algorithms dynamically was adopted to improve adaptability and detection performance,with analyzing the influence of network traffic on false positive rate and false negative rate of different detection algorithms.What's more,load balancing was applied to adjustment of traffic threshold to realize a variable step-size adaptive algorithm,and the experiments proved that it made P2P identification in diverse networks stable and efficient.

YUE Yan-hui,LI Zhi-tang,LIU Bin

DOI: https://doi.org/10.3969/j.issn.1001-3695.2008.04.081

2008-01-01

Abstract:The paper analysed the characteristics of P2P traffic and discussed the current research concerning P2P traffic identification and measurement.Based on the analysis of IPP2P module which could identify P2P traffic through searching the application layer data by suitable patterns,a P2P traffic measurement system based on Netfilter was proposed.This measurement system matched P2P protocol signature in kernel to identify P2P data,then did the statistics of the data by connection tracking technology with high performance to achieve the real-time measurement of P2P traffic.

NIU Wei-na,ZHANG Xiao-song,SUN En-bo,YANG Guo-wu,ZHAO Ling-yuan

DOI: https://doi.org/10.3969/j.issn.1001-0548.2017.06.019

2017-01-01

Abstract:The botnet has been one of the most common threats to the network security since it exploits multiple malicious codes like worm, Trojans, Rootkit, etc. toperform thedenial-of-service attack, send phishing links, and provide malicious services. Peer-to-peer (P2P) botnet is more difficult to be detected compared with IRC, HTTP and other types of botnets because it has typical features of the centralization and distribution. To solve these problems, we propose an effective two-stage traffic classification method to detect P2P botnet traffic based on both non-P2P traffic filtering mechanism and machine learning techniques on conversation features. At the first stage, the non-P2P packages are filtered to reduce the amount of network traffic, according to well-known ports, DNS query, and flow counting. At the second stage, the conversation features based on data flow features and flow similarity are extracted. Finally, the P2P botnet is detected by using Random Forest based on the decision tree model. Experimental evaluations on UNB ISCX botnet dataset shows that our two-stage detection method has a higher accuracy than traditional P2P botnet detection methods.

YANG Yue-Xiang,WANG Rui,TANG Chuan,LI Qiang

DOI: https://doi.org/10.3321/j.issn:1000-436X.2006.z1.031

2006-01-01

Abstract:P2P traffic has become one of the most significant portions of the network traffic. Accurate identification of P2P traffic makes great sense for efficient network management and reasonable utility of network resources. Firstly a statistic feature that can be used for identifying P2P traffic in a specific network topology was proposed, and then a novel P2P traffic identification method was introduced based on twofold features. This method not only improved the weak app-level classification ability of statistic-based methods, but also acquired the ability of identifying payload-encrypted and unknown traffic which was hard for payload-based methods to fulfill. Experimental results show that the proposed method has low cost and proper accuracy in comparison with the traditional payload-based method.