Comparing paedophile activity in different P2P systems

Peer-to-peer (P2P) systems are widely used to exchange content over the Internet. Knowledge on paedophile activity in such networks remains limited while it has important social consequences. Moreover, though there are different P2P systems in use, previous academic works on this topic focused on one system at a time and their results are not directly comparable. We design a methodology for comparing \kad and \edonkey, two P2P systems among the most prominent ones and with different anonymity levels. We monitor two \edonkey servers and the \kad network during several days and record hundreds of thousands of keyword-based queries. We detect paedophile-related queries with a previously validated tool and we propose, for the first time, a large-scale comparison of paedophile activity in two different P2P systems. We conclude that there are significantly fewer paedophile queries in \kad than in \edonkey (approximately 0.09% \vs 0.25%).Comment: Submitte

Removing bias due to finite measurement of dynamic systems: case study on P2P systems

Mesurer avec pr\'ecision la dynamique des graphes de terrain est une t\^ache difficile, car les propri\'et\'es observ\'ees peuvent \^etre biais\'ees pour diff\'erentes raisons, en particulier le fait que la p\'eriode de mesure soit finie. Dans ce papier, nous introduisons une m\'ethodologie g\'en\'erale qui nous permet de savoir si la fen\^etre d'observation est suffisamment longue pour caract\'eriser une propri\'et\'e donn\'ee dans n'importe quel syst\`eme dynamique. Nous appliquons cette m\'ethodologie \`a l'\'etude des dur\'ees de sessions et des dur\'ees de vie des fichiers sur deux jeux de donn\'ees P2P. Nous montrons que le comportement des propri\'et\'es est diff\'erent : pour les dur\'ees de sessions, notre m\'ethodologie nous permet de caract\'eriser avec pr\'ecision la forme de leur distribution. Par contre, pour les dur\'ees de vie des fichiers, nous montrons que cette propri\'et\'e ne peut pas \^etre caract\'eris\'ee, soit parce qu'elle n'est pas stationnaire, soit parce que la dur\'ee de notre mesure est trop courte

Internal links and pairs as a new tool for the analysis of bipartite complex networks

Many real-world complex networks are best modeled as bipartite (or 2-mode) graphs, where nodes are divided into two sets with links connecting one side to the other. However, there is currently a lack of methods to analyze properly such graphs as most existing measures and methods are suited to classical graphs. A usual but limited approach consists in deriving 1-mode graphs (called projections) from the underlying bipartite structure, though it causes important loss of information and data storage issues. We introduce here internal links and pairs as a new notion useful for such analysis: it gives insights on the information lost by projecting the bipartite graph. We illustrate the relevance of theses concepts on several real-world instances illustrating how it enables to discriminate behaviors among various cases when we compare them to a benchmark of random networks. Then, we show that we can draw benefit from this concept for both modeling complex networks and storing them in a compact format

Evidence Collection for Forensic Investigation in Peer to Peer Systems

Abstract Peer to Peer(P2P) file sharing networks are amongst the best free sources of information on the internet. Voluntary participation and lack of control makes them a very attractive option to share data anonymously. However a small group of people take advantage of the freedom provided by these networks and share content that is prohibited by law. Apart from copyrighted content, there are cases where people share les related to Child Pornography which is a criminal offense. Law enforcement attempts to track down these offenders by obtaining a court order for search and seizure of computers at a suspect location. These seized computers are forensically examined using storage and memory-forensics tools. However before the search warrant is issued strong evidence must be presented to provide a reason for suspiscion. Deficient investigation in the intial stages might lead to mis-identification of the source and steer the investigation in a wrong direction. Initial evidence collection on peer to peer le sharing networks is a challenge due to the lack of a central point of control and highly dynamic nature of the networks. The goal of this work is to create a working prototype of an initial evidence collection tool for forensics in P2P networks. The prototype is based on the idea that P2P networks could be monitored by introducing modified peer nodes onto the network for a certain time period and recording relevant information about nodes that possess criminally offensive content. Logging information sent by a suspicious node along with timestamps and unique identication information would provide a strong, verfiiable initial evidence. This work presents one such working prototype in alignment with the goals stated above

A Content Delivery Model for Online Video

Online video accounts for a large and growing portion of all Internet traffic. In order to cut bandwidth costs, it is necessary to use the available bandwidth of users to offload video downloads. Assuming that users can only keep and distribute one video at any given time, it is necessary to determine the global user cache distribution with the goal of achieving maximum peer traffic. The system model contains three different parties: viewers, idlers and servers. Viewers are those peers who are currently viewing a video. Idlers are those peers who are currently not viewing a video but are available to upload to others. Finally, servers can upload any video to any user and has infinite capacity. Every video maintains a first-in-first-out viewer queue which contains all the viewers for that video. Each viewer downloads from the peer that arrived before it, with the earliest arriving peer downloading from the server. Thus, the server must upload to one peer whenever the viewer queue is not empty. The aim of the idlers is to act as a server for a particular video, thereby eliminating all server traffic for that video. By using the popularity of videos, the number of idlers and some assumptions on the viewer arrival process, the optimal global video distribution in the user caches can be determined

Content Monitoring in BitTorrent Systems

BitTorrent is one of the most used file sharing protocols on the Internet today. Its efficiency is based on the fact that when users download a part of a file, they simultaneously upload other parts of the file to other users. This allows users to efficiently distribute large files to each other, without the need of a centralized server. The most popular torrent site is the Pirate Bay with more than 5,700,000 registered users. The motivation for this research is to find information about the use of BitTorrent, especially on the Pirate Bay website. This will be helpful for system administrators and researchers. We collected data on all of the torrents uploaded to the Pirate Bay from 25th of December, 2010 to 28th of October, 2011. Using this data we found out that a small percentage of users are responsible for a large portion of the uploaded torrents. There are over 81,000 distinct users, but the top nine publishers have published more than 16% of the torrents. We examined the publishing behaviour of the top publishers. The top usernames were publishing so much content that it became obvious that there are groups of people behind the usernames. Most of the content published is video files with a 52% share. We found out that torrents are uploaded to the Pirate Bay website at a fast rate. About 92% of the consecutive uploads have happened within 100 seconds or less from each other. However, the publishing activity varies a lot. These deviations in the publishing activity may be caused by down time of the Pirate Bay website, fluctuations in the publishing activity of the top publishers, national holidays or weekdays. One would think that the publishing activity with so many independent users would be quite level, but surprisingly this is not the case. About 85% of the files of the torrents are less than 1.5 GB in size. We also discovered that torrents of popular feature films were uploaded to the Pirate Bay very fast after their release and the top publishers appear to be competing on who releases the torrents first. It seems like the impact of the top publishers is quite significant in the publishing of torrents

Application acceleration for wireless and mobile data networks

This work studies application acceleration for wireless and mobile data networks. The problem of accelerating application can be addressed along multiple dimensions. The first dimension is advanced network protocol design, i.e., optimizing underlying network protocols, particulary transport layer protocol and link layer protocol. Despite advanced network protocol design, in this work we observe that certain application behaviors can fundamentally limit the performance achievable when operating over wireless and mobile data networks. The performance difference is caused by the complex application behaviors of these non-FTP applications. Explicitly dealing with application behaviors can improve application performance for new environments. Along this overcoming application behavior dimension, we accelerate applications by studying specific types of applications including Client-server, Peer-to-peer and Location-based applications. In exploring along this dimension, we identify a set of application behaviors that significantly affect application performance. To accommodate these application behaviors, we firstly extract general design principles that can apply to any applications whenever possible. These design principles can also be integrated into new application designs. We also consider specific applications by applying these design principles and build prototypes to demonstrate the effectiveness of the solutions. In the context of application acceleration, even though all the challenges belong to the two aforementioned dimensions of advanced network protocol design and overcoming application behavior are addressed, application performance can still be limited by the underlying network capability, particularly physical bandwidth. In this work, we study the possibility of speeding up data delivery by eliminating traffic redundancy present in application traffics. Specifically, we first study the traffic redundancy along multiple dimensions using traces obtained from multiple real wireless network deployments. Based on the insights obtained from the analysis, we propose Wireless Memory (WM), a two-ended AP-client solution to effectively exploit traffic redundancy in wireless and mobile environments. Application acceleration can be achieved along two other dimensions: network provision ing and quality of service (QoS). Network provisioning allocates network resources such as physical bandwidth or wireless spectrum, while QoS provides different priority to different applications, users, or data flows. These two dimensions have their respective limitations in the context of application acceleration. In this work, we focus on the two dimensions of overcoming application behavior and Eliminating traffic redundancy to improve application performance. The contribution of this work is as follows. First, we study the problem of application acceleration for wireless and mobile data networks, and we characterize the dimensions along which to address the problem. Second, we identify that application behaviors can significantly affect application performance, and we propose a set of design principles to deal with the behaviors. We also build prototypes to conduct system research. Third, we consider traffic redundancy elimination and propose a wireless memory approach.Ph.D.Committee Chair: Sivakumar, Raghupathy; Committee Member: Ammar, Mostafa; Committee Member: Fekri, Faramarz; Committee Member: Ji, Chuanyi; Committee Member: Ramachandran, Umakishor

Forensic investigations on child pornography file sharing using file sharing software on peer-to-peer networks

La prova informatica richiede l’adozione di precauzioni come in un qualsiasi altro accertamento scientifico. Si fornisce una panoramica sugli aspetti metodologici e applicativi dell’informatica forense alla luce del recente standard ISO/IEC 27037:2012 in tema di trattamento del reperto informatico nelle fasi di identificazione, raccolta, acquisizione e conservazione del dato digitale. Tali metodologie si attengono scrupolosamente alle esigenze di integrità e autenticità richieste dalle norme in materia di informatica forense, in particolare della Legge 48/2008 di ratifica della Convenzione di Budapest sul Cybercrime. In merito al reato di pedopornografia si offre una rassegna della normativa comunitaria e nazionale, ponendo l’enfasi sugli aspetti rilevanti ai fini dell’analisi forense. Rilevato che il file sharing su reti peer-to-peer è il canale sul quale maggiormente si concentra lo scambio di materiale illecito, si fornisce una panoramica dei protocolli e dei sistemi maggiormente diffusi, ponendo enfasi sulla rete eDonkey e il software eMule che trovano ampia diffusione tra gli utenti italiani. Si accenna alle problematiche che si incontrano nelle attività di indagine e di repressione del fenomeno, di competenza delle forze di polizia, per poi concentrarsi e fornire il contributo rilevante in tema di analisi forensi di sistemi informatici sequestrati a soggetti indagati (o imputati) di reato di pedopornografia: la progettazione e l’implementazione di eMuleForensic consente di svolgere in maniera estremamente precisa e rapida le operazioni di analisi degli eventi che si verificano utilizzando il software di file sharing eMule; il software è disponibile sia in rete all’url http://www.emuleforensic.com, sia come tool all’interno della distribuzione forense DEFT. Infine si fornisce una proposta di protocollo operativo per l’analisi forense di sistemi informatici coinvolti in indagini forensi di pedopornografia.Digital evidences require precautions as in any other scientific investigation. We provide an overview about methodology and application of computer forensics based on the recent ISO / IEC 27037:2012 relating to the processing of finding information in the stages of identification, collection, acquisition and preservation of digital data. These methods comply with the requirements of integrity and authenticity of the rules of computer forensics, in particular the Law 48/2008 about the ratification of the Budapest Convention on Cybercrime. Concering the child pornography crime, we offer an overview of EU and national legislation, with emphasis on relevant aspects for computer forensic analysis. We provide an overview of the peer-to-peer protocols and systems used for file sharing, with an emphasis on the eDonkey and eMule software that are widely spread in Italy. The design and implementation of eMuleForensic allows the computer forenser to perform a highly accurate and rapid operations analysis of the events that occur using eMule; the software is available in the url http://www.emuleforensic.com network, both as a forensic tool in the distribution DEFT. Finally, we provide a proposal for an operating protocol for forensic analysis of computer systems involved in forensic investigations on child pornography

Caring About the Plumbing: On the Importance of Architectures in Social Studies of (Peer-to-Peer) Technology

International audienceThis article discusses the relevance, for scholars working on social studies of network media, of "caring about the plumbing" (to paraphrase Bricklin, 2001), i.e., addressing elements of application architecture and design as an integral part of their subject of study. In particular, by discussing peer-to-peer (P2P) systems as a technical networking model and a dynamic of social interaction that are inextricably intertwined, the article introduces how the perspective outlined above is particularly useful to adopt when studying a promising area of innovation: that of "alternative" or "legitimate" (Verma, 2004) applications of P2P networks to search engines, social networks, video streaming and other Internet-based services. The article seeks to show how the Internet's current trajectories of innovation increasingly suggest that particular forms of architectural distribution and decentralization (or their lack), impact specific procedures, practices and uses. Architectures should be understood an "alternative way of influencing economic systems" (van Schewick, 2010), indeed, the very fabric of user behavior and interaction. Most notably, the P2P "alternative" to Internet-based services shows how the status of every Internet user as a consumer, a sharer, a producer and possibly a manager of digital content is informed by, and shapes in return, the technical structure and organization of the services (s)he has access to: their mandatory passage points, places of storage and trade, required intersections. In conclusion, this article is a call to study the technical architecture of networking applications as a "relational property" (Star & Ruhleder, 1996), and integral part of human organization. It suggests that such an approach provides an added value to the study of those communities, groups and practices that, by leveraging socio-technical dynamics of distribution, decentralization, collaboration and peer production, are currently questioning more traditional or institutionalized models of content creation, search and sharing