2 research outputs found
Inferring undesirable behavior from P2P traffic analysis
While peer-to-peer (P2P) systems have emerged in popularity in recent years, their large-scale and complexity make them difficult to reason about. In this paper, we argue that systematic analysis of traffic characteristics of P2P systems can reveal a wealth of information about their behavior, and highlight potential undesirable activities that such systems may exhibit. As a first step to this end, we present an offline and semi-automated approach to detect undesirable behavior. Our analysis is applied on real traffic traces collected from a Point-of-Presence (PoP) of a national-wide ISP in which over 70% of the total traffic is due to eMule, a popular P2P file-sharing system. Flow-level measurements are aggregated into "samples" referring to the activity of each host during a time interval. We then employ a clustering technique to automatically and coarsely identify similar behavior across samples, and extensively use domain knowledge to interpret and analyze the resulting clusters. Our analysis shows several examples of undesirable behavior including evidence of DDoS attacks exploiting live P2P clients, significant amounts of unwanted traffic that may harm network performance, and instances where the performance of participating peers may be subverted due to maliciously deployed servers. Identification of such patterns can benefit network operators, P2P system developers, and actual end-user
Inferring undesirable behavior from P2P traffic analysis
While peer-to-peer (P2P) systems have emerged in popularity in
recent years, their large-scale and complexity make them difficult
to reason about. In this paper, we argue that systematic analysis
of traffic characteristics of P2P systems can reveal a wealth of information
about their behavior, and highlight potential undesirable
activities that such systems may exhibit. As a first step to this end,
we present an offline and semi-automated approach to detect undesirable
behavior. Our analysis is applied on real traffic traces
collected from a Point-of-Presence (PoP) of a national-wide ISP in
which over 70% of the total traffic is due to eMule, a popular
P2P file-sharing system. Flow-level measurements are aggregated
into “samples” referring to the activity of each host during a time
interval. We then employ a clustering technique to automatically
and coarsely identify similar behavior across samples, and extensively
use domain knowledge to interpret and analyze the resulting
clusters. Our analysis shows several examples of undesirable
behavior including evidence of DDoS attacks exploiting live P2P
clients, significant amounts of unwanted traffic that may harm network
performance, and instances where the performance of participating
peers may be subverted due to maliciously deployed servers.
Identification of such patterns can benefit network operators, P2P
system developers, and actual end-users