A methodology for P2P file-sharing traffic detection

Since the widespread adoption of peer-to-peer (P2P) networking during the late '90s, P2P applications have multiplied. Their diffusion and adoption are witnessed by the fact that P2P traffic accounts for a significant fraction of Internet traffic. Further, there are concerns regarding the use of these applications, for instance when they are employed to share copyright protected material. Hence, in many situations there would be many reasons to detect P2P traffic. In the late '90s, P2P traffic was easily recognizable since P2P protocols used application-specific TCP or UDP port numbers. However, P2P applications were quickly empowered with the ability to use arbitrary ports in an attempt to go undetected. Nowadays, P2P applications explicitly try to camouflage the originated traffic in an attempt to go undetected. Despite the presence of rules to detect P2P traffic, no methodology exists to extract them from applications without the use of reverse engineering. In this paper we develop a methodology to detect P2P traffic. It is based on the analysis of the protocol used by a P2P application, extraction of specific patterns unique to the protocol, coding of such a pattern in rules to be fed to an Intrusion Detection System (IDS), and validation of the pattern via network traffic monitoring with SNORT (an open source IDS) fed with the devised rules. In particular, we present a characterization of P2P traffic originated by the OpenNap and WPN protocols (implemented in the WinMx application) and FastTrack protocol (used by KaZaA) obtained using our methodology, that shows the viability of our proposal. Finally, we conclude the paper exposing our undergoing efforts in the extension of the methodology to exploit differences between centralized and decentralized P2P protocols, as well as the characterization of encrypted traffic, and highlight a new research direction in the identification of P2P traffic.