Peer to Peer (P2P) Traffic Classification

1
Peer to Peer (P2P) Traffic Classification

• Alok Madhukar -- M.Sc. Thesis Defence
• Supervisor Dr. Carey Williamson

2
Why measure P2P traffic?

• Usage analysis obtaining meaningful data from
  an IP network
• Traffic engineering
• Optimize and control network utilization to
  address problems such as congestion, poor QoS,
  high latency
• Content-based charging

3
Why is it hard?

• Moving target rapid evolution of P2P apps
• Early P2P applications (e.g., Napster)
• Used well-known port numbers
• Easy to monitor
• Recent P2P applications (e.g., KaZaA)
• Dynamic (random) port numbers
• Harder to detect
• Current P2P applications
• Dynamic ports HTTP masquerading chunked
  transfers bidirectional transfers encrypted
  payloads...

4
Research Questions

• What proportion of todays Internet traffic is
  P2P?
• How effective is Internet traffic classification
  using well-known ports?
• How effective are other recent techniques for P2P
  traffic classification?

5
My Work

• Comparative evaluation of the effectiveness of
  P2P traffic classification techniques
• Port classification (well-known ports)
• Payload analysis Sen et al. WWW 2004
• Transport-layer analysis Karagiannis IMC 2004
• Design of custom tools for each technique
• Using empirical network traces from the
  University of Calgary Internet connection
• 2 years of trace data

6
Data Collection

• Use tcpdump as network monitor on U of C campus
  Internet connection
• Data collection started in September 2003
• TCP/IP packet headers (SYN/FIN/RST)
• 2 years of data available for analysis

Internet
Two 1.4 GHz PIII, 2 GB RAM, 140 GB Hard Disk
100 Mbps Full Duplex
Campus Router
1 Gbps Half Duplex
Monitor
UoC
7
Network Activity (Sept 2003 July 2005)
Sep Oct Nov Dec Jan Feb Mar Apr May
Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr
May Jun Jul
2003 2004

2005
8
Port Analysis Results
SSH
HTTP(c)
SMTP
Unknown
MSSQL-S
HTTP(s)
Sep Oct Nov Dec Jan Feb Mar Apr May
Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr
May Jun Jul
2003 2004

2005
9
Port Analysis - Observations

• HTTP traffic varies from 20 - 60
• HTTP traffic is most pronounced during normal
  working hours (9am to 5pm)
• 30-70 of the traffic cannot be classified using
  well-known port analysis
• The unknown traffic dominates at night time and
  on weekends
• The unknown traffic has increased from 20-30
  in Sept 2003July 2004 to 30-70 in Aug
  2004-July 2005

10
Payload Signature Analysis

• Based on Sen et al. WWW 2004
• Advantages
• - Accurate (validated on short trace)
• Disadvantages
• - Privacy issues
• - Needs full payload (not available)
• - Encryption makes this impossible
• - Frequent updates needed

11
Transport-Layer Method

• Based on Karagiannis et al. IMC 2004
• Unique IP-Port Pair Heuristic Examine the
  structural characteristics for the number of
  unique hosts and unique ports used by
  communicating partners
• Validated on same short trace

12
Results of Transport-Layer Method
Jan Feb Mar Apr May
Jun Jul Aug Sep Oct
Nov Dec
13
Summary and Conclusions

• Peer-to-peer (P2P) traffic measurement is
  important (and challenging!)
• Port analysis is incapable of classifying peer to
  peer applications today
• Application signatures are accurate, but require
  examination of user payload, which might not
  always be possible
• Transport-layer heuristics can effectively
  estimate aggregate P2P traffic
• Better methods are required for P2P application
  classification and traffic measurement as P2P
  apps evolve