http://www.isi.edu/~johnh/tags/Bartlett06a/ John Heidemann http://www.isi.edu/~johnh/PAPERS/Bartlett06a/ http://www.isi.edu/~johnh/PAPERS/Bartlett06a/ 2006 Bartlett06a papers Mon, 18 Jul 2011 16:44:27 -0700 2011-07-19T00:16:03Z Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing (extended) Genevieve Bartlett, John Heidemann, and Christos Papadopoulos USC/Information Sciences Institute <a name="abstract"> Abstract </a> Blind techniques to detect network applications--approaches that do not consider packet contents--are increasingly desirable because they have fewer legal and privacy concerns, and they can be robust to application changes and intentional cloaking. In this paper we identify several behaviors that are inherent to peer-to-peer (P2P) traffic and demonstrate that they can detect both BitTorrent and Gnutella hosts using only packet header and timing information. We identify three basic behaviors: failed connections, the ratio of incoming and outgoing connections, and the use of unprivileged ports. We show that while individual behaviors are sometimes effective, they work best when used together. We quantify the effectiveness of our approach using two day-long traces, from 2005 and 2006, showing that they are quite accurate: BitTorrent hosts are detected with an&nbsp;83% true positive rate and only a&nbsp;2% false positive rate, and Gnutella hosts with a&nbsp;75% true positive rate and a&nbsp;4% false postivie rate. Our system is suitable for on-line use, with&nbsp;75% of BitTorrent hosts detected in less than 10 minutes of trace data. Availability This paper is available in several formats: <a href="http://www.isi.edu/~johnh/tags/Bartlett06a/../../PAPERS/Bartlett06a/index.html">abstract web page</a> with pointers and cites, <a href="http://www.isi.edu/~johnh/tags/Bartlett06a/../../PAPERS/Bartlett06a.pdf">PDF</a>, paper copies can be obtained by <a href="mailto:johnh@isi.edu">mail to the authors</a>. Copyright terms for this paper appear below. Reference <a name="reference">Bartlett06a</a> Genevieve Bartlett, John Heidemann, and Christos Papadopoulos. Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing (extended). Technical Report ISI-TR-2006-627, USC/Information Sciences Institute, December, 2006. &lt;<a href="http://www.isi.edu/~johnh/PAPERS/Bartlett06a.html">http://www.isi.edu/~johnh/PAPERS/Bartlett06a.html</a>&gt;. <a name="bibtex"> @techreport{Bartlett06a, author = "Genevieve Bartlett and John Heidemann and Christos Papadopoulos", title = "Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing (extended)", institution = "USC/Information Sciences Institute", year = "2006", number = "ISI-TR-2006-627", month = "December", url = "http://www.isi.edu/~johnh/PAPERS/Bartlett06a.html", pdfurl = "http://www.isi.edu/~johnh/PAPERS/Bartlett06a.pdf", myorganization = "USC/Information Sciences Institute", copyrightholder = "authors", } </a> Copyright This paper is copyright &copy; 2006 by its authors. Permission to make digital or hard copies of part or all of this work for personal use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that new copies bear this notice and the full citation on the first page. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission of the authors.