Inherent Behaviors for On-line Detection of Peer-to-Peer File Sharing (extended). Bartlett, G., Heidemann, J., & Papadopoulos, C. Technical Report ISI-TR-2006-627, USC/Information Sciences Institute, December, 2006.

Blind techniques to detect network applications—approaches that do not consider packet contents—are increasingly desirable because they have fewer legal and privacy concerns, and they can be robust to application changes and intentional cloaking. In this paper we identify several behaviors that are inherent to peer-to-peer (P2P) traffic and demonstrate that they can detect both BitTorrent and Gnutella hosts using only packet header and timing information. We identify three basic behaviors: failed connections, the ratio of incoming and outgoing connections, and the use of unprivileged ports. We show that while individual behaviors are sometimes effective, they work best when used together. We quantify the effectiveness of our approach using two day-long traces, from 2005 and 2006, showing that they are quite accurate: BitTorrent hosts are detected with an 83% true positive rate and only a 4% false positive rate, and Gnutella hosts with a 75% true positive rate and a 4% false positive rate. Our system is suitable for on-line use, with 75% of BitTorrent hosts detected in less than 10 minutes of trace data.
@TechReport{Bartlett06a,
author = "Genevieve Bartlett and John Heidemann and Christos Papadopoulos",
title = "Inherent Behaviors for On-line Detection of
Peer-to-Peer File Sharing (extended)",
institution = "USC/Information Sciences Institute",
year = 2006,
sortdate = "2006-12-01",
number = "ISI-TR-2006-627",
month = dec,
jlocation = "johnh: pafile",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Bartlett06a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Bartlett06a.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
project = "ant, lander, predict",
jsubject = "traffic_detection",
abstract = "
Blind techniques to detect network applications---approaches that do
not consider packet contents---are increasingly desirable because they
have fewer legal and privacy concerns, and they can be robust to
application changes and intentional cloaking. In this paper we
identify several behaviors that are \emph{inherent} to peer-to-peer
(P2P) traffic and demonstrate that they can detect both BitTorrent and
Gnutella hosts using only packet header and timing information. We
identify three basic behaviors: failed connections, the ratio of
incoming and outgoing connections, and the use of unprivileged ports.
We show that while individual behaviors are sometimes effective, they
work best when used together. We quantify the effectiveness of our
approach using two day-long traces, from 2005 and 2006, showing that
they are quite accurate: BitTorrent hosts are detected with an 83\%
true positive rate and only a 4\% false positive rate, and Gnutella
hosts with a 75\% true positive rate and a 4\% false positive rate.
Our system is suitable for on-line use, with 75\% of BitTorrent hosts
detected in less than 10 minutes of trace data.
",
}