Abstract
Peer-to-peer (P2P) applications generate a large volume of traffic and seriously affect the quality of normal network services, so accurate identification of P2P traffic is especially important for network management. The simplest method is based on port mapping, but dynamic port techniques make it ineffective. Signature-based approaches are useless against encrypted traffic. Recently, some approaches have used more complex machine learning and data mining algorithms that rely on flow statistics or host behaviors. Because these sophisticated algorithms need a time-consuming training or calculation process, they can hardly be used for real-time identification. In this paper, we propose a cocktail approach consisting of three sub-methods to identify BitTorrent (BT) traffic. We apply application signatures to identify unencrypted traffic. For encrypted flows, we propose a message-based method built on the features of the message stream encryption (MSE) protocol. Finally, we propose a pre-identification method based on signaling analysis, which can predict BT flows and distinguish them even at the first packet, which carries only the SYN flag. We use modified Vuze clients to label BT traffic in real traffic traces, which helps us build high-accuracy benchmark datasets to evaluate our approach. The results illustrate the effectiveness of our approach, especially for un- or semi-established flows, which have no obvious signatures or flow statistics.
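The sketch below is an added example, not code from the paper: it combines a signature check on the plaintext BT handshake with pre-identification of flows from previously observed signaling. It assumes the signaling is a compact tracker peer list; the abstract does not specify the paper's own algorithm, and `PreIdentifier`, its labels and the sample addresses are hypothetical. The MSE message-based method is not covered.

```python
import re
import socket
import struct

# Peer-wire handshake prefix: length byte 19, then the protocol string.
BT_HANDSHAKE = b"\x13BitTorrent protocol"

def is_plain_bt(payload: bytes) -> bool:
    """Signature check on the first payload bytes of an unencrypted flow."""
    return payload.startswith(BT_HANDSHAKE)

def peers_from_tracker(body: bytes) -> set:
    """Extract (ip, port) pairs from a compact tracker response.

    Assumption: the signaling is a bencoded reply whose 'peers' value is a
    byte string of 6-byte entries (IPv4 address + big-endian port). A regex
    stands in for a full bencode parser to keep the example short.
    """
    m = re.search(rb"5:peers(\d+):", body)
    if not m:
        return set()
    n = int(m.group(1))
    blob = body[m.end():m.end() + n]
    if n % 6 or len(blob) != n:
        return set()  # truncated or non-compact list: learn nothing
    return {(socket.inet_ntoa(blob[i:i + 4]),
             struct.unpack("!H", blob[i + 4:i + 6])[0])
            for i in range(0, n, 6)}

class PreIdentifier:
    """Hypothetical classifier: remembers announced endpoints, then labels flows."""

    def __init__(self):
        self.expected = set()

    def observe_signaling(self, body: bytes) -> None:
        self.expected |= peers_from_tracker(body)

    def classify(self, dst_ip: str, dst_port: int, payload: bytes = b"") -> str:
        if is_plain_bt(payload):
            return "bt-signature"
        if (dst_ip, dst_port) in self.expected:
            return "bt-predicted"   # decided on the SYN, before any payload
        return "unknown"

# Constructed sample: tracker reply announcing two peers (documentation addresses).
SAMPLE_TRACKER_BODY = (b"d8:intervali1800e5:peers12:"
    + socket.inet_aton("198.51.100.5") + struct.pack("!H", 6881)
    + socket.inet_aton("192.0.2.7") + struct.pack("!H", 51413) + b"e")
```
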