Identification of BitTorrent Traffic for High Speed Network Using Packet Sampling and Application Signatures

It is very difficult to identify peer-to-peer (P2P) traffic in high speed network environment because well-known port numbers are no longer reliable and application signatures are not efficient enough. In this paper, a BitTorrent traffic identification method for high speed network using packet sampling and application signatures is presented. Models of false negatives and false positives are developed to analyze the effects of packet sampling probability and application signatures probability on accuracy. The method is implemented with Snort by developing a flow state differentiating preprocessor. The experiment results show that the efficiency and accuracy of the method are exciting and the method can be applied to high speed network. The low limit of processing efficiency is over 800 Mbps on a personal computer hardware platform. Assuming that the method is applied to processing packets, the false negatives rate is about 0.6% with 0.5 sampling probability, about 5.9% with 0.1 sampling probability, and about 10.5% with 0.05 sampling probability. Assuming that the method is applied to analyzing flows, the false negatives rate is about 0.06% with 0.5 sampling probability, about 0.33% with 0.1 sampling probability, and about 1.1% with 0.05 sampling probability. The method shows excellent false positives with no packet falsely identified. The experiment results also show that the false negatives and false positives models are very accurate.