ISSN 1000-1239 CN 11-1777/TP


Identification of BitTorrent Traffic for High Speed Network Using Packet Sampling and Application Signatures

Guo Zhenbin and Qiu Zhengding   

Institute of Information Science, Beijing Jiaotong University, Beijing 100044

Online: 2008-02-15

Abstract: Identifying peer-to-peer (P2P) traffic in a high-speed network environment is very difficult because well-known port numbers are no longer reliable and application signatures are not efficient enough. This paper presents a BitTorrent traffic identification method for high-speed networks that uses packet sampling and application signatures. Models of false negatives and false positives are developed to analyze the effects of the packet sampling probability and the application signature probability on accuracy. The method is implemented with Snort by developing a flow-state-differentiating preprocessor. The experimental results show that the method is efficient and accurate and can be applied to high-speed networks. The lower limit of processing efficiency is over 800 Mbps on a personal computer hardware platform. When the method is applied to processing packets, the false negative rate is about 0.6% with a sampling probability of 0.5, about 5.9% with a sampling probability of 0.1, and about 10.5% with a sampling probability of 0.05. When the method is applied to analyzing flows, the false negative rate is about 0.06% with a sampling probability of 0.5, about 0.33% with a sampling probability of 0.1, and about 1.1% with a sampling probability of 0.05. The method performs excellently on false positives, with no packet falsely identified. The experimental results also show that the false negative and false positive models are very accurate.

Key words: high speed network, traffic identification, peer-to-peer, BitTorrent, packet sampling, application signature