<?xml version="1.0" standalone="no"?>
                    <!DOCTYPE div SYSTEM "/www/backend/www-xml-443/dtd/caidaML.dtd">
                    <!-- do NOT ERASE the DOCTYPE declaration! --><div>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>URL:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<a href="ftp://ftp.isi.edu/isi-pubs/tr-627.pdf">ftp://ftp.isi.edu/isi-pubs/tr-627.pdf</a>
</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Entry Dates:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
2009-02-06


</font>
  </td>
</tr>


<tr bgcolor="#f4f4f4">
  <td>
<font face="helvetica,arial" size="2">
<b>Abstract:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
Blind techniques to detect network applications (approaches that do not consider packet contents) are increasingly desirable because they have fewer legal and privacy concerns, and they can be robust to application changes and intentional cloaking. In this paper we identify several behaviors that are inherent to peer-to-peer (P2P) traffic and demonstrate that they can detect both BitTorrent and Gnutella hosts using only packet header and timing information. We identify three basic behaviors: failed connections, the ratio of incoming and outgoing connections, and the use of unprivileged ports. We quantify the effectiveness of our approach using two day-long traces, and achieve up to an 83% true positive rate with only a 2% false positive rate. Our system is suitable for on-line use, with 75% of new P2P peers detected in less than 10 minutes of trace data.


</font>
  </td>
</tr>


<tr bgcolor="#e9e9e9">
  <td>
<font face="helvetica,arial" size="2">
<b>Results:</b>
</font>
</td>
  <td>
<font face="helvetica,arial" size="2">
<ul>
<li>
datasets: two day-long traces; two (out of five) links at Los Nettos, a regional ISP in the Los Angeles area serving both commercial and academic institutions; each 24 hours long, on August 31 2005 and October 3 2006;
</li>
<li>
uses only packet header and timing information, without considering packet contents;
</li>
<li>
identifies three basic behaviors: failed connections, the ratio of incoming and outgoing connections, and the use of unprivileged ports;
</li>
<li>
achieves up to an 83% true positive rate with only a 2% false positive rate; suitable for on-line use, with 75% of new P2P peers detected in less than 10 minutes of trace data.
</li>
</ul>


</font>
  </td>
</tr>
</div>

