Identification peer-to-peer traffic for high speed networks using packet sampling and application signatures

It is very difficult to identify peer-to-peer (P2P) traffic in high speed network environment because well-known port numbers are no longer reliable and application signatures are not efficient enough. In this paper, we present a P2P traffic identification method for high speed networks using packet sampling and application signatures. Models of false negatives and false positives are developed to analyze the effects of packet sampling probability (which is the probability of a packet to be captured when the packet passes through the monitor location) and application signatures probability (which is the probability of a packet containing application signature) on accuracy. We implemented the method with Snort by developing a flow state differentiating preprocessor. We have applied the method to identify BitTorrent traffic with 13 application signatures. The experiment results show that the efficiency and accuracy of the method are exciting and the method can be applied to high speed networks. The experiment results also show that the false negatives and false positives models are very accurate.