Classifying P2P activity in Netflow records: A case study on BitTorrent

The ability to accurately classify various types of Internet traffic within a network using Netflow traces represents a major challenge as there is no payload information available with Netflow. P2P applications represent a very large portion of the internet traffic and are becoming more difficult to classify, as some of these applications tend to use port masquerading techniques and encrypted payloads, rendering the traditional classification approaches obsolete. In this paper, a simple yet effective classification method is proposed using a set of heuristics based on the discriminating features and the operation nature of P2P applications. We mainly focus on identifying BitTorrent activities using Netflow records. The presented scheme has been tested with a collection of real data sets. The results of the classification have shown to be accurate even when applied to data sets with complex Internet traffic. The results of the proposed scheme were tested against two other existing approaches and were observed to have improved classification accuracy - BitTorrent traffic was identified with 91-95% accuracy for the five data sets tested.