Identifying BT-like P2P Traffic by the Discreteness of Remote Hosts

By analyzing application protocols and traffic, we find that the most striking distinguish between BitTorrent (BT)-like peer-to-peer (P2P) applications' traffic and traditional as well as other P2P (such as Skype) applications' traffic of a single user may be the dissimilarity in the distribution of remote hosts involved. Therefore, we propose a method based on discreteness of remote hosts (RHD) to identify BT-like traffic. In this method, traffic for each user host in a stub network need be monitored at the border of the stub network and classified into flows. At intervals concurrent TCP and UDP flows for a single host should be grouped respectively by what stub network the remote host of each flow belongs to, and then calculate instant RHDs for TCP and UDP flows respectively. For any user host, if the sum of two average RHDs for a period of time exceeds specific threshold, then we can deduce that the host has used BT-like P2P application. The method proposed here is a simple traffic characteristic-based traffic classification method. It is more suitable for identifying protean BT-like P2P application than usual content-based methods such as those based on port numbers or application signatures. Experiments results reveal that our method can effectively recognize BT-like traffic and may be particularly appropriate for use to restrict BT-like traffic during working hours if needed.