
The testbed environment used in this research to generate real-world Skype behavior for analysis is as follows:

• A NAT-ed LAN of 7 machines running only Skype, with Automatic Updates and all other services disabled; 2 of the machines are dedicated to generating VoIP calls and 2 to generating instant messages, to mimic real-world user behavior

• 2 machines with four-core Intel i7 processors and 8 GB of RAM, running only Skype with Automatic Updates and all other services disabled and the university firewall disabled, in order to increase the chance of these machines being promoted to supernodes in the Skype P2P network

• All machines not making calls or sending instant messages simply have Skype open and running, to generate control traffic

The features of the connected IPs used for analysis are:

• Number of bytes per packet

• Inter-packet delay

Calling All Nodes: Classifying Skype Control Protocol

Brett Meyer, Computer Science Department

The University of [email protected]

Introduction

• The rise in popularity of P2P applications over the past several years has led to a corresponding rise in malware that employs the same overlay-network technique, most notably botnets.

• Detecting legitimate P2P programs in a network trace is therefore a primary concern in network security research.

Background/Related Work

• Previous work has attempted to classify the voice, video and instant message data transmitted through the Skype application.

• No attempt has been made thus far to classify the P2P overlay control protocol by itself.

• Most Skype users do not constantly make calls while they have the application open; they leave Skype running in the background and only make calls or send instant messages periodically.

Approach

• Skype encrypts all application traffic with a proprietary scheme, so packet contents cannot be used for classification; only traffic characteristics such as packet size and timing remain observable.

• The feature selected to facilitate classification is the keep-alive message that Skype nodes must exchange in order to maintain the overlay network, since this traffic is present whenever the application is running, regardless of user activity.

Discussion

• Skype traffic is being collected from the testbed environment and analyzed for the statistical qualities of the likely keep-alive transmissions.

• In the next phase of this research, a similar testbed will be created for 4 additional P2P applications in order to generate training, testing, and evaluation sets for classification.
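As an added illustration (not the poster's own code or results), the following Python script shows how the two features named in the testbed section, bytes per packet and inter-packet delay, can be computed per connected IP and screened for the statistical regularity expected of keep-alive traffic. The packet trace, the peer addresses and the thresholds (100-byte mean size, 25% coefficient of variation, 5-packet minimum) are constructed assumptions chosen to exercise the logic; the poster states no such values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample trace for one observed host: (timestamp_s, peer_ip, payload_bytes).
# Hypothetical values, not packets captured from the testbed. Peer 10.0.0.5 receives
# small packets at a ~20 s cadence (keep-alive-like); 10.0.0.9 receives a burst of
# large packets (call-like); 10.0.0.7 is seen too briefly to judge.
SAMPLE_TRACE = [
    (0.0, "10.0.0.5", 58), (20.1, "10.0.0.5", 60), (40.0, "10.0.0.5", 58),
    (60.2, "10.0.0.5", 62), (79.9, "10.0.0.5", 60), (100.1, "10.0.0.5", 58),
    (0.0, "10.0.0.9", 300), (0.03, "10.0.0.9", 1200), (0.05, "10.0.0.9", 900),
    (0.12, "10.0.0.9", 1400), (0.13, "10.0.0.9", 250), (0.20, "10.0.0.9", 1100),
    (0.0, "10.0.0.7", 60), (20.0, "10.0.0.7", 60), (40.0, "10.0.0.7", 60),
]

# Assumed thresholds for illustration only; the poster does not state values.
MAX_KEEPALIVE_BYTES = 100   # a mean payload size above this is treated as not keep-alive
MAX_CV = 0.25               # coefficient-of-variation bound for "regular" size and timing
MIN_PACKETS = 5             # fewer samples than this is not enough to decide


def group_by_peer(trace):
    """Split the trace into per-peer packet lists ordered by time."""
    flows = defaultdict(list)
    for ts, peer, size in sorted(trace):
        flows[peer].append((ts, size))
    return flows


def coeff_var(values):
    """Population standard deviation divided by the mean; None when undefined."""
    if len(values) < 2:
        return None
    m = mean(values)
    return pstdev(values) / m if m > 0 else None


def flow_features(packets):
    """The two poster features for one peer: bytes per packet and inter-packet delay."""
    sizes = [size for _, size in packets]
    times = [ts for ts, _ in packets]
    delays = [later - earlier for earlier, later in zip(times, times[1:])]
    return {
        "packets": len(packets),
        "mean_bytes": mean(sizes),
        "bytes_cv": coeff_var(sizes),
        "mean_delay": mean(delays) if delays else None,
        "delay_cv": coeff_var(delays),
    }


def looks_like_keepalive(feat):
    """Heuristic: enough samples, small packets, low variance in both size and timing."""
    if feat["packets"] < MIN_PACKETS:
        return False
    if feat["mean_bytes"] > MAX_KEEPALIVE_BYTES:
        return False
    if feat["bytes_cv"] is None or feat["delay_cv"] is None:
        return False
    return feat["bytes_cv"] <= MAX_CV and feat["delay_cv"] <= MAX_CV


def classify_trace(trace):
    """Map each peer IP to (features, keep-alive verdict)."""
    result = {}
    for peer, packets in group_by_peer(trace).items():
        feat = flow_features(packets)
        result[peer] = (feat, looks_like_keepalive(feat))
    return result


if __name__ == "__main__":
    for peer, (feat, verdict) in classify_trace(SAMPLE_TRACE).items():
        print(peer, "keep-alive" if verdict else "other", feat)
```

In a real analysis the per-peer statistics would be fed to a classifier trained on the testbed captures rather than compared against fixed thresholds; the script only shows the feature extraction step and the short-flow edge case, where too few packets should yield no verdict rather than a false positive.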

Contributions

• Dataset consisting of real-world Skype control, messaging, and call transactions

• Dataset consisting of real-world P2P application behaviors

• Statistical method for modeling Skype control protocol behavior

References

1. BASET, S. A., AND SCHULZRINNE, H. An analysis of the Skype peer-to-peer Internet telephony protocol. In IEEE INFOCOM '06 (Barcelona, Spain, April 2006).

2. BONFIGLIO, D., MELLIA, M., MEO, M., ROSSI, D., AND TOFANELLI, P. Revealing Skype traffic: When randomness plays with you. In ACM SIGCOMM '07 (Kyoto, Japan, August 2007).

3. GUHA, S., DASWANI, N., AND JAIN, R. An experimental study of the Skype peer-to-peer VoIP system. In 5th International Workshop on Peer-to-Peer Systems (Santa Barbara, California, February 2006).

4. HAQ, I. U., ALI, S., KHAN, H., AND KHAYAM, S. A. What is the impact of P2P traffic on anomaly detection? In Recent Advances in Intrusion Detection, Lecture Notes in Computer Science 6307 (2010), 1–17.

5. ROSSI, D., MELLIA, M., AND MEO, M. Understanding Skype signaling. Computer Networks (November 2008).
