PeerSorter: Classifying Generic P2P Traffic in Real-time

The rapid development of Peer-to-Peer (P2P) technology brings challenges to quality of service (QoS), network planning and access control. An accurate classification of P2P traffic is vital for addressing those challenges. Traditional port-based and payload-based methods fail to cope with emerging port disguise and payload encryption techniques. In this paper, we present PeerSorter, a system for the classification of generic P2P traffic in real-time. PeerSorter is featured by four characteristics. Firstly, it can accurately classify nearly all kinds of legitimate P2P applications as well as various P2P botnets, by building application profiles of their significant network activity patterns. Moreover, PeerSorter is capable of real-time processing, because of its simplicity of mechanism and small classification time windows. In addition, PeerSorter can be readily extended by adding profiles of new P2P applications. Finally, PeerSorter can work well even in the scenario where the classification target is running along with other bandwidth consumer (including P2P applications) at the same time. We evaluate the performance of PeerSorter on traffic datasets of a large variety of P2P applications, including two popular P2P botnets. The experimental results demonstrate that we can classify all the considered types of P2P traffic with an average true positive rate of 97.83% and an average false positive rate below 0.04% within 2 minutes.