WO2008065496A2 - Method and apparatus for peer-to-peer network traffic analysis - Google Patents

Info

Publication number: WO2008065496A2
Authority: WO, WIPO (PCT)
Prior art keywords: peer, nodes, supernode, identifying, list
Legal status: Ceased (The legal status is an assumption and is not a legal conclusion.)
Application number: PCT/IB2007/003545
Other languages: French (fr)
Other versions: WO2008065496A3 (en)
Inventor: Jukka Rissanen
Current Assignee: Nokia Inc (The listed assignees may be inaccurate.)
Original Assignee: Nokia Inc
Priority claimed from: US11/907,780 (US20090106364A1)
Application filed by: Nokia Inc
Priority to: CN200780044054.6A (CN101558604B)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network
    • H04L67/104 Peer-to-peer [P2P] networks
    • H04L67/1061 Peer-to-peer [P2P] networks using node-based peer discovery mechanisms

Definitions

  • Figure 3 illustrates a block diagram of an apparatus that is configured to implement the invention.
  • the apparatus can include an initiating unit 310 that monitors connections initiated by a client node.
  • An identifying unit 320 can identify the initiating node as a P2P node, and a marking unit 330 can mark the traffic as P2P traffic.
  • the identifying unit 320 can rely on various indicia of P2P traffic, such as the number of connections generated within a particular time frame. Other techniques for distinguishing P2P traffic from, for example, ordinary web browsing HTTP traffic can also be used. These units can perform the intelligent heuristics phase of the analysis.
  • Another identifying unit 340 can then identify other P2P nodes based upon the number of connections to the other P2P nodes meeting specific criteria and refer back to the marking unit 330 to mark the other P2P nodes. These units can perform the feedback phase of the analysis.
  • a de-classifying unit 350 can monitor P2P traffic to nodes that have been identified as P2P nodes, and can remove the P2P designations from P2P nodes that are no longer receiving P2P traffic.
  • the de-classifying unit 350 can cooperate with the identifying unit 320, the marking unit 330, and the other identifying unit 340 to perform its operations. These units can perform the intelligent update phase of the analysis.
  • FIG. 4 is a flow chart illustrating another embodiment of the invention.
  • a P2P client creates a predetermined number of connections in a given amount of time.
  • traffic from the P2P client is marked as P2P traffic.
  • a connection is classified as a P2P connection.
  • a destination host can be identified based on the 5-tuple. If the connection volume meets predetermined criteria regarding connection volume over a period of time, the destination host is classified as a P2P host or a supernode, at 405.
  • P2P nodes are de-classified into non-P2P nodes when P2P traffic falls below a predetermined threshold, or falls to zero.
  • the process illustrated in Figure 4 can be performed repeatedly, and the steps described should not necessarily be viewed as having to be performed in the order illustrated simply because they are illustrated in that order.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method and an apparatus can be provided for identifying and separately treating peer-to-peer traffic in a network. For example, the method can include identifying a supernode of a peer-to-peer network using intelligent heuristics. The method can also include identifying additional nodes of the peer-to-peer network using feedback. The method can further include marking the supernode and additional nodes as peer-to-peer nodes in a list. In certain embodiments, the method can additionally include updating the list using an intelligent update.

Description

TITLE OF THE INVENTION:
METHOD AND APPARATUS FOR PEER-TO-PEER NETWORK TRAFFIC ANALYSIS
CROSS REFERENCE TO RELATED APPLICATIONS:
[0001] The present application is related to and claims the priority of Provisional U.S. Patent Application No. 60/661,447, filed November 29, 2006, the entirety of which is hereby incorporated by reference.
BACKGROUND OF THE INVENTION:
Field of the Invention:
[0002] The invention generally relates to network traffic analysis and to the discovery of peer-to-peer (P2P) network connections from a number of existing network connections. P2P network traffic is known to cause congestion in certain computer networks. Identification and handling of such traffic in mobile networks such as General Packet Radio Service (GPRS) can be helpful in maximizing efficiency of network resources.
Description of the Related Art:
[0003] Network connections in computer networks such as Transmission Control Protocol / Internet Protocol (TCP/IP) networks are typically identified by a 5-tuple, such as network protocol used, source address, source port, destination address, and destination port. These five characteristics or 5-tuple can be sufficient to uniquely identify the network connection. In performing network traffic analysis, these five settings can be identified and handled in various ways. For example, Hypertext Transport Protocol (HTTP) traffic is identified as protocol = TCP/IP, destination port 80, and other settings in the 5-tuple can vary. Thus, it can be seen that, if two settings of the 5-tuple are known, then the type of traffic can be identified and classified. The content of the traffic, in terms of bytes of data in the flow, can also be used to identify the applicable protocol, but traffic can sometimes be encrypted. Such encryption can make it difficult to learn the type of data being transferred, and therefore complicate network analysis.
SUMMARY OF THE INVENTION:
[0004] One embodiment of the present invention can be a method. The method can include identifying peer-to-peer connection patterns. The method can also include marking traffic identified by the patterns as peer-to-peer traffic. The method can further include identifying a destination address of the traffic as a peer-to-peer host. The method can additionally include marking the peer-to-peer host as a supernode. The method can also include treating network connections to the supernode as peer-to-peer network connections. In certain embodiments, the method can further include identifying peer-to-peer nodes that are no longer receiving peer-to-peer traffic and, once a node is identified that does not receive peer-to-peer traffic, terminating treating the node as a peer-to-peer client.
[0005] Another embodiment of the present application can be an apparatus. The apparatus can include a first identifying unit configured to identify peer-to-peer traffic based upon connection patterns. The apparatus can also include a marking unit configured to mark the traffic as peer-to-peer traffic. The apparatus can further include a hosting unit configured to specify a destination host of the traffic as a peer-to-peer host, and to mark the host as a supernode, wherein the hosting unit is configured to treat all traffic to the supernode and all network connections to the supernode as peer-to-peer network connections. It should be noted that, as used in the present application, the "hosting unit" employs the term "hosting" not because the unit hosts (engages in an act of hosting something), but because the unit can, for example, classify a node as a host. In certain embodiments, the apparatus can further include a second identifying unit configured to identify a peer-to-peer designated node that is no longer receiving peer-to-peer traffic, and to remove the designation of the node as a peer-to-peer client.
[0006] A further embodiment of the present invention is another method. This method can include identifying a supernode of a peer-to-peer network using intelligent heuristics. The method can also include identifying additional nodes of the peer-to-peer network using feedback. The method can further include marking the supernode and additional nodes as peer-to-peer nodes in a list. In certain embodiments, the method can additionally include updating the list using an intelligent update.
[0007] An additional embodiment of the present invention is another apparatus. The apparatus can include a first identifying unit configured to identify a supernode of a peer-to-peer network using intelligent heuristics. The apparatus can also include a second identifying unit configured to identify additional nodes of the peer-to-peer network using feedback. The apparatus can further include a marking unit configured to mark the supernode and additional nodes as peer-to-peer nodes in a list. In certain embodiments, the apparatus can additionally include updating the list using an intelligent update.
[0008] Yet another embodiment of the present invention can be a computer program tangibly embodied on a computer readable medium encoding instructions for performing various functions. The computer program can include instructions for identifying a supernode of a peer-to-peer network using intelligent heuristics. The computer program can also include instructions for identifying additional nodes of the peer-to-peer network using feedback. The computer program can further include instructions for marking the supernode and additional nodes as peer-to-peer nodes in a list. In certain embodiments, the computer program can additionally include instructions for updating the list using an intelligent update.
[0009] An additional embodiment of the present invention can be yet another apparatus. The apparatus can include identifying means for identifying a supernode of a peer-to-peer network using intelligent heuristics and for identifying additional nodes of the peer-to-peer network using feedback. The apparatus can also include marking means for marking the supernode and additional nodes as peer-to-peer nodes in a list. In certain embodiments of the present invention, the apparatus can further include updating means for updating the list using an intelligent update.
BRIEF DESCRIPTION OF THE DRAWINGS:
[0010] For proper understanding of the invention, reference should be made to the accompanying drawings, wherein:
[0011] Figure 1 illustrates a flow chart according to an embodiment of the invention;
[0012] Figure 2 is a general illustration of a P2P network, in which a plurality of nodes can have virtual direct connections to each other through a hub or a switch;
[0013] Figure 3 illustrates a block diagram of an apparatus that is configured to implement the invention; and
[0014] Figure 4 is a flow chart illustrating another embodiment of the invention.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT(S):
[0015] An example method according to the present invention can be one that performs network analysis to identify P2P traffic, and block, charge, or otherwise perform specific handling of the P2P traffic to maximize efficient use of valuable network resources.
[0016] In P2P networks such as, for example, Skype™, traffic is encrypted and there is no central server to which P2P clients connect on a continual basis. Such configurations can make it difficult to identify the 5-tuple that identifies the utilization of P2P protocol. Some P2P networks can treat certain P2P nodes as special; for example, if a node has enough network capacity, then P2P traffic can, in some cases, be routed through this node. Such a node is typically called a supernode due to its carrying, or capacity for carrying, a large amount of data and/or traffic.
[0017] In network traffic analysis methods and systems, identification of supernodes can be helpful in order to simplify handling of traffic. Often, a significant amount and sometimes all traffic to and from a supernode is P2P traffic. Thus, often all connections to and from a supernode are P2P connections.
[0018] Certain embodiments of the present invention can identify the P2P 5-tuple in network traffic analysis using intelligent heuristics with feedback. For example, a P2P client, which can be referred to as node A, can be identified by the fact that it creates a significant number of connections to other peers within a short window of time, which can in many cases be less than 1 second.
[0019] Certain methods and systems according to the invention can identify this connection pattern, and mark the traffic as P2P traffic. Certain embodiments of the invention can identify, for example, two characteristics in the 5-tuple, the protocol and source address. Consequently, the network connection can be classified as P2P traffic. This stage of the analysis can be referred to as the intelligent heuristics phase.
[0020] When the 5-tuple has been found, then the destination host or other peer, which can be (for convenience) referred to as node B, in the P2P network can be treated as a potential P2P host/client. If there are numerous connections to node B then node B can also be marked as a supernode, and network connections to it can all be treated as P2P network connections. This stage of the analysis can be referred to as the feedback phase.
[0021] Certain embodiments of the present invention can also identify P2P nodes that are no longer receiving P2P traffic. In many cases, computer networks can use dynamic Internet Protocol (IP) address assignment. In other words, the IP address of a host or client can change over time. Certain embodiments of the invention can identify that an existing P2P client/host, for example, node A, has not received any P2P data or traffic for some time. Such embodiments of the invention, therefore, would stop treating node A as a P2P client. This can be referred to as the intelligent update phase of the analysis.
[0022] Thus, certain embodiments of the present invention can identify P2P 5-tuple information from network traffic using intelligent heuristics, feedback, and intelligent updates. Such identification can enable P2P network traffic classification, and enable the treatment of P2P traffic in a manner that is different from other network traffic.
[0023] Such embodiments can help significantly increase efficient use of network resources, and potentially avoid exhausting valuable network resources. Existing network analysis methods and systems are not capable of identifying and analyzing P2P network traffic in a manner that is favorably comparable to embodiments of the present invention.
[0024] Some methods and apparatuses according to embodiments of the invention, therefore, are capable of detecting that a node initiates at least a predetermined number of connections to other nodes within a predetermined time, and classifying such initiating nodes as P2P nodes and/or obtaining P2P 5-tuples. Certain embodiments of the invention can also detect whether the nodes so connected have more than a predetermined number of connections to further nodes.
[0025] Certain embodiments of the present invention can then classify such nodes as P2P nodes. The predetermined time window for identifying whether a predetermined number of connections are being made can be, for example, one second, and the predetermined number of connections can be, for example, five connections during this one second period of time. Certain embodiments of the invention would enable such parameters to be configurable.
[0026] Various embodiments of the present invention can be implemented in numerous types of networks and systems, including computer networks having a number of P2P nodes disposed therein, and cellular / IP Multimedia Subsystem (IMS) networks where cellular or mobile user equipment communicates through base stations or directly, in which user terminals can be or include nodes and/or base stations can be or include nodes.
[0027] Particular embodiments of the present invention can also be implemented as computer software embodied on a computer readable medium, with the software being able to run on a processor, and controlling the processor to perform the steps of, for example, the methods that are discussed above. Such software can also cause a processor to be configured as the various hardware elements discussed herein.
[0028] More particularly, certain embodiments of the present invention may, for example, be embodied as traffic analyzer and/or firewall computer hardware, computer software, or a hybrid thereof. Thus, certain embodiments of the present invention can be implemented, for example, on a general purpose computer or an Application Specific Integrated Circuit (ASIC).
[0029] Figure 1 illustrates a flow chart according to an embodiment of the invention. According to Figure 1, a check 110 is made to see if a P2P client initiates a predetermined number of connections in a given time period. If the answer is yes, the initiating node is identified 120 as a P2P node. Then a check 130 is made to determine whether other nodes connected to the initiating nodes have a sufficient volume of connections over a given period of time. If yes (e.g. if they do have a volume sufficient to trigger an inference that they are supernodes), these other nodes are classified 140 as P2P nodes.
[0030] The embodiment illustrated in Figure 1, and various other embodiments of the invention, can then monitor 150 traffic to a P2P node, to determine whether P2P traffic is still being transmitted with respect to the node. If no P2P traffic is received for a predetermined period of time, then the node is no longer treated 160 as a P2P node.
[0031] Figure 2 is a general illustration of a P2P network, in which a plurality of nodes can have virtual direct connections to each other through a hub or a switch (the hub or switch is not shown). Such a network can be distinguishable from a client-server network, in which all nodes of a network are logically connected to a common file server for file services.
[0032] For example, in one popular embodiment of a P2P network, nodes share files directly with one another rather than uploading the files to a central file server for subsequent retrieval. The nodes of Figure 2, as mentioned previously, can include various types of user equipment including cellular telephones, base stations, computers, laptop computers, stationary computers, and the like.
[0033] Thus, for example, Node A, Node B, Node C, Node D, and Node E can, for example, be mobile communication devices that are capable of communicating with each other via, for example, a mobile switching center (MSC), a base station (BS), or similar technology. Alternatively, the nodes can be nodes of a LAN connected by a single router or switch in a physical star topology. There is no requirement that all of the nodes be part of the same physical network.
[0034] Figure 3 illustrates a block diagram of an apparatus that is configured to implement the invention. The apparatus can include an initiating unit 310 that monitors connections initiated by a client node. An identifying unit 320 can identify the initiating node as a P2P node, and a marking unit 330 can mark the traffic as P2P traffic.
[0035] The identifying unit 320 can rely on various indicia of P2P traffic, such as the number of connections generated within a particular time frame. Other techniques for distinguishing P2P traffic from, for example, ordinary web browsing HTTP traffic can also be used. These units can perform the intelligent heuristics phase of the analysis.
[0036] Another identifying unit 340 can then identify other P2P nodes based upon the number of connections to the other P2P nodes meeting specific criteria and refer back to the marking unit 330 to mark the other P2P nodes. These units can perform the feedback phase of the analysis. A de-classifying unit 350 can monitor P2P traffic to nodes that have been identified as P2P nodes, and can remove the P2P designations from P2P nodes that are no longer receiving P2P traffic.
[0037] The de-classifying unit 350 can cooperate with the identifying unit 320, the marking unit 330, and the other identifying unit 340 to perform its operations. These units can perform the intelligent update phase of the analysis.
[0038] Figure 4 is a flow chart illustrating another embodiment of the invention. According to Figure 4, at 401 a P2P client creates a predetermined number of connections in a given amount of time. At 402, traffic from the P2P client is marked as P2P traffic. At 403, using protocol and source address, which are two items of the 5-tuple, a connection is classified as a P2P connection.
[0039] At 404, as shown in Figure 4, a destination host can be identified based on the 5-tuple. If the connection volume meets predetermined criteria regarding connection volume over a period of time, the destination host is classified as a P2P host or a supernode, at 405.
[0040] At 406, P2P nodes are de-classified into non-P2P nodes when P2P traffic falls below a predetermined threshold, or falls to zero. The process illustrated in Figure 4 can be performed repeatedly, and the steps described should not necessarily be viewed as having to be performed in the order illustrated simply because they are illustrated in that order.
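The flow of Figures 1 and 4 can be sketched as a sliding-window classifier over new-connection records; this is an added example, not code from the patent. The class and parameter names, the supernode window and threshold, and the idle timeout are assumptions; only the one-second / five-connection values come from paragraph [0025].

```python
from collections import defaultdict, deque

class P2PClassifier:
    """Connection-pattern classifier following the Figure 1 / Figure 4 flow."""

    def __init__(self, window=1.0, min_conns=5,
                 super_window=10.0, super_min_conns=5, idle_timeout=60.0):
        self.window, self.min_conns = window, min_conns  # examples from [0025]
        # Assumed values: the page only calls these thresholds "predetermined".
        self.super_window, self.super_min_conns = super_window, super_min_conns
        self.idle_timeout = idle_timeout
        self.initiated = defaultdict(deque)  # (proto, src) -> open timestamps
        self.received = defaultdict(deque)   # dst -> inbound timestamps
        self.nodes = {}                      # addr -> [role, last P2P activity]

    @staticmethod
    def _slide(queue, ts, span):
        """Append ts, drop entries older than span, return the window count."""
        queue.append(ts)
        while ts - queue[0] > span:
            queue.popleft()
        return len(queue)

    def _mark(self, addr, role, ts):
        """Add or refresh a list entry; a supernode is never downgraded."""
        old = self.nodes.get(addr, [role])[0]
        is_super = "supernode" in (old, role)
        self.nodes[addr] = ["supernode" if is_super else "client", ts]

    def expire(self, now):
        """Steps 150/160 and 406: de-classify nodes idle past idle_timeout."""
        idle = [a for a, (_, seen) in self.nodes.items()
                if now - seen > self.idle_timeout]
        for addr in idle:
            del self.nodes[addr]

    def observe(self, ts, flow):
        """Feed one new connection, flow = (proto, src, sport, dst, dport),
        in timestamp order. Returns True if it is treated as P2P traffic."""
        proto, src, _sport, dst, _dport = flow
        self.expire(ts)
        opened = self._slide(self.initiated[(proto, src)], ts, self.window)
        accepted = self._slide(self.received[dst], ts, self.super_window)
        to_super = self.nodes.get(dst, [None])[0] == "supernode"
        # Heuristic phase (110/120, 401-403): burst keyed on protocol + source.
        # Feedback (claim 12): any host contacting a known supernode.
        if opened >= self.min_conns or to_super or src in self.nodes:
            self._mark(src, "client", ts)
        else:
            return False
        # Feedback (130/140, 404/405): busy destination of a P2P client.
        if to_super or accepted >= self.super_min_conns:
            self._mark(dst, "supernode", ts)
        return True
```

Because every later connection from a listed client is treated as P2P, a false positive in the burst heuristic persists until the idle timeout removes the node, so the window and threshold are worth tuning against ordinary browsing traffic.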
[0041] One having ordinary skill in the art will readily understand that the invention as discussed above may be practiced with steps in a different order, and/or with hardware elements in configurations which are different than those which are disclosed. Therefore, although the invention has been described based upon these preferred embodiments, it would be apparent to those of skill in the art that certain modifications, variations, and alternative constructions would be apparent, while remaining within the spirit and scope of the invention. In order to determine the metes and bounds of the invention, therefore, reference should be made to the appended claims.

Claims

WE CLAIM:
1. A method, comprising: identifying peer-to-peer connection patterns; marking traffic identified by the patterns as peer-to-peer traffic; identifying a destination address of the traffic as a peer-to-peer host; marking the peer-to-peer host as a supernode; and treating network connections to the supernode as peer-to-peer network connections.
2. The method of claim 1, further comprising: identifying peer-to-peer nodes that are no longer receiving peer-to-peer traffic; and once a node is identified that does not receive peer-to-peer traffic, terminating treating the node as a peer-to-peer client.
3. An apparatus, comprising: a first identifying unit configured to identify peer-to-peer traffic based upon connection patterns; a marking unit configured to mark the traffic as peer-to-peer traffic; a hosting unit configured to specify a destination host of the traffic as a peer-to-peer host, and to mark the host as a supernode, wherein the hosting unit is configured to treat all traffic to the supernode and all network connections to the supernode as peer-to-peer network connections.
4. The apparatus of claim 3, further comprising: a second identifying unit configured to identify a peer-to-peer designated node that is no longer receiving peer-to-peer traffic, and to remove the designation of the node as a peer-to-peer client.
5. A method, comprising: identifying a supernode of a peer-to-peer network using intelligent heuristics; identifying additional nodes of the peer-to-peer network using feedback; and marking the supernode and additional nodes as peer-to-peer nodes in a list.
6. The method of claim 5, further comprising: updating the list using an intelligent update.
7. The method of claim 6, wherein the updating the list comprises removing nodes from the list when the nodes no longer engage in peer-to-peer network traffic.
8. The method of claim 5, wherein the identifying the supernode comprises identifying at least two characteristics of the supernode's 5-tuple.
9. The method of claim 8, wherein the at least two characteristics comprise protocol and source address.
10. The method of claim 5, wherein the identifying the supernode comprises identifying that the supernode encounters a number of connections greater than a predetermined threshold within a predetermined amount of time.
11. The method of claim 10, wherein the predetermined amount of time is approximately 1 second, and wherein the predetermined threshold is approximately five.
12. The method of claim 5, wherein the identifying the other nodes comprises identifying nodes that are in communication with the supernode.
13. The method of claim 5, further comprising: blocking communication with nodes on the list, based on the list.
14. The method of claim 5, further comprising: applying charges or fees to nodes on the list, based on the list.
15. The method of claim 5, wherein the marking the supernode and the additional nodes comprises specifically distinguishing between ordinary nodes and supernodes.
16. An apparatus, comprising: a first identifying unit configured to identify a supernode of a peer-to-peer network using intelligent heuristics; a second identifying unit configured to identify additional nodes of the peer-to-peer network using feedback; and a marking unit configured to mark the supernode and additional nodes as peer-to-peer nodes in a list.
17. The apparatus of claim 16, further comprising: updating the list using an intelligent update.
18. The apparatus of claim 17, wherein the updating the list comprises removing nodes from the list when the nodes no longer engage in peer-to-peer network traffic.
19. The apparatus of claim 16, wherein the marking the supernode and the additional nodes comprises specifically distinguishing between ordinary nodes and supernodes.
20. The apparatus of claim 16, wherein the identifying the supernode comprises identifying at least two characteristics of the supernode's 5-tuple.
21. The apparatus of claim 20, wherein the at least two characteristics comprise protocol and source address.
22. The apparatus of claim 16, wherein the identifying the supernode comprises identifying that the supernode encounters a number of connections greater than a predetermined threshold within a predetermined amount of time.
23. The apparatus of claim 22, wherein the predetermined amount of time is approximately 1 second, and wherein the predetermined threshold is approximately five.
24. The apparatus of claim 16, wherein the identifying the other nodes comprises identifying nodes that are in communication with the supernode.
25. The apparatus of claim 16, further comprising: blocking communication with nodes on the list, based on the list.
26. The apparatus of claim 16, further comprising: applying charges or fees to nodes on the list, based on the list.
27. A computer program tangibly embodied on a computer readable medium encoding instructions for performing: identifying a supernode of a peer-to-peer network using intelligent heuristics; identifying additional nodes of the peer-to-peer network using feedback; and marking the supernode and additional nodes as peer-to-peer nodes in a list.
28. The computer program of claim 27, further comprising instructions for performing: updating the list using an intelligent update.
29. An apparatus, comprising: identifying means for identifying a supernode of a peer-to-peer network using intelligent heuristics and for identifying additional nodes of the peer-to-peer network using feedback; and marking means for marking the supernode and additional nodes as peer-to-peer nodes in a list.
30. The apparatus of claim 29, further comprising: updating means for updating the list using an intelligent update.
PCT/IB2007/003545 2006-11-29 2007-11-19 Method and apparatus for peer-to-peer network traffic analysis Ceased WO2008065496A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200780044054.6A CN101558604B (en) 2006-11-29 2007-11-19 Method and apparatus for peer-to-peer network traffic analysis

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US86144706P 2006-11-29 2006-11-29
US60/861,447 2006-11-29
US11/907,780 2007-10-17
US11/907,780 US20090106364A1 (en) 2007-10-17 2007-10-17 Method and apparatus for peer-to-peer network traffic analysis

Publications (2)

Publication Number Publication Date
WO2008065496A2 true WO2008065496A2 (en) 2008-06-05
WO2008065496A3 WO2008065496A3 (en) 2008-08-07

Family

ID=39315330

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IB2007/003545 Ceased WO2008065496A2 (en) 2006-11-29 2007-11-19 Method and apparatus for peer-to-peer network traffic analysis

Country Status (2)

Country Link
CN (1) CN101558604B (en)
WO (1) WO2008065496A2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9130959B2 (en) 2008-10-30 2015-09-08 Thomson Licensing Method and apparatus for monitoring a Kad network

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10567986B2 (en) * 2016-09-06 2020-02-18 Qualcomm Incorporated Back-off mechanisms for fair joint access of unlicensed sidelink

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB0402739D0 (en) * 2004-02-09 2004-03-10 Saviso Group Ltd Methods and apparatus for routing in a network
US7457293B2 (en) * 2004-04-05 2008-11-25 Panasonic Corporation Communication apparatus, method and program for realizing P2P communication
US20090299937A1 (en) * 2005-04-22 2009-12-03 Alexander Lazovsky Method and system for detecting and managing peer-to-peer traffic over a data network

Also Published As

Publication number Publication date
CN101558604B (en) 2013-04-24
CN101558604A (en) 2009-10-14
WO2008065496A3 (en) 2008-08-07

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200780044054.6

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07848907

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07848907

Country of ref document: EP

Kind code of ref document: A2