DocumentCode
1799847
Title
Identifying P2P Network Activities on Encrypted Traffic
Author
Xiaolei Wang ; Yuexiang Yang ; Jie He
Author_Institution
Coll. of Comput., Nat. Univ. of Defense Technol., Changsha, China
fYear
2014
fDate
24-26 Sept. 2014
Firstpage
893
Lastpage
899
Abstract
Peer-to-Peer (P2P) traffic has always been a dominant portion of current Internet traffic and has become more and more difficult to manage for Internet Service Producers (ISP) and network administrators. Although many methods have been proposed to classify different types of P2P applications and have achieved satisfactory performance, research on identifying the network activities of a certain P2P application is, to the best of our knowledge, still lacking, and is urgently required in the context of forensic investigation of illegal P2P applications. In this paper, a novel approach based on the Hidden Markov Model is proposed to identify network activities on encrypted traffic, based on analysis of the time series characteristics and statistical properties of network traffic. After presenting a general model of network activities, TeamViewer is selected as a case study to verify the effectiveness of the approach in identifying different activities. According to experiments using real network traces, our approach proves to be effective in identifying different activities of a P2P application, with a high true positive of 99.1% and a low, negligible false positive of 3.6%.
Keywords
Internet; computer network security; cryptography; hidden Markov models; peer-to-peer computing; telecommunication traffic; time series; ISP; Internet service producers; Internet traffic; P2P network activities identification; P2P traffic; TeamViewer; encrypted traffic; forensic investigation context; hidden Markov model; illegal P2P applications; peer-to-peer traffic; statistical properties; time series characteristics; Analytical models; Computational modeling; Cryptography; Hidden Markov models; Probability; Time series analysis; Training; Baum-Welch algorithm; Hidden Markov Model (HMM); Peer-to-Peer; TeamViewer; Viterbi algorithm; statistical properties; time series characteristics;
fLanguage
English
Publisher
ieee
Conference_Titel
Trust, Security and Privacy in Computing and Communications (TrustCom), 2014 IEEE 13th International Conference on
Conference_Location
Beijing
Type
conf
DOI
10.1109/TrustCom.2014.117
Filename
7011343