Detecting Skype flows in Web traffic

Network managers face nowadays a challenging problem to detect traffic from Skype, a very popular application for VoIP communications. If no restrictive firewalls are adopted, Skype uses UDP as its preferred transport protocol, but it is known that due to its high capacity of adaptation, Skype can operate behind many firewalls and network proxies without user configuration. Behind restrictive firewalls, Skype uses Web TCP ports (80 or 443) as a fallback mechanism to delude firewalls and other network elements. This strategy renders Skype traffic disguised as Web traffic quite difficult to detect by network operators. In this paper, we propose a method to efficiently detect Skype flows hidden among Web traffic. We validate our proposal using real-world experimental data gathered at a commercial Internet service provider (ISP) and an academic institution. Our experimental results show a performance of around 90% detection rate of disguised Skype flows with a false positive rate of only 2%, whereas a 100% detection rate of Skype flows in Web traffic is achieved with a false positive rate limited to only 5%. We also evaluate the feasibility of our proposal in a real-time Skype detection scenario.