A Model for Foxy Peer-to-Peer Network Investigations

Validation Rules for Enhanced Foxy P2P Network Investigations

IFIP Advances in Information and Communication Technology, 2014

Experiments with the Foxy P2P network have demonstrated that the first uploader of a file can be identified when search queries are submitted to all the network nodes during initial file sharing. However, in real Foxy networks, file search queries are not transmitted to the entire Foxy network and this process may not identify the first uploader. This paper presents a set of validation rules that validate the observed first uploader. The validation rules define the seeder curve that consistently describes the number of uploaders over time. Analysis of four scenarios shows improved accuracy at detecting the first uploader and that, in situations with insufficient competition for file content, the first uploader may not be identified precisely.

Validation of Rules Used in Foxy Peer-to-Peer Network Investigations

IFIP Advances in Information and Communication Technology, 2012

Rules have been specified for identifying first seeders in the Foxy peer-to-peer (P2P) network. However, these rules have not been validated due to difficulties in repeating download scenarios. This paper describes a rule validation scheme that uses a network simulation environment. The Type I and Type II error rates of Foxy network monitoring rules over 100 simulation experiments covering ten scenarios are measured and analyzed. The error rates reflect the limitations of the monitoring rules and demonstrate the importance of using network simulations for rule validation.

Universal Peer-to-Peer Network Investigation Framework

Peer-to-Peer (P2P) networking has fast become a useful technological advancement for a vast range of cybercriminal activities. Cybercrimes from copyright infringement and spamming, to serious, high financial impact crimes, such as fraud, distributed denial of service attacks (DDoS) and phishing can all be aided by applications and systems based on the technology. The requirement for investigating P2P based systems is not limited to the more well-known cybercrimes listed above, as many more legitimate P2P based applications may also be pertinent to a digital forensic investigation, e.g., VoIP and instant messaging communications, etc. Investigating these networks has become increasingly difficult due to the broad range of network topologies and the ever increasing and evolving range of P2P based applications. This paper introduces the Universal Peer-to-Peer Network Investigation Framework (UP2PNIF); a framework which enables significantly faster and less labour intensive investigation of newly discovered P2P networks through the exploitation of the commonalities in network functionality. In combination with a reference database of known network protocols and characteristics, it is envisioned that any known P2P network can be instantly investigated using the framework. The framework can intelligently determine the best methodology dependent on the focus of the investigation resulting in a significantly expedited evidence gathering process.

Identifying First Seeders in Foxy Peer-to-Peer Networks

2010

This paper describes a new approach for identifying first seeders in illegal file sharing investigations involving Foxy, one of the most popular Chinese peer-to-peer networks. In identifying first seeders, the approach focuses on determining the slow-rising period of the cumulative seeder curve instead of merely measuring the number of seeders. The relationships between file popularity, number of packets and the maximum upload limit during the time that the first seeder is connected to the network are also analyzed. These relationships are used to specify rules that investigators can use to determine if an identified seeder is, in fact, the first seeder.
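The three Foxy abstracts above (the seeder-curve validation rules, the Type I / Type II error measurement, and the slow-rising period of the cumulative seeder curve) all turn on the same mechanics. The following Python block is an added illustration written for this page, not code from those papers: it builds a cumulative seeder curve from constructed sightings, locates its slow-rising period, applies an assumed first-seeder rule, and scores that rule's Type I and Type II error rates over four constructed scenarios. The window, seeder-gain, sighting and period thresholds, the rule itself and all peer names are assumptions for the example; the actual rules are in the papers.

```python
# Added illustration, not the papers' code. All thresholds are assumptions.

# Constructed sightings for one file: (minutes since monitoring began, peer id).
# Each tuple means "peer id was seen offering the file at that minute".
OBSERVATIONS = [
    (0, "peerA"), (3, "peerA"), (5, "peerA"), (9, "peerB"), (12, "peerA"),
    (20, "peerC"), (25, "peerD"), (26, "peerE"), (27, "peerF"),
    (28, "peerG"), (29, "peerH"), (30, "peerI"),
]


def cumulative_seeder_curve(observations):
    """Points (minute, distinct seeders seen so far), one per newly seen seeder."""
    seen = set()
    curve = []
    for minute, peer in sorted(observations):
        if peer not in seen:
            seen.add(peer)
            curve.append((minute, len(seen)))
    return curve


def slow_rising_period(curve, window, max_new_seeders):
    """
    (start, end) of the initial slow-rising phase: the longest prefix of the
    curve in which no `window`-minute interval gains more than
    `max_new_seeders` seeders. The prefix ends where the burst begins.
    """
    if not curve:
        return None
    start = end = curve[0][0]
    for minute, count in curve:
        # seeder count as it stood `window` minutes earlier
        earlier = [c for (m, c) in curve if m <= minute - window]
        base = earlier[-1] if earlier else 0
        if count - base > max_new_seeders:
            break
        end = minute
    return (start, end)


def first_seeder_rule(observations, window=10, max_new_seeders=2,
                      min_sightings=2, min_period=5):
    """
    Assumed rule: accept the earliest-seen seeder as the first seeder only if
    it was sighted at least `min_sightings` times inside the slow-rising
    period and that period lasted at least `min_period` minutes, i.e. the
    monitor watched the slow start rather than joining at the burst.
    Returns the accepted peer id, or None when the rule declines.
    """
    period = slow_rising_period(cumulative_seeder_curve(observations),
                                window, max_new_seeders)
    if period is None:
        return None
    start, end = period
    earliest = min(observations)[1]
    sightings = sum(1 for minute, peer in observations
                    if peer == earliest and start <= minute <= end)
    if end - start >= min_period and sightings >= min_sightings:
        return earliest
    return None


# Constructed scenarios: (sightings, true first seeder).
SCENARIOS = [
    # monitor present from the start, healthy demand: rule should succeed
    (OBSERVATIONS, "peerA"),
    # monitor joined late and saw only the burst: peerX cannot be told apart
    # from downloaders that completed at the same moment
    ([(40, "peerY"), (40, "peerX"), (41, "peerZ"), (41, "peerW"),
      (42, "peerV")], "peerX"),
    # no competition for the file: the curve never rises at all
    ([(0, "peerQ"), (4, "peerQ"), (9, "peerQ")], "peerQ"),
    # peerN finished downloading from peerM before the monitor's first probe
    # was answered, so peerN is seen first and the rule names the wrong peer
    ([(0, "peerN"), (1, "peerM"), (3, "peerN"), (6, "peerN"), (8, "peerM"),
      (15, "peerO"), (30, "peerP"), (31, "peerR"), (32, "peerS"),
      (33, "peerT")], "peerM"),
]


def error_rates(scenarios, **rule_kwargs):
    """
    Type I: the rule accepted a peer that is not the true first seeder.
    Type II: the rule declined although the true first seeder was sighted.
    Returns (type_i_rate, type_ii_rate) over the scenarios.
    """
    type_i = type_ii = 0
    for sightings, truth in scenarios:
        verdict = first_seeder_rule(sightings, **rule_kwargs)
        if verdict is None:
            type_ii += 1
        elif verdict != truth:
            type_i += 1
    return type_i / len(scenarios), type_ii / len(scenarios)


if __name__ == "__main__":
    print(cumulative_seeder_curve(OBSERVATIONS))
    print(first_seeder_rule(OBSERVATIONS))
    print(error_rates(SCENARIOS))
```

The two Type II scenarios are the cases the abstracts warn about: a monitor that never saw the slow start, and a file with too little demand for a seeder curve to form. The Type I scenario shows why "earliest sighting" alone is not enough and why a rule needs validation against scenarios with known ground truth.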

Evidence Collection in Peer-to-Peer Network Investigations

IFIP Advances in Information and Communication Technology, 2012

Peer-to-peer (P2P) file sharing networks are often abused to distribute content that is prohibited by law. Strong evidence of suspicion must be provided to obtain a court order to identify the location of an offender. However, initial evidence collection from a P2P network is a challenge due to the lack of a central point of control and the dynamic nature of the network. This paper describes an initial evidence collection tool for P2P network forensics. The tool performs active and passive monitoring by inserting a modified peer node in a P2P network that records relevant information about nodes that distribute contraband files. It logs data sent by suspicious nodes along with timestamps and unique identification information, which provides a strong, verifiable body of initial evidence.
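The abstract above describes logging what suspicious nodes send, with timestamps and identification, so that the record is verifiable. The Python block below is an added example written for this page, not the paper's tool: an append-only evidence log in which each entry's digest covers the previous entry's digest, so any later edit or deletion is detectable, and which stores only a hash and length of the received bytes rather than the contraband itself. The monitor id, peer addresses, client ids, timestamps and payloads are constructed for the example.

```python
# Added example, not the paper's tool. Sample data is constructed.
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(body):
    """Canonical SHA-256 over the entry body (sorted keys, no whitespace games)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only log; every entry binds the digest of the entry before it."""

    def __init__(self, monitor_id):
        self.monitor_id = monitor_id
        self.entries = []

    def record(self, peer_ip, peer_port, peer_id, file_hash, payload, ts=None):
        ts = ts or datetime.now(timezone.utc).isoformat()
        body = {
            "seq": len(self.entries),
            "monitor": self.monitor_id,
            "ts": ts,
            "peer": f"{peer_ip}:{peer_port}",
            "peer_id": peer_id,
            "file_hash": file_hash,
            # keep a fingerprint of what the peer sent, not the content itself
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
            "payload_len": len(payload),
            "prev": self.entries[-1]["digest"] if self.entries else GENESIS,
        }
        entry = {**body, "digest": _digest(body)}
        self.entries.append(entry)
        return entry["digest"]


def verify(entries):
    """Index of the first entry that breaks the chain, or -1 if all verify."""
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "digest"}
        if body["seq"] != i or body["prev"] != prev:
            return i
        if _digest(body) != entry["digest"]:
            return i
        prev = entry["digest"]
    return -1


def build_sample_log():
    """Three constructed observations from a hypothetical monitoring node."""
    log = EvidenceLog("monitor-01")
    file_hash = hashlib.sha256(b"constructed file").hexdigest()
    log.record("192.0.2.10", 6881, "client-aaaa", file_hash, b"chunk-0",
               "2012-05-01T10:00:00+00:00")
    log.record("192.0.2.10", 6881, "client-aaaa", file_hash, b"chunk-1",
               "2012-05-01T10:00:07+00:00")
    log.record("198.51.100.7", 6882, "client-bbbb", file_hash, b"chunk-0",
               "2012-05-01T10:00:12+00:00")
    return log


def tamper_demo(log):
    """Return (index flagged after editing entry 1, index flagged after deleting entry 0)."""
    edited = copy.deepcopy(log.entries)
    edited[1]["peer"] = "203.0.113.99:6881"      # attribute the transfer to another host
    deleted = copy.deepcopy(log.entries)[1:]      # drop the first observation
    return verify(edited), verify(deleted)


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify(sample.entries))
    print("tampered:", tamper_demo(sample))
```

Chaining makes the log tamper-evident, not tamper-proof: whoever holds the log can rebuild the whole chain. To make it evidentially strong the final digest (or each one) should be committed somewhere the operator cannot rewrite, for example a timestamping service or a signed daily manifest.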

Identification and Analysis of Peer-to-Peer Traffic

Journal of Communications, 2006

Recent measurement studies report that a significant portion of Internet traffic is unknown. It is very likely that the majority of the unidentified traffic originates from peer-to-peer (P2P) applications. However, traditional techniques to identify P2P traffic seem to fail since these applications usually disguise their existence by using arbitrary ports. In addition to the identification of actual P2P traffic, the characteristics of that type of traffic are also scarcely known. The main purpose of this paper is twofold. First, we propose a novel identification method to reveal P2P traffic from traffic aggregation. Our method does not rely on packet payload so we avoid the difficulties arising from legal, privacy-related, financial and technical obstacles. Instead, our method is based on a set of heuristics derived from the robust properties of P2P traffic. We demonstrate our method with current traffic data obtained from one of the largest Internet providers in Hungary. We also show the high accuracy of the proposed algorithm by means of a validation study. Second, several results of a comprehensive traffic analysis study are reported in the paper. We show the daily behavior of P2P users compared to the non-P2P users. We present our important finding about the almost constant ratio of the P2P and total number of users. Flow sizes and holding times are also analyzed and results of a heavy-tail analysis are described. Finally, we discuss the popularity distribution properties of P2P applications. Our results show that the unique properties of P2P application traffic seem to fade away during aggregation and characteristics of the traffic will be similar to that of other non-P2P traffic aggregation.

A unified format for traces of peer-to-peer systems

2009

Peer-to-Peer (P2P) systems have recently emerged as a scalable platform for which costs are shared between the system users. Today, P2P technology is serving millions of users world-wide, with applications such as file sharing, video streaming, grid computing, and massively multiplayer online games. Such diversity and scale pose important research and technical problems, which in turn require a much better understanding of the usage patterns and of the performance bottlenecks.

Identification of P2P Flows Through Host Activity

Proceedings of the 6th International ICST Conference on Broadband Communications, Networks, and Systems, 2009

With the increasing quantity and varying nature of traffic crossing the internet, coupled with techniques such as fluctuating port numbers and transport layer encryption, the identification of individual packet flows is becoming more difficult. We introduce and investigate a new method for the detection of P2P flows based on the activity of the hosts (IP addresses) involved in the connection. Heuristics are generated that examine properties of these hosts and used to uniquely detect individual P2P and non-P2P flows. The identification strategy has been tested on two real network data traces from a core internet router with some classification accuracies showing higher than 99%.
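Both the 2006 abstract (payload-free heuristics over the "robust properties" of P2P traffic) and the 2009 abstract above (heuristics over the activity of the hosts in a flow) classify flows without inspecting payload. The Python block below is an added illustration written for this page, not code from either paper: it profiles each host from constructed flow records, applies two assumed host-activity heuristics, and measures accuracy against constructed labels. The heuristics (a host using both TCP and UDP with the same remote; a host talking to many remotes on nearly as many distinct ports), the thresholds, the service-port exclusion list and every address and port are assumptions for the example.

```python
# Added illustration, not the papers' method. Heuristics and data are assumed.
from collections import defaultdict

# Constructed flow records: (src, sport, dst, dport, proto, bytes, label).
# `label` is ground truth used only to score the classifier.
FLOWS = [
    # 10.0.0.5 runs a P2P client: many remotes, many ports, TCP and UDP mixed
    ("10.0.0.5", 51413, "203.0.113.7", 6881, "tcp", 120000, "p2p"),
    ("10.0.0.5", 51413, "203.0.113.7", 6881, "udp", 900, "p2p"),
    ("10.0.0.5", 51413, "198.51.100.9", 23456, "tcp", 88000, "p2p"),
    ("10.0.0.5", 51413, "192.0.2.44", 41201, "tcp", 64000, "p2p"),
    ("10.0.0.5", 51413, "192.0.2.77", 12001, "udp", 1500, "p2p"),
    ("10.0.0.5", 51413, "192.0.2.77", 12001, "tcp", 32000, "p2p"),
    # 10.0.0.5 also browses; this must not be swept up with its P2P flows
    ("10.0.0.5", 40321, "93.184.216.34", 443, "tcp", 15000, "web"),
    # 10.0.0.5 plays an online game on a high UDP port: a known weak spot
    ("10.0.0.5", 50000, "192.0.2.200", 27015, "udp", 3000, "game"),
    # 10.0.0.8 is an ordinary client: few remotes, service ports only
    ("10.0.0.8", 40001, "93.184.216.34", 443, "tcp", 20000, "web"),
    ("10.0.0.8", 40002, "93.184.216.34", 80, "tcp", 5000, "web"),
    ("10.0.0.8", 40003, "198.51.100.25", 993, "tcp", 3000, "mail"),
    ("10.0.0.8", 40004, "192.0.2.53", 53, "udp", 200, "dns"),
]

# Well-known service ports: flows on these are treated as non-P2P outright.
SERVICE_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995}


def host_profiles(flows):
    """
    Per host: remotes it talked to, remote ports it used, and the transport
    protocols seen towards each remote. Service-port flows are left out so
    ordinary web, mail and DNS activity does not inflate the counts.
    """
    profiles = defaultdict(lambda: {"peers": set(), "ports": set(),
                                    "protos": defaultdict(set)})
    for src, sport, dst, dport, proto, _, _ in flows:
        if sport in SERVICE_PORTS or dport in SERVICE_PORTS:
            continue
        # profile both endpoints: each sees the other as a remote
        for local, remote, rport in ((src, dst, dport), (dst, src, sport)):
            p = profiles[local]
            p["peers"].add(remote)
            p["ports"].add(rport)
            p["protos"][remote].add(proto)
    return profiles


def is_p2p_host(profile, min_peers=3, port_ratio=0.75):
    """
    Assumed heuristics: a host is P2P-active if (a) it used both TCP and UDP
    with the same remote, or (b) it talked to at least `min_peers` remotes on
    nearly as many distinct ports (peers each pick their own port; servers
    sit behind a few fixed ones).
    """
    if any({"tcp", "udp"} <= protos for protos in profile["protos"].values()):
        return True
    peers = len(profile["peers"])
    return peers >= min_peers and len(profile["ports"]) / peers >= port_ratio


def classify_flows(flows):
    """One 'p2p' / 'non-p2p' verdict per flow, in input order."""
    profiles = host_profiles(flows)
    verdicts = []
    for src, sport, dst, dport, _, _, _ in flows:
        if sport in SERVICE_PORTS or dport in SERVICE_PORTS:
            verdicts.append("non-p2p")
        elif is_p2p_host(profiles[src]) or is_p2p_host(profiles[dst]):
            verdicts.append("p2p")
        else:
            verdicts.append("non-p2p")
    return verdicts


def accuracy(flows):
    """Fraction of flows whose verdict agrees with the constructed label."""
    verdicts = classify_flows(flows)
    correct = sum(1 for v, f in zip(verdicts, flows)
                  if (v == "p2p") == (f[-1] == "p2p"))
    return correct / len(flows)


if __name__ == "__main__":
    for flow, verdict in zip(FLOWS, classify_flows(FLOWS)):
        print(verdict, flow[-1], flow[:4])
    print("accuracy:", accuracy(FLOWS))
```

The one misclassified flow is deliberate: host-level heuristics attribute a host's reputation to all of its non-service flows, so a P2P-active host's game traffic is flagged too. That is the trade-off behind the high accuracies such methods report on aggregated traces; per-flow precision for mixed-use hosts is where they are weakest.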