On Metrics to Distinguish Skype Flows from HTTP Traffic

Journal of Network and Systems Management

Abstract

Skype is a Voice over IP (VoIP) Internet application that has gained huge popularity in recent years. A key factor in Skype's popularity is its ability to dynamically adapt itself to operate behind firewalls or network proxies. A common way for Skype to deceive these network devices is to use port 80, which is normally expected to carry HTTP traffic. In this paper, we propose metrics and investigate statistical tests intended to clearly distinguish Skype flows from HTTP traffic. We validate our study using real-world experimental datasets gathered at a commercial Internet Service Provider (ISP). Our experimental results suggest that the proposed methodology may be seen as a promising building block towards a system to detect general protocol anomalies in HTTP traffic.

References

  1. Freire, E.J.P., Ziviani, A., Salles, R.M.: On metrics to distinguish skype flows from HTTP traffic. In: Proceedings of the IEEE Latin American Network Operations and Management Symposium—IEEE LANOMS 2007, September (2007)

  2. IANA, Port numbers. http://www.iana.org/assignments/port-numbers

  3. Skype. http://www.skype.com/

  4. Baset, S., Schulzrinne, H.: An analysis of the skype peer-to-peer internet telephony protocol. In: Proceedings of IEEE INFOCOM’06, April (2006)

  5. Ehlert, S., Petgang, S., Magedanz, T., Sisalem, D.: Analysis and signature of skype VoIP session traffic. In: 4th IASTED International Conference on Communications, Internet, and Information Technology—CIIT 2006, pp. 83–89, November/December (2006)

  6. Guha, S., Daswani, N., Jain, R.: An experimental study of the skype peer-to-peer VoIP system. In: Proceedings of the 5th International Workshop on Peer-to-Peer Systems—IPTPS’06, pp. 1–6, February (2006)

  7. Karagiannis, T., Papagiannaki, K., Faloutsos, M.: Blinc: multilevel traffic classification in the dark. In: Proceedings of the ACM SIGCOMM’05, pp. 229–240 (2005)

  8. Moore, A., Papagiannaki, K.: Toward the accurate identification of network applications. In: Proceedings of the Passive and Active Measurement Workshop—PAM 2005, March/April (2005)

  9. Bernaille, L., Teixeira, R., Akodkenou, I., Soule, A., Salamatian, K.: Traffic classification on the fly. ACM SIGCOMM Comput. Commun. Rev. 36(2), 23–26 (2006)

  10. Ma, J., Levchenko, K., Kreibich, C., Savage, S., Voelker, G.M.: Unexpected means of protocol inference. In: Proceedings of the 6th ACM SIGCOMM Internet Measurement Conference—IMC ‘06, pp. 313–326 (2006)

  11. Leland, W.E., Taqqu, M.S., Willinger, W., Wilson, D.V.: On the self-similar nature of ethernet traffic (extended version). IEEE/ACM Trans. Netw. 2, 1–15 (1994)

  12. Crovella, M.E., Bestavros, A.: Self-similarity in World Wide Web traffic: evidence and possible causes. IEEE/ACM Trans. Netw. 5, 835–846 (1997)

  13. Mah, B.A.: An empirical model of http network traffic. In: Proceedings of the IEEE INFOCOM’97 (1997)

  14. Barford, P., Crovella, M.: Generating representative web workloads for network and server performance evaluation. In: Proceedings of the ACM SIGMETRICS ‘98, pp. 151–160 (1998)

  15. Cunha, C., Bestavros, A., Crovella, M.: Characteristics of www client-based traces, tech. rep., Boston, MA, USA (1995)

  16. Choi, H.-K., Limb, J.O.: A behavioral model of web traffic. In: Proceedings of the Seventh Annual International Conference on Network Protocols—ICNP’99, pp. 327–334 (1999)

  17. Arlitt, M., Williamson, C.: A synthetic workload model for Internet mosaic traffic. In: Proceedings of the 1995 Summer Computer Simulation Conference, pp. 852–857, July (1995)

  18. Reyes-Lecuona, A., González-Parada, E., Casilari, E., Casasola, J.C., Díaz-Estrella, A.: A page-oriented www traffic model for wireless system simulations. In: Proceedings of 16th International Teletraffic Congress—ITC, pp. 1271–1280, June (1999)

  19. Abrahamsson, H., Ahlgren, B.: Using empirical distributions to characterize web client traffic and to generate synthetic traffic. In: Proceedings of IEEE Global Telecommunications Conference—GLOBECOM’00, November (2000)

  20. Kruegel, C., Vigna, G., Robertson, W.: A multi-model approach to the detection of web-based attacks. Comput. Netw. 48(5), 717–738 (2005)

  21. Estévez-Tapiador, J.M., García-Teodoro, P., Díaz-Verdejo, J.E.: Measuring normality in http traffic for anomaly-based intrusion detection. Comput. Netw. 45, 175–193 (2004)

  22. Suh, K., Figueiredo, D.R., Kurose, J., Towsley, D.: Characterizing and detecting relayed traffic: a case study using skype. In: Proceedings of the IEEE INFOCOM’06, April (2006)

  23. Bonfiglio, D., Mellia, M., Meo, M., Rossi, D., Tofanelli, P.: Revealing skype traffic: when randomness plays with you. In: Proceedings of the ACM SIGCOMM’07, August (2007)

  24. Bonfiglio, D., Mellia, M., Meo, M., Ritacca, N., Rossi, D.: Tracking down skype traffic. In: Proceedings of the IEEE INFOCOM’08, April (2008)

  25. Jacobson, V., Leres, C., McCanne, S.: tcpdump. http://www.tcpdump.org/

  26. Cochran, W.G.: The χ² test of goodness of fit. Ann. Math. Stat. 23(3), 315–345 (1952)

  27. Massey, F.J., Jr.: The Kolmogorov–Smirnov test for goodness of fit. J. Am. Stat. Assoc. 46, 68–78 (1951)

  28. Ye, N., Li, X., Chen, Q., Emran, S.M., Xu, M.: Probabilistic techniques for intrusion detection based on computer audit data. IEEE Trans. Syst. Man Cybern. A 31, 266–274 (2001)

  29. Elson, J.: tcpflow. http://www.circlemud.org/jelson/software/tcpflow/

  30. Freire, E.J.P., Ziviani, A., Salles, R.M.: Detecting skype flows in web traffic. In: Proceedings of the IEEE/IFIP Network Operations and Management Symposium—IEEE/IFIP NOMS 2008, April (2008)

Acknowledgments

The authors would like to thank Marcos Gomes Pinto Ferreira, Marcos Vinícius do Couto, and all other staff members of the commercial ISP that kindly helped us to get the Web experimental datasets used in this work. This work was supported by the Brazilian Army, CNPq, and FAPERJ.

Author information

Corresponding author

Correspondence to Artur Ziviani.

Additional information

This paper is an extended version of [1].

About this article

Cite this article

Freire, E.P., Ziviani, A. & Salles, R.M. On Metrics to Distinguish Skype Flows from HTTP Traffic. J Netw Syst Manage 17, 53–72 (2009). https://doi.org/10.1007/s10922-009-9120-x

  • DOI: https://doi.org/10.1007/s10922-009-9120-x
