Calling All Nodes: Classifying Skype Control Protocol
Brett Meyer, Computer Science Department, The University of Georgia, firstname.lastname@example.org

Introduction
The rise in popularity of P2P applications in the past several years has also led to a corresponding rise in malware that employs the same overlay-network technique, most notably botnets. Detecting legitimate P2P programs in a network trace is a foremost concern in network security research.

Background/Related Work
Previous work has attempted to classify the voice, video and instant-message data transmitted through the Skype application. No attempt has been made thus far to classify the P2P overlay control protocol by itself. Most Skype users do not constantly make calls while they have the application open; they leave Skype running in the background and only make calls or send instant messages periodically.

Approach
Skype uses a highly robust proprietary encryption mechanism to hide all of the data transmitted by the application. The feature selected to facilitate classification is the keep-alive message that the Skype network must send between nodes in order to maintain the overlay network.

Testbed
The testbed environment used in this research to generate real-world Skype behavior for analysis is as follows:
- A NAT-ed LAN of 7 machines running only Skype, with Automatic Updates and all other services disabled; 2 of the machines are dedicated to generating VoIP calls and 2 to generating instant messages, to mimic real-world user behavior.
- 2 machines with Intel i7 four-core processors and 8 GB of RAM running only Skype, with Automatic Updates and all other services disabled and the university firewall disabled, in order to increase the chance of these machines being promoted to supernodes in the Skype P2P network.
- All machines not making calls or sending instant messages simply have Skype open and running, to generate control traffic.
The features of the connected IPs used for analysis are:
- Number of bytes per packet
- Inter-packet delay

Discussion
Skype traffic is being collected from the testbed environment and analyzed for the statistical properties of the likely keep-alive transmissions. In the next phase of this research, a similar testbed will be created for 4 additional P2P applications in order to generate training, testing and evaluation sets for classification.

Contributions
- A dataset of real-world Skype control, messaging and call transactions
- A dataset of real-world P2P application behaviors
- A statistical method for modeling Skype control protocol behavior
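The poster names two per-flow features, bytes per packet and inter-packet delay, and proposes the periodic keep-alive as the signal that separates idle overlay control traffic from calls and messages. The following is an added example, not the author's code or data, showing how a defender would compute those two features per (source, destination) pair from a packet log and flag flows whose packet sizes are small and nearly constant and whose inter-arrival times are nearly periodic. The packet records are constructed inline, and the thresholds (maximum size, size spread, delay coefficient of variation, minimum packet count) are assumptions chosen for the sample, not values from the poster.

```python
"""Per-flow size and inter-packet-delay features for keep-alive-like traffic.

Added example accompanying the poster; it is not the author's code.
The packet records below are constructed, not captured from the testbed,
and all thresholds are assumptions for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet log: (timestamp_seconds, src, dst, payload_bytes).
# Flow A (10.0.0.5 -> 203.0.113.7): small packets every ~20 s, keep-alive-like.
# Flow B (10.0.0.6 -> 198.51.100.9): bursty, variable-size, call/data-like.
# Flow C (10.0.0.7 -> 192.0.2.4): too few packets to judge.
SAMPLE_PACKETS = [
    (0.0, "10.0.0.5", "203.0.113.7", 44),
    (20.1, "10.0.0.5", "203.0.113.7", 44),
    (39.9, "10.0.0.5", "203.0.113.7", 44),
    (60.2, "10.0.0.5", "203.0.113.7", 44),
    (80.0, "10.0.0.5", "203.0.113.7", 44),
    (100.1, "10.0.0.5", "203.0.113.7", 44),
    (0.0, "10.0.0.6", "198.51.100.9", 900),
    (0.02, "10.0.0.6", "198.51.100.9", 1200),
    (0.05, "10.0.0.6", "198.51.100.9", 300),
    (0.06, "10.0.0.6", "198.51.100.9", 1400),
    (1.5, "10.0.0.6", "198.51.100.9", 650),
    (1.52, "10.0.0.6", "198.51.100.9", 1100),
    (3.0, "10.0.0.6", "198.51.100.9", 200),
    (0.0, "10.0.0.7", "192.0.2.4", 44),
    (20.0, "10.0.0.7", "192.0.2.4", 44),
]


def extract_features(packets):
    """Group packets by (src, dst) and compute the two poster features.

    Returns a dict keyed by (src, dst) with packet count, mean and
    population std of packet size, mean inter-packet delay, and the
    coefficient of variation (std / mean) of the delay, which is near
    zero for strictly periodic traffic.
    """
    flows = defaultdict(list)
    for ts, src, dst, size in sorted(packets):
        flows[(src, dst)].append((ts, size))

    features = {}
    for key, pkts in flows.items():
        sizes = [s for _, s in pkts]
        times = [t for t, _ in pkts]
        delays = [b - a for a, b in zip(times, times[1:])]
        delay_mean = mean(delays) if delays else 0.0
        delay_cv = pstdev(delays) / delay_mean if delays and delay_mean > 0 else 0.0
        features[key] = {
            "packets": len(pkts),
            "size_mean": mean(sizes),
            "size_std": pstdev(sizes),
            "delay_mean": delay_mean,
            "delay_cv": delay_cv,
        }
    return features


def looks_like_keepalive(feat, max_size=128, max_size_std=8.0,
                         max_delay_cv=0.2, min_packets=4):
    """Assumed heuristic: small, near-constant packets sent at a steady period.

    Flows with fewer than min_packets are never flagged, because the
    delay statistics of one or two intervals are not meaningful.
    """
    if feat["packets"] < min_packets:
        return False
    return (feat["size_mean"] <= max_size
            and feat["size_std"] <= max_size_std
            and feat["delay_cv"] <= max_delay_cv)


def classify(packets):
    """Map each (src, dst) flow to True if it looks like control keep-alives."""
    return {key: looks_like_keepalive(feat)
            for key, feat in extract_features(packets).items()}


if __name__ == "__main__":
    for key, feat in extract_features(SAMPLE_PACKETS).items():
        print(key, {k: round(v, 3) for k, v in feat.items()},
              "keep-alive-like" if looks_like_keepalive(feat) else "other")
```

On the constructed sample, flow A is flagged (delay CV about 0.01, size spread 0), flow B is not (delay CV above 1, size spread of several hundred bytes), and flow C is skipped for having too few packets. On a real trace the thresholds would be fitted from the labelled testbed data rather than set by hand, and the flow key would normally include ports and transport protocol.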