Proposal / Submission Type

Presentation

Location

Richmond, Virginia

Start Date

10-6-2013 1:45 PM

Abstract

Tracing contraband downloads leads investigators to an IP address, and in turn Internet Service Providers (ISP) can provide a physical location using this IP address. However, most homes and offices share this IP address among many computers using wireless networks. In other words, there needs to be another investigation to find out which computer was responsible for contraband downloads. To make matters worse, these shared wireless networks often have vulnerabilities in access control such as using WEP or using weak passwords. In such cases, any computer in range, not necessarily at the given physical address, could be responsible. We use shallow packet analysis to identify which computer in the shared wireless network is participating in peer-to-peer downloads. Our approach does not require the packet content, thus does not require wiretapping warrant. We discuss characteristics of peer-to-peer traffic and show how we derive and use them. Our approach monitors the patterns in the duration, the frequency, the amount of information uploaded and downloaded, and the download speed in all connections. In particular, we monitor the traffic distribution over time for each connection and combine them based on their unencrypted header information to learn which connections are likely to stem from which application.

Keywords: peer-to-peer, contraband download, tracing, investigation tool

 
Jun 10th, 1:45 PM

Identifying Peer-to-Peer Traffic on Shared Wireless Networks

Richmond, Virginia

Tracing contraband downloads leads investigators to an IP address, and in turn Internet Service Providers (ISP) can provide a physical location using this IP address. However, most homes and offices share this IP address among many computers using wireless networks. In other words, there needs to be another investigation to find out which computer was responsible for contraband downloads. To make matters worse, these shared wireless networks often have vulnerabilities in access control such as using WEP or using weak passwords. In such cases, any computer in range, not necessarily at the given physical address, could be responsible. We use shallow packet analysis to identify which computer in the shared wireless network is participating in peer-to-peer downloads. Our approach does not require the packet content, thus does not require wiretapping warrant. We discuss characteristics of peer-to-peer traffic and show how we derive and use them. Our approach monitors the patterns in the duration, the frequency, the amount of information uploaded and downloaded, and the download speed in all connections. In particular, we monitor the traffic distribution over time for each connection and combine them based on their unencrypted header information to learn which connections are likely to stem from which application.

Keywords: peer-to-peer, contraband download, tracing, investigation tool