Sniffing Out Illicit BitTorrent Files

A new tool promises to detect illegal files without slowing network traffic.

A new technique has been developed for detecting and tracking illegal content transferred using the BitTorrent file-trading protocol. According to its creators, the approach can monitor networks without interrupting the flow of data and provides investigators with hard evidence of illicit file transfers.

Credit: Technology Review

Contraband files might include pirated movies, music, or software, and even child pornography. When the tool detects such a file, it keeps a record of the network addresses involved for later analysis, says Major Karl Schrader, who led the work at the Air Force Institute of Technology, in Kettering, OH.

The use of peer-to-peer (P2P) software and of the BitTorrent protocol in particular have increased steadily over recent years. In fact, for many Internet service providers (ISPs), the vast majority of Internet traffic now consists of P2P transfers.

ISPs are generally only interested in detecting this type of traffic in order to control, or "throttle," it and free up bandwidth for other uses. However, this approach reveals nothing about the contents of each transfer, says Schrader. A handful of network-monitoring tools can identify specific BitTorrent files, but the process is generally slow, since the contents of each file have to be examined. The time that this takes also increases exponentially as the number of files that need to be scanned grows.

"Our system differs in that it is completely passive, meaning that it does not change any information entering or leaving a network," says Schrader. It works, he says, by first spotting files that bare the hallmark of the BitTorrent protocol by examining the first 32 bits of the files' header data. Then the system looks at the files' hash, a unique identifying code used to coordinate the simultaneous download of hundreds of file fragments by different users. If a hash matches any stored in a database of prohibited hashes, then the system will make a record of the transfer and store the network addresses involved.

Story continues below

"I'm convinced that the solution works and that it will be quite cheap, as it is very specialized," says Hendrik Schulze, chief technology officer of Ipoque, a network analysis company based in Leipzig, Germany. More generalized solutions that try to monitor for a wide range of file types may be more flexible, he says, but they will also be more expensive.

One reason why the new technique is so fast is that the apparatus required consists of a specially configured field programmable gate array (FPGA) chip and a flash-memory card that stores a log of the illicit activity.