Proceedings [PDF] - Measurement and Analysis of P2P Activity ...

International Conference Advances in the Analysis of Online Paedophile Activity Paris, France; 2-3 June, 2009
storage 2 . The resulting data set occupies 500 gigabytes
in total. It contains 10 millions queries, 90 millions of
IP addresses and 280 millions of distinct files.
This measurement as the benefit of capturing all of
the data exchanged by the server, however it fails at collecting
clients to clients communications. Hence, we are
not able to study the file exchanges that occur between
clients.
3.2 Client measurements
There are two different client based measurements.
The first one, Honeypot, aims at collecting information
about file exchanges between clients, whereas the
second one performs queries using specific keywords to
monitor files available in the eDonkey network. They
are conjointly used to circumvent the limitations of the
server measurements.
3.2.1 Honeypot
We developed an eDonkey honeypot : a client that (1)
informs the server that it is willing to exchange a predefined
list of files, and (2) that allows connection from
other clients, but will either send random content or no
content at all. Moreover, the honeypot retrieves the list
of files shared by clients contacting it. Consequently, it
is now possible to measure the paedophile activity concerning
client to client communication, and to precisely
identify the interest of users concerning specific files.
Using this honeypot, we conducted an active measurement
[4] during 32 days; 24 distributed honeypots
were advertising 4 files. The resulting data set contains
110 049 IP addresses and 28 007 distinct files.
Two important facts were enlighten by this measurement
: (1) long and distributed measurements are relevant
and allow to discover more peers and files; (2)
with the random content strategy, more peers contact
the honeypots than with the no content one.
3.2.2 Client sending queries
Here, we use an eDonkey client that exactly act as
a regular client would. It periodically queries eDonkey
servers using a list of predefined paedophile and nonpaedophile
keywords. The goal of this measurement is
therefore to enumerate the files that are globally available
in the eDonkey network, and to be able to detect
when files appear.
This measurement was conducted during 140 days
from October 2008 to February 2009. We observed 2
978 764 distinct IP addresses and 2 784 583 distinct
files.
While simple, this experiment shows that it is really
difficult to completely discover all of the files available
in eDonkey : long measurements discover new files with
2 the data set is available at http://content.lip6.fr/
latapy/edonkey/weeks/
Percentage of filenames
14
12
10
8
6
4
2
Client measurements
Server measurements
0
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Age in filenames
Figure 1: Distribution of ages seen in filenames.
The y-axis indicates the percentage of filenames (containing
ages) including the corresponding age on the
x-axis.
an important growth rate.
Example: Ages in filenames
A unique format was used to store the data from the
three different measurements. It is therefore straightforward
to analyse the resulting data sets using the same
techniques. Figure 1 presents the distribution of filenames
containing information about ages 3 for a given
age.
Whereas we consider two different data sets, a striking
result visually arises concerning ages : there is a
clear interest for 18 years old, and another one around
12 to 13 years old. We are currently investigating the
spike at 9 years old on the client measurement in order
to check whether this is a measurement artifact : the
server measurement contains much more filenames than
the client one, and was performed two years ago.
4. REFERENCES
[1] Y. Kulbak and D. Bickson, “The eMule Protocol
Specification,” 2005,
http://citeseer.ist.psu.edu/kulbak05emule.html.
[2] United States General Accounting Office, “File
sharing programs : Child Pornography Is Readily
Accessible over Peer-to-Peer Networks,” 2003.
[3] F. Aidouni, M. Latapy, and C. Magnien, “Ten
weeks in the life of an eDonkey server,” in Sixth
International Workshop on Hot Topics in
Peer-to-Peer Systems (Hot-P2P 2009), Rome,
Italy, May 2009.
[4] O. Allali, M. Latapy, and C. Magnien,
“Measurement of eDonkey Activity with
Distributed Honeypots,” in Sixth International
Workshop on Hot Topics in Peer-to-Peer Systems
(Hot-P2P 2009), Rome, Italy, May 2009.
3 such as 12 years old is encoded as 12yo or 12yr.
2
8