Proceedings [PDF] - Measurement and Analysis of P2P Activity ...

International Conference Advances in the Analysis of Online Paedophile Activity Paris, France; 2-3 June, 2009
Tracing paedophile eDonkey users
through keyword-based queries
Raphaël Fournier, Guillaume Valadon, Clémence Magnien, Matthieu Latapy
LIP6 – CNRS and University Pierre & Marie Curie
104, avenue du Président Kennedy, 75016 Paris, France
1. MOTIVATION
Recent studies showed that Internet bandwith is now
massively dedicated to peer-to-peer (P2P) exchanges.
Thus, it is important to precisely examine this new way
of transmitting data and the kind of content that is
exchanged. In particular, authorities are willing to obtain
reliable information on paedophile activity on these
networks, in order to fight against cybercriminality 1 .
One of the most prominent P2P networks is eDonkey,
a semi-centralized system. Users connect to servers and
submit content queries, servers return lists of files, then
users exchange files directly. A study [1] was designed
to record, all the exchanges between an eDonkey server
and the connected peers. The exchanges collected include:
• keyword-based search queries submitted to the server
and the server’s answer consisting in lists of
files;
• specific file requests and server’s answers (lists of
users sharing the file).
The experiment lasted ten weeks without interruption.
There were 127 million queries submitted to the server,
by 28 million IPs. As a first and rather rough definition,
we consider that a user uses only one IP and that an
IP is not shared by several users. The measures on
paedophile activity were based on a set of 21 keywords.
Their “paedophile” nature was previously assessed by
co-occurence studies [2]. We consider that a query is
paedophile if it contains at least one of these words – we
call it model “PQ”. An IP is considered as paedophile
as soon as it submits such a paedophile query.
2. GOALS
This study aims at establishing some accurate facts
about paedophile users on the eDonkey server. Above
all, counting paedophile users is our priority. Thus, the
study will first require to clearly define what a paedophile
user is and what makes a query a paedophile
one.
1 This work is supported by the European MAPAP (SIP-
2006-PP-221003) and the French ANR/MAPE projects.
3. RESULTS
Number of queries by IP (Fig. 1)
Number of IPs
100000
10000
1000
100
10
1
1 10 100 1000
Number of paedophile queries
Figure 1: Distribution of the number of paedophile
queries by paedophile IP, i.e. for each
encountered number of paedophile queries, the number
of IPs which submitted this number of queries.
The distribution is highly heterogeneous: more than
66% of the total paedophile IPs submit only one query
– and 94% less than 5 –, while some IPs submit up
to 456 queries within ten weeks. This figure raises the
question of the characterization of a paedophile IP: is
a single query within 10 weeks enough to consider the
IP as paedophile 456 queries in the overall experimentation
means more than 6 paedophile queries a day,
is it the behavior of a very active human user or of a
robot Our underlying assumptions on the way eDonkey
clients work are also called into question here: are
queries sometimes automatically re-submitted to the
search engine
This distribution is crucial to have a good model to
count paedophile users with a low false-positive rate.
1
97