Chun-Ming Leung, Yuen-Yan Chan;

“Network Forensic on Encrypted Peer-to-Peer VoIP Traffics and The Detection, Blocking, and Prioritization of Skype Traffics”; In Proceedings of The 16th IEEE International Workshops on Enabling Technologies: Infrastructures for Collaborative Enterprises, Jun 2007; Accepted, 8th May 2007

Abstract

Skype is a popular peer-to-peer (P2P) voice over IP (VoIP) application evolving quickly since its launch in 2003. However, the ability to traverse network address translation (NAT) and bypass firewalls, as well as the induced bandwidth burden due to the super node (SN) mechanism, make Skype considerably a threat to enterprise networks security and availability. Because Skype uses both encryption and overlays, detection and blocking of Skype is nontrivial.
Motivated by the work of Biondi and Desclaux [3], we adopt the view of Skype as a backdoor and we take a forensic approach to analyze it. We share our experience in this paper.

With the forensic evidence, we identify a transport layer communication framework for Skype. We further formulate a set of socket-based detection and control policies for Skype traffics. Our detection method is a hybrid between payload and non-payload inspections, with improved accuracy and version sustainability over the traditional payload-only approaches.

Our solution is practicable both inside and outside the NAT firewalls. This breakthrough makes the detection, blocking, and prioritization of Skype traffics possible in both the enterprise internal networks and the Internet Services Providers carrier networks.

Keywords

Enterprise Network Security, Network Forensics, Traffic Analysis, Skype, Blocking, Traffic Prioritization, NAT Traversal, Reverse Engineering