Overall Analysis And Characteristics Of Skype Computer Science Essay


Abstract - Skype software has become very popular in recent years, and one of the causes of its success is the high adaptivity of the software. Skype is a peer-to-peer (P2P) voice over IP (VoIP) application that has been popular since its launch in 2003. In this paper we study the threats to enterprise network security and availability caused by Skype. Because Skype can operate behind many firewalls and network proxies without user configuration, and because it uses encryption and overlay routing, detection and blocking of Skype is non-trivial. We also study the characteristics of the signaling traffic generated by Skype, and compare two goodness-of-fit tests, the chi-square test and the Kolmogorov-Smirnov test, for distinguishing Skype flows from Web traffic. The services offered by Skype are i) voice communication, ii) video communication, iii) file transfer, and iv) chat.


Peer-to-peer (P2P) voice over IP (VoIP) technology such as Skype has brought much convenience to our daily lives. Skype has the special ability to work behind a firewall: when Skype runs on a network behind a firewall it connects "outward" toward the Internet, and it does not modify or interfere with the firewall of any network it is used on [1]. Allowing incoming connections to Skype improves the quality of a Skype call. Skype works in many different network environments because it automatically detects the network characteristics, and it can use other computers to relay its traffic. This ability to traverse network address translation and bypass corporate firewalls also makes it a threat to enterprise network security and policy. Detecting and blocking Skype is a hard problem because Skype's payload is encrypted end to end, and the peer-to-peer nature of Skype makes blocking methods designed for general VoIP protocols fail. From an administrator's point of view almost everything is opaque: the destination cannot be determined, and Skype by default reuses the proxy credentials [2]. It is therefore very difficult to distinguish normal behavior from unauthorized behavior.

The traffic and signaling generated by Skype are substantial, so to understand the traffic it is important to measure it. Two kinds of measurement, active and passive, are used, and together they give a deep understanding of the traffic. Skype recently reached over 170 million users and accounts for more than 4.4% of total international traffic [3]. Skype uses a P2P architecture, whereas traditional VoIP systems use a client-server model. The most important characteristics of the generated traffic can be found by measuring the bit rate, the inter-packet gap and the packet size; this applies to both voice and video calls. Skype uses various voice codecs; these characteristics make it possible to tell the codecs apart, and they also reveal different traffic behavior depending on the transport layer protocol. This paper also investigates the detection of Skype flows among Web traffic [4]; we discuss two metrics that help to differentiate Skype flows from Web traffic, the two goodness-of-fit tests known as the Kolmogorov-Smirnov test and the chi-square test. These are two different approaches to identifying Skype traffic in TCP or UDP flows. Skype offers end users several services: i) voice communication, ii) video communication, iii) file transfer, and iv) chat. End-to-End (E2E) means a voice/video call between two Skype clients, whereas End-to-Out (E2O) means a call between a Skype user and a PSTN terminal. E2O calls are charged and the user has to subscribe to this feature; E2O is normally used only for long distance calls.

The paper is organized as follows. Section II explains the services offered by Skype. Section III describes the signaling traffic. Section IV presents the goodness-of-fit tests. Section V characterizes the Skype traffic. Section VI discusses the threats to network security. Section VII concludes.

Skype Services

Skype offers three basic services. Voice over IP allows Skype clients to have two-way communication as voice streams, video streams, or both. Instant messaging (IM) allows Skype users to send and receive text messages in real time. File transfer allows a Skype user to send a file to another user; the transfer takes place only after the recipient accepts it. Skype also offers paid services that allow Skype users to place and receive calls to regular telephone numbers through VoIP-PSTN gateways; this is mainly used for long distance calls. E2O is not free: Skype users are charged 1.7 Eurocents per minute for calls to North America, Western Europe, China and Australia, with higher rates for calls to mobile phones and to other countries, so Skype has to compete with other network providers. The Skype software runs on different platforms such as Windows, Mac OS X and Linux. The technology in Skype was originally developed for KaZaA [5]. Skype has become important software for students, faculty and staff who need to reach people outside their local calling zones, and at some institutions Skype complements podcast efforts by allowing students and faculty to easily make digital recordings of phone conversations. The peer-to-peer network has two layers, and the participants are organized according to these layers: i) Super nodes, which maintain the overlay network, and ii) Ordinary nodes, each of which attaches to one or a few super nodes. These networks have been the subject of research in recent years [6]-[7]. A super node is itself an ordinary client that has been promoted, so it can also function like an ordinary node. Ordinary nodes send their queries through the super node they are attached to.
Computer-based Voice over IP (VoIP) has existed for many years, but Skype is the first such service to reach the mainstream, attracting millions of users worldwide. Skype released its Windows version in July 2004 and gained a million users within six months (Fig. 1). By the end of the third quarter of 2006 Skype had around 136 million registered users, the number is increasing daily, and the number of users online at any one time now exceeds 8 million. These users generated 6.6 billion minutes of traffic in the third quarter of 2006, and the total is estimated to reach over 27 billion minutes of PC-to-PC calls by the year end. About half of Skype's traffic is international [36].

Fig. 1. Skype traffic in 2005 was equivalent to 2.9% of international carrier traffic, and to approximately 4.4% of total international traffic in 2006.


Three parameters determine the traffic Skype generates: i) Rate, the bit rate used by the source, for example the codec bit rate; ii) ∆T, the framing time of a message, i.e. the time between two consecutive Skype messages in the same flow; iii) RF, the Redundancy Factor: depending on the codec, Skype transmits a number of previous blocks together with the current block. RF is a key parameter, because Skype adapts to different network conditions by changing RF and the codec rate; sometimes it also reacts by changing the value of ∆T. To study the signaling traffic it is important to know the building blocks of a Skype message; a schematic diagram is shown in Fig. 2. The flow characteristics are described by three measurement indexes [8] that are typical of streaming services over packet networks: i) Bit rate (B), the number of bits generated per second; ii) Inter-Packet Gap (IPG), analogous to ∆T, the time between two consecutive packets of the same flow; iii) Payload length (L), the number of bytes transported in the TCP or UDP payload. Adding the transport layer and network layer overheads to L gives the corresponding IP packet size. In the building block of a Skype message the voice and video codecs feed their blocks at their respective rates, while data transfer and instant messages go to the data block. A framer then assembles the blocks, and its output changes when ∆T and RF change. Finally a multiplexer (mux) combines all the blocks into the message that is sent.

Fig.2. Schematic diagram of building block of Skype message.

Skype traffic identification matters mainly for finding the traffic created by Skype and characterizing it for network design. Network operators show great interest in this area, since performance monitoring, tariff policies and traffic engineering strategies depend on it. Yet identifying and studying Skype traffic is a challenging job, given that the software is proprietary and the traffic is hard to read: Skype uses undisclosed algorithms and complex solutions that are difficult to reverse engineer, because it relies heavily on cryptographic and obfuscation techniques [9]-[10]. Skype chooses a codec according to an undisclosed algorithm, and the behavior of Skype changes with the chosen codec. All codecs used by Skype are standardized except ISAC, which is a proprietary codec from Global IP Sound [27].

Skype traffic can be classified and studied with two techniques, one to reveal the traffic and one to categorize the results. ISAC is the preferred codec for E2E (End-to-End) calls, while G.729 is preferred for E2O calls from a Skype client to a PSTN terminal. The nominal characteristics of the different codecs, namely their frame size and bit rate, are listed in Table I.




Table I. Nominal codec characteristics: Frame size [ms] and Bit rate [kbps]. Only fragments of the table survived extraction: the bit rate entries 13.3, 15.2 and 80 (mean) kbps, and the video codec True Motion VP7.



Both approaches work irrespective of the transport layer protocol, TCP or UDP. Both are scalable and can be performed online, and both are more general than Skype traffic identification alone. The two goodness-of-fit tests are the Kolmogorov-Smirnov test and the chi-square test. The chi-square test detects Skype's fingerprint clearly, but it is much less certain about VoIP-related traffic characteristics; on the other hand it is important to find all VoIP traffic generated by Skype, using less complex algorithms. Finally, [10] focuses on identifying relayed traffic and presents Skype as the application. The approach is to find the relay node by correlating the timing of incoming and outgoing packets and the bandwidth usage. This technique is one of the few successful experiments and has proved reliable in identifying all Skype VoIP traffic.


The goodness-of-fit test has the following properties: it compares the observed frequency of each category with the expected frequency, so there is one data value per category; the degrees of freedom equal the number of categories minus one (they do not depend on the sample size); it is always a right-tailed test with a chi-square distribution; and the test statistic does not change if the categories are reordered.

The goodness-of-fit test is appropriate when the distribution of the population is unknown, and it can also be used to check whether an assumed distribution model is satisfactory. We use the chi-square test and the Kolmogorov-Smirnov test to distinguish Skype flows from Web traffic. These two tests are used frequently; they have also been applied to intrusion detection [11], [31] and to detecting the presence of random payloads [12]. In this work, however, we do not use the chi-square χ2 value or the Kolmogorov-Smirnov D value to accept or reject a null hypothesis about some known distribution. Instead, we directly compare the calculated χ2 and D values against given threshold values to decide whether a flow is Skype or not. This makes the program simpler and more flexible, because only the threshold values need to be changed to get a looser or stricter classification.

Chi-square test

The chi-square test is an alternative to the Anderson-Darling and Kolmogorov-Smirnov goodness-of-fit tests. The chi-square goodness-of-fit test can be applied to discrete distributions such as the binomial and the Poisson. It checks the null hypothesis that the observed frequencies follow a specified distribution [13]. Its main attraction is that it can be applied to any univariate distribution for which the cumulative distribution function can be calculated. The chi-square goodness-of-fit test is applied to binned data, and the value of the test statistic depends on how the data are binned. Its main disadvantage is that it requires a sufficient sample size for the chi-square approximation to be valid (Fig. 3). Suppose we have n observations from a population, classified into k mutually exclusive classes, and some theory says that an observation falls into class i with probability p_i (i = 1, ..., k).


The test statistic is

$\chi^2 = \sum_{i=1}^{k} \frac{(O_i - E_i)^2}{E_i}$

where O_i is the observed frequency for bin i and E_i is the expected frequency for bin i. The expected frequency is calculated by

$E_i = N \left( F(Y_u) - F(Y_l) \right)$

where F is the cumulative distribution function for the distribution being tested, Y_u is the upper limit for class i, Y_l is the lower limit for class i, and N is the sample size.

Fig.3. Chi-square distance measurement for intrusion detection.

Kolmogorov-Smirnov test:

The Kolmogorov-Smirnov test is used to decide whether a sample comes from a population with a specified distribution [14]. It is based on the maximum difference between two cumulative distribution functions, F_0(x) and S_N(x). F_0(x) is the specified cumulative distribution; in our case it is the empirical distribution function derived from the training data. S_N(x) is the cumulative step function of a sample of N observations, i.e. S_N(x) = c/N where c is the number of observations with value less than x. The Kolmogorov-Smirnov D value is given by

$D = \max_{x} \left| F_0(x) - S_N(x) \right|$


The Kolmogorov-Smirnov (K-S) test is based on the empirical cumulative distribution function (ECDF). Given N ordered data points Y_1, Y_2, ..., Y_N, the ECDF at a point is the fraction of the data points that are less than or equal to it. An attractive feature of the K-S test is that the distribution of its statistic does not depend on the cumulative distribution function being tested, and, unlike the chi-square goodness-of-fit test, it does not depend on an adequate sample size: it is an exact test. Despite these advantages, the Kolmogorov-Smirnov test has several important limitations: it only applies to continuous distributions; it is more sensitive near the center of the distribution than at the tails; and, most seriously, the distribution must be fully specified, because if the location, scale and shape parameters are estimated from the data the critical region of the test is no longer valid and typically must be determined by simulation (Fig. 4). The tests are usually carried out on two parameters, but in the detection phase any two of the three parameters can be used, and the detection can be based on both metrics (χ2 and K-S).

Fig.4. The K-S test is based on the maximum distance between these two curves.

All of these parameter choices were less accurate than χ2 detection using all parameters combined. In that case every point has three threshold values.
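As an added worked example, not code from the essay or from any of the cited works: the threshold rule described above, applied to the inter-packet gaps of a flow. The reference distribution F_0 is the ECDF of IPG samples from a constructed "training" Skype-like flow (the essay leaves open which class the training set characterizes; with a Web reference the decision is simply inverted), the bin edges and the two thresholds are assumed values chosen for the constructed data, and the two candidate flows are synthetic. The chi-square part also shows the practical caveat that an empty reference bin must be smoothed, otherwise one stray observation makes the statistic infinite.

```python
from bisect import bisect_left, bisect_right

# Bin edges in ms for the chi-square histogram. Assumed values placed around the
# Skype framing times (20/30/60 ms); the last bin collects long Web idle gaps.
IPG_EDGES_MS = [0.0, 10.0, 25.0, 35.0, 50.0, 70.0, 200.0, float("inf")]
CHI2_THRESHOLD = 20.0   # assumed thresholds; on real traces they are tuned on training flows
KS_THRESHOLD = 0.10


def histogram(samples, edges):
    """Count samples per bin; bin i covers [edges[i], edges[i+1])."""
    counts = [0] * (len(edges) - 1)
    for x in samples:
        i = bisect_right(edges, x) - 1
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts


def reference_probs(training_samples, edges, eps=1e-3):
    """p_i per bin from the training flows, with a small mass eps spread over all
    bins so that E_i = N*p_i is never zero: an empty reference bin would otherwise
    make chi-square infinite on a single stray observation."""
    counts = histogram(training_samples, edges)
    total, k = sum(counts), len(counts)
    return [(c / total + eps) / (1.0 + eps * k) for c in counts]


def chi_square(sample, probs, edges):
    """chi^2 = sum_i (O_i - E_i)^2 / E_i with E_i = N * p_i (N = sample size)."""
    observed = histogram(sample, edges)
    n = sum(observed)
    return sum((o - n * p) ** 2 / (n * p) for o, p in zip(observed, probs))


def make_ecdf(training_samples):
    """F_0: the empirical CDF of the training flows. Returns a function giving
    (F_0(x), F_0(x-)), the fractions of training samples <= x and < x."""
    ref = sorted(training_samples)
    n = len(ref)
    return lambda x: (bisect_right(ref, x) / n, bisect_left(ref, x) / n)


def ks_distance(sample, f0):
    """D = max_x |F_0(x) - S_N(x)|. S_N(x) here counts observations <= x (the text
    counts < x; using one convention for both curves gives the same D). Both curves
    are step functions, so the supremum is reached at a sample point or just before
    one; checking the value and the left limit at every sample point covers both
    cases and handles tied values correctly."""
    xs = sorted(sample)
    n = len(xs)
    d = 0.0
    for x in xs:
        f_at, f_before = f0(x)
        s_at, s_before = bisect_right(xs, x) / n, bisect_left(xs, x) / n
        d = max(d, abs(f_at - s_at), abs(f_before - s_before))
    return d


def synthetic_voice_ipgs(count, seed):
    """Constructed IPG samples: 30 ms framing with +/-1.5 ms deterministic jitter."""
    return [30.0 + ((i * seed) % 11 - 5) * 0.3 for i in range(count)]


TRAINING_SKYPE = synthetic_voice_ipgs(600, 7)       # constructed training flow
CANDIDATE_SKYPE = synthetic_voice_ipgs(200, 5)      # constructed unknown flow, Skype-like
CANDIDATE_WEB = [1.0] * 150 + [400.0] * 50          # constructed: packet bursts, then idle
REF_PROBS = reference_probs(TRAINING_SKYPE, IPG_EDGES_MS)
F0 = make_ecdf(TRAINING_SKYPE)


def classify_flow(ipg_samples):
    """Threshold rule from the text: the flow is called Skype when both statistics
    are below their thresholds, i.e. its IPG distribution is close to the reference."""
    chi2 = chi_square(ipg_samples, REF_PROBS, IPG_EDGES_MS)
    d = ks_distance(ipg_samples, F0)
    return {"chi2": chi2, "D": d, "skype": chi2 < CHI2_THRESHOLD and d < KS_THRESHOLD}


if __name__ == "__main__":
    for name, flow in (("skype-like", CANDIDATE_SKYPE), ("web-like", CANDIDATE_WEB)):
        print(name, classify_flow(flow))
```

On the constructed flows the Skype-like candidate gives χ2 of about 1.2 and D of 0.005, while the bursty Web-like candidate gives χ2 in the hundred-thousands and D = 0.75; with real traces the separation is smaller and the thresholds have to be chosen from the training data, which is exactly the flexibility the text is after.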


The first step of the detection process uses a training data set to characterize Web traffic behavior as compared with Skype. Full HTTP packet traces were captured with the tcpdump [15] program, which writes dump files. The tcpflow [16] program, which is GPL software, reads these dump files, separates and organizes the flows they contain, and lets us calculate the parameters of the Web workload. Two traffic measurements were conducted; a summary of the data sets is presented in Table II. The first measurement was carried out at one of the largest Internet providers in Hungary in April 2006. In the chosen network segment, the traffic of about 1000 ADSL subscribers is multiplexed before entering the ATM access network.




Table II. Summary of the data sets

Data set               Time of measurement (From - To)          Number of flows
(name not recovered)   25. 04. 2006 11h - 26. 04. 2006 11h      36 896 516
Call records 2         07. 11. 2006 10h - 08. 11. 2006 16h      1 663 752

(The cells survived extraction without their row layout; the pairing above follows the text, which places the ISP measurement of about 1000 subscribers in April 2006 and the university verification measurement of about one hundred users in November 2006.)



The logging was performed in a router; further details of the measurement configuration are presented in [17]. In the second measurement (verification) the traffic of a university department, about one hundred users, was logged; this is the traffic used to validate our Skype identification, and the experimental results shown in this paper come from it. In both cases only the IP and TCP/UDP headers were logged. Flow level information was extracted from the traces: source and destination addresses, ports, number of packets, transmitted bytes, and start and end time of the flow. Packet level information such as packet size and packet arrival time was also preserved and used for the identification. Both inbound and outbound traffic was logged, which is needed for accurate identification. Our method can also be applied if only one direction is available, but since the inbound and outbound flows cannot then be paired, the reliability decreases. The method is therefore recommended only on edge routers, where inbound and outbound traffic flows through the same router; with asymmetric routing this is not the case. The number of active users follows the general daily pattern of home users running a Skype client (SC) at home, and some users seem to keep their computer switched on during the night. The total number of active calls (Fig. 5) follows a similar daily fluctuation. Calls are generally more frequent in the daytime, though there is some surprising activity in the 1.00-6.00 AM interval, which suggests some "night birds" among the users, or overseas calls.

Fig. 5. Histogram of the bandwidth of Skype speech flows in the Call records 2 data set.


Calls seem to be shorter in the daytime and definitely longer in the 21h-01h period [34], which is reasonable, because users find more time to chat at night. However, in this experiment we could detect only about 130 calls during the 24 hour period, which is why we do not want to draw far-reaching conclusions.


To analyze the traffic generated by a voice flow, voice calls were generated between two PCs directly connected by a LAN carrying no other traffic, with no artificial delay or packet loss imposed; one experiment was performed for each available codec, first for flows transported over UDP, which is the preferred transport protocol. We then consider a voice flow transported over TCP [35], using the same test bed; the results of repeating the experiments are shown in Fig. 6.

Fig. 6. B, IPG and L traces versus time for a voice call with UDP or TCP at the transport layer, ISAC codec.

For video flows the same setup is used, enabling the video source after about 5 s. The voice codec is not set explicitly but left to Skype's choice (ISAC), UDP is the transport protocol, and neither artificial delay nor loss is imposed. Results are presented in Fig. 7. The variability of the bit rate increases significantly compared with voice flows, ranging from a few kbps up to 800 kbps. The IPG (middle plot) is less regular than in the voice-only case: a large number of IPG samples are about 30 ms while many others are very small [35], because Skype multiplexes voice and video blocks into the same flow.

Fig. 7. B, IPG and L traces versus time for a video call with UDP at the transport layer.


We now consider the geographical location of contacted peers, since the traffic changes with location. In the data set we consider, we observed 304 690 external peers, corresponding to 263 886 different IP addresses. Host IP addresses are normally used to perform geo-location. Fig. 8 reports results for the subset of about 10 k peers, out of the about 264 k queried, for which both longitude and latitude information was returned; in the picture it is easy to recognize the shape of the continents, especially Europe and North America. Further details on the geo-location of the whole Skype peer data set are given in Fig. 9, which reports a breakdown of probe and non-probe flows per continent and per European country. The breakdown is limited to the top ten groups, ranked by decreasing share. The data confirm that Skype usage peaks during normal working hours.

The graph plots the geographic distribution of the traffic per node; Europe's contribution peaks around 11am UTC (midday over most of Europe). North America contributes 15.25% of the super nodes, with a peak contribution around its noon [33]; similarly, Asia contributes 20.25% and peaks around its midday. Combined with the lower weekend usage from the previous graph, there is evidence to conclude that Skype usage, at least for the nodes that become super nodes, is correlated with normal working hours. First, the probing mechanism tends to favor nearby hosts: 60% of the probed IPs are located in Europe, four times as many as in North America (15%).

Fig. 8. Geographic distribution of super nodes as observed over the duration of our trace.

The probing mechanism thus tends to discover network hosts that are geographically close. Second, non-probe traffic behaves differently: the percentage of peers located in Europe decreases to 48% with respect to probe traffic, while the percentage of North American peers nearly doubles, to 29%. So, unlike the non-probe traffic, the peer discovery mechanism implemented by the probes is driven by the physical properties of the underlying network.

Fig. 9. Geographical breakdown of probe and non-probe signaling traffic, considering all continents (top) and the ten most active European countries (bottom).


Fig. 10 shows the packet rate of the detected Skype calls (their bandwidth was shown in Fig. 5). Skype calls usually have a bandwidth ranging from 18 to 70 kbps, mostly around 40 kbps. The histogram of the packet rate of Skype speech flows in Fig. 10 shows three peaks, corresponding to the three typical inter-arrival times (20, 30 and 60 ms, i.e. about 50, 33 and 16 packets/s). Packet rates smaller than the typical ones also occur, because in some cases the termination of a flow cannot be determined accurately, which inflates the flow duration and lowers the computed rate.

Fig. 10. Histogram of the packet rate of Skype speech flows in the Call records 2 data set.

The average packet size of Skype speech flows is plotted in Fig. 11. The typical packet size, including the IP and TCP/UDP headers, is between 100 B and 200 B, which is also confirmed by our test measurements [34]. The smaller packet sizes occur in one direction when separate inbound and outbound TCP flows are present. The average packet size of speech flows is shown in bytes here, whereas in Fig. 5 the bandwidth was shown in kbit/s. The frequency is very high around 200 bytes, which is where the packets carrying TCP headers fall.

Fig. 11. Histogram of the average packet size of Skype speech flows in the Call records 2 data set.



Before looking at the threats Skype poses to networks, it is important to know how Skype works and what its key components are [32].


Ports:

A Skype client (SC) opens a TCP and a UDP listening port; the port number can be set in the connection dialog box.

Host Cache (HC):

A list of super node IP address and port pairs that the SC builds and refreshes regularly. A SC stores the Host Cache in the Windows registry for future use.

Codecs:

A wideband codec covering frequencies between 50 Hz and 8 kHz; several codec variants are available, implemented by Global IP Sound.

Buddy List:

Skype stores buddy information (similar to the host cache) in the Windows registry. The buddy list is encrypted and kept on the local machine, not on a central server.

Encryption:

Skype uses 256-bit AES to encrypt the data, and 1536- to 2048-bit RSA to negotiate the symmetric AES keys.

NAT and Firewall:

A SC uses a variation of the STUN and TURN protocols to determine the type of NAT and firewall it is behind.

Super node (SN):

An online node that maintains the Skype overlay network. Any Skype client with a public IP address can be promoted to an SN without the awareness of the SC host's user.

Fig.12. Skype Network.

NAT and firewall determination involves no activity at the application layer; Skype performs NAT and firewall detection only at the transport layer, where it is observed as two or more UDP packets sent from the client's UDP port to the super nodes it handshakes with [18]. NAT traversal is one of the main functions of Skype: it determines what kind of NAT the Skype client is currently behind, and this affects the procedures taken at later stages. Any node that has a public IP address and sufficient CPU, memory and network bandwidth automatically qualifies as a candidate to become a super node. An ordinary host must connect to a super node, and it must also register itself with the Skype login server (Fig. 12).

STUN is a simple client-server protocol: a client sends a request to a server, and the server returns a response. There are two types of requests: Binding Requests, sent over UDP, and Shared Secret Requests, sent over TLS [18] over TCP. A Shared Secret Request asks the server to return a temporary username and password, which are then used in the Binding Request and Binding Response for the purpose of authentication. Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN) is a lightweight protocol that allows applications to discover the presence and types of NATs and firewalls between them and the public Internet. It also allows applications to determine the public Internet Protocol (IP) addresses allocated to them by the NAT (Fig. 13). STUN works with many existing NATs and does not require any special behavior from them; as a result it allows a wide variety of applications to work through existing NAT infrastructure [19].
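As an added example, not code from the essay and not Skype's own (undisclosed) STUN variant: the Binding Request / Binding Response exchange described above, using the message layout of the later STUN revision in RFC 5389 (20-byte header with a magic cookie and a 12-byte transaction id, XOR-MAPPED-ADDRESS attribute). Both sides are shown; the server side is a function that constructs the response a real server would send after seeing the request's source address, so the exchange runs offline. The private and public addresses are documentation addresses chosen for the example, and the coarse NAT typing at the end follows the RFC 3489 idea of comparing mappings obtained through two different server addresses.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442                      # fixed header value in RFC 5389
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020
FAMILY_IPV4 = 0x01


def build_binding_request(txid=None):
    """Client side: 20-byte header, no attributes. Returns (message, transaction id)."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid), txid


def build_binding_response(txid, mapped_ip, mapped_port):
    """Simulated server side: echo the transaction id and report the source address
    the request arrived from, XORed with the magic cookie (XOR-MAPPED-ADDRESS)."""
    xport = mapped_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(mapped_ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_RESPONSE, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(msg, expected_txid):
    """Client side: validate the header and transaction id, walk the attributes and
    return the (ip, port) the server saw. Raises ValueError on anything unexpected,
    so a spoofed or replayed response for another transaction is not accepted."""
    if len(msg) < 20:
        raise ValueError("truncated STUN header")
    mtype, length, cookie, txid = struct.unpack("!HHI12s", msg[:20])
    if cookie != MAGIC_COOKIE or mtype != BINDING_RESPONSE or txid != expected_txid:
        raise ValueError("not a Binding Response for our transaction")
    body = msg[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if (atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS)
                and len(value) == 8 and value[1] == FAMILY_IPV4):
            port, addr = struct.unpack("!HI", value[2:8])
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address in response")


def classify_nat(local, mapping_from_server_a, mapping_from_server_b):
    """Coarse NAT typing from two Binding Responses obtained through two different
    server addresses: no translation, a NAT whose mapping does not depend on the
    destination (cone type), or a symmetric NAT, which allocates a fresh mapping per
    destination and so defeats STUN (this is the case where TURN relaying is needed)."""
    if mapping_from_server_a == local and mapping_from_server_b == local:
        return "no NAT"
    if mapping_from_server_a == mapping_from_server_b:
        return "cone NAT"
    return "symmetric NAT"


def demo():
    """One simulated exchange: a client behind a home NAT, the server sees the public side."""
    local = ("192.168.1.10", 40123)            # constructed private address
    request, txid = build_binding_request()
    # In reality the request travels to the server over UDP; here the reply is built directly.
    reply = build_binding_response(txid, "203.0.113.7", 40123)
    mapped = parse_binding_response(reply, txid)
    return mapped, classify_nat(local, mapped, mapped)


if __name__ == "__main__":
    print(demo())
```

The transaction id check in the parser is the part worth keeping in mind from a security standpoint: a Binding Response is unauthenticated UDP, so without matching the id an on-path host could feed the client a false mapped address.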


Traversal Using Relay NAT (TURN) is a protocol that allows an element behind a NAT or firewall to receive incoming data over TCP or UDP connections. It is most useful for elements behind symmetric NATs or firewalls that wish to be on the receiving end of a connection to a single peer (Fig. 14). TURN does not allow users to run servers on well-known ports when they are behind a NAT; it supports only the connection of a user behind a NAT to a single peer. Its purpose is to provide the same security properties that symmetric NATs and firewalls provide, but to turn them into port-restricted NATs. TURN is applicable when a client needs to place a transport address into a protocol message with the expectation that it will be able to receive packets from a single host that sends to this address. Examples of such protocols include SIP, which uses the Session Description Protocol (SDP) [20] to carry the IP address and port on which the client can receive media packets from its peer, and the Real Time Streaming Protocol (RTSP) [22]. TURN is a client-server protocol with syntax and general operation similar to STUN, to facilitate a joint implementation of both. TURN defines a request message, called an Allocate, which asks the TURN server to assign a public IP address and port. TURN runs over both UDP and TCP, and a client can request address/port pairs for receiving both UDP and TCP. We find that the SC uses a variation of the STUN [21] and TURN [23] protocols to determine the type of NAT and firewall it is behind, and we conjecture that the SC refreshes this information periodically. This information is also stored in the shared.xml file. Unlike its file sharing counterpart, a Skype client cannot prevent itself from becoming a super node.

TURN relaying increases latency and packet loss, whereas STUN does not work through symmetric Network Address Translators (NATs).


At first startup, after installation, the HC was observed to be empty. After logging in for the first time, the HC was initialized with seven IP:port pairs of bootstrap super nodes. The bootstrap IP addresses and ports are kept encrypted and are not directly visible in the Windows registry. The Skype login algorithm has a fixed form: the client first sends UDP packets to an HC IP address and waits about 5 seconds for a response. If no response arrives it attempts a TCP connection to the same HC IP address and port. If that also fails, it tries a TCP connection to a different HC IP address, and so on, repeating until it succeeds. If every address in the HC has been tried without success, the client waits five seconds and starts the loop again; the flow chart is shown in Fig. 15.
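As an added example, not code from the essay and not Skype's implementation: a simulation of the login loop just described, driven by a constructed stand-in for the network so that no packets are sent and no real time passes. The host cache entries and the reachability rules are made up; the five-second waits follow the text. Running the model under a policy that blocks outbound UDP but not TCP shows both the sequence an observer on the network would see and why a UDP-only block does not stop the login.

```python
from dataclasses import dataclass, field

UDP_WAIT_S = 5.0       # text: about 5 s waiting for a UDP reply
RETRY_WAIT_S = 5.0     # text: five-second pause before the cache is walked again


@dataclass
class FakeNetwork:
    """Constructed stand-in for the real network: which transports reach which
    host cache entries. Time is simulated, and every attempt is logged as a
    network observer would see it (transport, destination ip, destination port)."""
    udp_reachable: set = field(default_factory=set)
    tcp_reachable: set = field(default_factory=set)
    clock: float = 0.0
    log: list = field(default_factory=list)

    def udp_probe(self, ip, port):
        self.log.append(("udp", ip, port))
        if (ip, port) in self.udp_reachable:
            return True
        self.clock += UDP_WAIT_S          # no reply: the client times out
        return False

    def tcp_connect(self, ip, port):
        self.log.append(("tcp", ip, port))
        return (ip, port) in self.tcp_reachable


def skype_login(host_cache, net, max_rounds=3):
    """Model of the Fig. 15 procedure: UDP to an HC entry, 5 s wait, TCP fallback to
    the same entry, next entry on failure; after a full unsuccessful pass, pause and
    repeat. max_rounds is an assumption that bounds the simulation, since the text
    describes the loop as open-ended. Returns the (transport, ip, port) that
    succeeded, or None."""
    for _ in range(max_rounds):
        for ip, port in host_cache:
            if net.udp_probe(ip, port):
                return ("udp", ip, port)
            if net.tcp_connect(ip, port):
                return ("tcp", ip, port)
        net.clock += RETRY_WAIT_S
    return None


# Constructed bootstrap entries (documentation addresses), standing in for the seven
# encrypted IP:port pairs the text says the host cache is initialised with.
HOST_CACHE = [("198.51.100.1", 33033), ("198.51.100.2", 33033), ("198.51.100.3", 33033)]


def run_scenarios():
    """Three firewall policies against the same host cache."""
    udp_blocked = FakeNetwork(tcp_reachable={HOST_CACHE[1]})
    ever = FakeNetwork(udp_reachable={HOST_CACHE[0]})
    nothing = FakeNetwork()
    return {
        "udp blocked, tcp open": (skype_login(HOST_CACHE, udp_blocked), udp_blocked.clock),
        "udp open": (skype_login(HOST_CACHE, ever), ever.clock),
        "all blocked": (skype_login(HOST_CACHE, nothing), nothing.clock),
    }


if __name__ == "__main__":
    for policy, (result, seconds) in run_scenarios().items():
        print(f"{policy:22s} -> {result} after {seconds:.0f} simulated seconds")
```

Under the UDP-blocked policy the observer's log is the alternating pattern UDP, TCP, UDP, TCP towards successive cache entries, with a five-second gap after each UDP attempt. That pairing of a silent UDP probe with a TCP connection to the same address shortly afterwards is the kind of packet sequencing, rather than packet content, on which the IDS signature mentioned in Section VI relies.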

To find at least one available peer and establish a TCP connection, the HC is periodically updated with new peers' IP:port pairs. When a client is behind a NAT, the transport addresses obtained from the local operating system are not publicly routable and therefore not useful in these protocols. TURN allows a client to obtain a transport address from a server on the public Internet that can be used in protocols meeting the above criteria. As a result, when a TURN server is placed in front of a symmetric NAT, the combined system has the same security properties as a system with just an address-restricted NAT. Since clients behind such devices cannot run public servers, they cannot run them behind TURN servers either.



We have seen the components of the Skype network and how it works. Now let us look at the threat to enterprise network security brought by Skype. The growing popularity of Skype Technologies SA's free Internet telephony software poses the same kind of security challenges for companies that other peer-to-peer (P2P) technologies have created in recent years [37].

The warning comes after the disclosure of two critical flaws in Skype's software, one of which could allow malicious hackers to take complete control of compromised systems. 

One of the flaws is a buffer overflow error in Skype's user client for Windows that could allow attackers to execute arbitrary code on compromised systems, according to a statement from the company. The other vulnerability is a heap overflow flaw in a networking routine affecting the Skype client on all platforms; that flaw could crash the client software. Intrusions into information systems present important threats to the reliability and QoS of systems, causing faults and failures and interrupting services to users [24]-[25]. Intrusions can take many forms, such as denying service by flooding system resources (e.g., communication channels, servers, memory and CPU), rapidly propagating a virus or worm, or gaining root privileges to perform malicious actions. To protect information systems from intrusions, and thus assure their reliability and QoS, it is highly desirable to develop techniques that detect intrusions in real time, while the intrusive activities are occurring.

Peer-to-peer (P2P) voice over IP (VoIP) technology such as Skype [1] has brought much convenience to our daily lives. However, the heavy bandwidth burden incurred by Skype's super node (SN) mechanism threatens network availability. The ability of Skype to traverse network address translation (NAT) mechanisms and bypass corporate firewalls also makes it a threat to enterprise network security and policy. Furthermore, unregulated Skype usage by employees for leisure and private purposes can lead to economic loss. Therefore enterprises are seeking solutions to regulate Skype activities over their networks. This motivates our research on analyzing and blocking the encrypted P2P VoIP traffic of Skype. There has not been a tremendous amount of forensic analysis of Skype. The use of encryption, as previously noted, makes it very difficult to determine the details of the protocol. The administrator guide provided by the makers of Skype [26] gives a general functional explanation of the Skype network; however, it does not provide any details of fixed static network components or of the protocols involved in call establishment. The administrator's guide goes further to detail how to set up and install Skype in a variety of local network configurations. From a network perspective, the details of interest are the call signaling, establishment and tear-down of connections in Skype, as well as the sign-in process. The authors in [10] extend the work in 2006 by analyzing Skype version 2.0 and conclude with an IDS signature to detect the presence of Skype traffic on a network; this analysis relies on the sequencing of packets rather than on the content of any specific packet. From the analysis results, we contribute by being the first to do the following: (1) Identify the Skype communication framework with details down to the Transport Layer. (2) Formulate detection policies for active Skype UDP sockets which enable blocking and even prioritizing of Skype traffic.
(3) Formulate a hybrid solution consisting of payload-oriented and non-payload-oriented detection methods that makes blocking and prioritizing feasible.

The Skype communication framework is obtained by performing forensic analysis on the network traffic generated by the encrypted Skype peer-to-peer VoIP activities. Forensics is the use of technological techniques to conduct an investigation or to find evidence in a criminal case. Network forensics is normally defined as the capture, recording and analysis of network events in order to discover the source of a network security problem. Forensic analysis seeks answers for how an intrusion occurred and what the intruders did (see [27]-[28]-[30] for suggested approaches). Treating Skype as a backdoor, results are presented for the forensic analysis of the Skype traffic, the Skype activities, and what Skype did during these activities. The path of Skype starts with registration and then authentication; when authentication fails, it does not connect to the ASN (Fig.16).

Fig.16. Path of Skype

Then it checks for the location; it finds the NAT and firewall, and the handshaking with the SN allows it to pass through the firewall. SC peers locate the caller and update the status; when the user is not registered, it fails to connect to the LSN. After adding the caller to the contact list it makes the call and the conversation starts. When there is no conversation and the user is idle, the system times out after the set time and goes offline. If the conversation proceeds normally, the caller hangs up when it is over, after which Skype is logged out and closed.

In the experiment conducted by the Chinese University of Hong Kong, all packets generated during the experiment were recorded at each of the client sides. This gives more than 100 sets of samples (each containing more than 1,500 packets) for further investigation. For each packet, the timestamp, the source and destination IP addresses and port numbers, the protocol, the packet size and the payload were examined. The packets were compared against the application-level activities by their timestamps.
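The packet-to-activity comparison described in this paragraph can be carried out with a short script. The following is an added example written for this essay, not code from the Chinese University of Hong Kong experiment; the capture lines, the activity windows, the addresses (from the documentation IP ranges) and the sizes are all constructed:

```python
"""Correlating a packet capture with an application-level activity log by
timestamp, as the experiment above describes. Added illustration for this
essay, not code from the cited experiment; all records below are constructed
(documentation IP ranges, invented ports and sizes)."""

from collections import Counter

# Constructed capture: ts,src,dst,proto,size (as a pcap-to-text export might look).
PACKET_LOG = """\
1.20,10.0.0.5:31337,198.51.100.7:33033,UDP,18
1.32,198.51.100.7:33033,10.0.0.5:31337,UDP,26
2.05,10.0.0.5:31337,203.0.113.9:443,TCP,64
12.00,10.0.0.5:31337,198.51.100.7:33033,UDP,30
21.00,10.0.0.5:31337,192.0.2.44:12345,UDP,96
21.02,10.0.0.5:31337,192.0.2.44:12345,UDP,98
21.04,192.0.2.44:12345,10.0.0.5:31337,UDP,94
21.06,10.0.0.5:31337,192.0.2.44:12345,UDP,101
45.00,10.0.0.5:31337,198.51.100.7:33033,UDP,30
"""

# Constructed activity log recorded at the client: (label, start, end) in seconds.
ACTIVITIES = [
    ("login", 0.0, 10.0),
    ("idle", 10.0, 20.0),
    ("voice_call", 20.0, 40.0),
]

LOCAL_IP = "10.0.0.5"  # the monitored client


def parse_packets(text):
    """Turn the text export into dicts with typed fields."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, size = line.split(",")
        packets.append({"ts": float(ts), "src": src, "dst": dst,
                        "proto": proto, "size": int(size)})
    return packets


def activity_for(ts, activities):
    """Label of the activity whose window [start, end) contains ts, else None."""
    for label, start, end in activities:
        if start <= ts < end:
            return label
    return None


def summarize(packet_text, activities, local_ip):
    """Per-activity packet count, bytes, protocol mix and remote endpoints.

    Returns (summary, unmatched); unmatched counts packets that fall in no
    activity window, which are the first place to look for traffic the user
    did not knowingly cause.
    """
    summary = {}
    unmatched = 0
    for pkt in parse_packets(packet_text):
        label = activity_for(pkt["ts"], activities)
        if label is None:
            unmatched += 1
            continue
        entry = summary.setdefault(label, {"packets": 0, "bytes": 0,
                                           "protocols": Counter(), "peers": set()})
        entry["packets"] += 1
        entry["bytes"] += pkt["size"]
        entry["protocols"][pkt["proto"]] += 1
        # The remote endpoint is whichever side is not the monitored client.
        remote = pkt["dst"] if pkt["src"].startswith(local_ip + ":") else pkt["src"]
        entry["peers"].add(remote)
    return summary, unmatched


if __name__ == "__main__":
    summary, unmatched = summarize(PACKET_LOG, ACTIVITIES, LOCAL_IP)
    for label, _start, _end in ACTIVITIES:
        e = summary[label]
        print(f"{label:10s} packets={e['packets']:2d} bytes={e['bytes']:4d} "
              f"protocols={dict(e['protocols'])} peers={sorted(e['peers'])}")
    print("packets outside every activity window:", unmatched)
```

The per-activity peer sets are what make the later transport-layer view possible: the login window shows the bootstrap contacts, while the call window shows the single remote endpoint carrying the voice stream.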


This paper focused on the various services provided by Skype: voice/video calls allow two Skype clients to establish two-way voice/video streams with each other, IM allows two or more Skype users to exchange short text messages in real time, and file transfer allows a Skype user to send a file to another Skype user if the recipient agrees. Skype also offers paid voice calls from a Skype client to a PSTN terminal. The paper also showed the signaling traffic created by Skype in different geo-locations, the measurement and characterization of that traffic, and the data sets used for Skype traffic identification. A goodness-of-fit test is used to find how well a statistical model fits a set of observations; such tests are used to test whether two samples are drawn from the same distribution or whether the outcome frequencies follow a specified distribution. The results of the two tests, the Kolmogorov-Smirnov test and the Chi-square test, and a comparison of their results were shown. This paper also focused on the path taken by the Skype network and the threats Skype creates for enterprise network security, the experiments conducted by various institutions, and the network forensic analysis of the encrypted peer-to-peer VoIP traffic of Skype activities. These results enable us to show the communication framework of Skype down to the transport layer.
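To make the two tests concrete, here is an added example (written for this essay, not code from the works it summarizes) that computes the two-sample Kolmogorov-Smirnov statistic and a chi-square homogeneity statistic over per-flow packet sizes in plain Python. The two size samples are constructed to resemble a voice flow and a Web flow and are not measurements:

```python
"""Two goodness-of-fit tests used above to tell Skype flows from Web traffic
(two-sample Kolmogorov-Smirnov and chi-square), implemented in plain Python.
Added illustration for this essay, not the cited papers' code; the packet-size
samples are constructed, not measured."""

import math

# Constructed per-flow packet sizes (bytes). Voice traffic is a stream of small
# packets; a Web flow mixes tiny ACKs with near-MTU data segments.
SKYPE_SIZES = [61, 63, 66, 70, 72, 75, 78, 80, 83, 86,
               90, 94, 98, 102, 110, 118, 125, 131, 140, 149]
WEB_SIZES = [52, 52, 54, 60, 64, 78, 120, 300, 512, 700,
             900, 1100, 1200, 1300, 1380, 1400, 1420, 1440, 1460, 1460]


def ks_statistic(a, b):
    """Two-sample KS statistic D = max |F_a(x) - F_b(x)| over the pooled sample,
    where F is the empirical distribution function of each sample."""
    a, b = sorted(a), sorted(b)
    n, m = len(a), len(b)
    i = j = 0
    d = 0.0
    for x in sorted(set(a) | set(b)):
        while i < n and a[i] <= x:
            i += 1
        while j < m and b[j] <= x:
            j += 1
        d = max(d, abs(i / n - j / m))
    return d


def ks_critical(n, m, c_alpha=1.36):
    """Asymptotic critical value for D; c_alpha=1.36 corresponds to alpha=0.05."""
    return c_alpha * math.sqrt((n + m) / (n * m))


def chi_square_homogeneity(a, b, edges):
    """Chi-square statistic for 'both samples come from one distribution' after
    binning sizes into [edges[k], edges[k+1]) intervals. Returns (statistic,
    degrees of freedom = bins - 1); expected counts below 5 weaken the
    approximation, so choose edges accordingly."""
    def counts(sample):
        row = [0] * (len(edges) - 1)
        for x in sample:
            for k in range(len(row)):
                if edges[k] <= x < edges[k + 1]:
                    row[k] += 1
                    break
        return row
    rows = [counts(a), counts(b)]
    total = sum(map(sum, rows))
    col_totals = [sum(r[k] for r in rows) for k in range(len(rows[0]))]
    stat = 0.0
    for r in rows:
        for k, observed in enumerate(r):
            expected = sum(r) * col_totals[k] / total
            if expected:
                stat += (observed - expected) ** 2 / expected
    return stat, len(col_totals) - 1


if __name__ == "__main__":
    d = ks_statistic(SKYPE_SIZES, WEB_SIZES)
    crit = ks_critical(len(SKYPE_SIZES), len(WEB_SIZES))
    print(f"KS D = {d:.3f}, critical (alpha=0.05) = {crit:.3f}, "
          f"{'different distributions' if d > crit else 'not distinguishable'}")
    stat, dof = chi_square_homogeneity(SKYPE_SIZES, WEB_SIZES, [0, 128, 1600])
    # The chi-square critical value for 1 degree of freedom at alpha=0.05 is 3.841.
    print(f"chi-square = {stat:.3f} with {dof} degree(s) of freedom")
```

With these samples D = 0.65 against a 5% critical value of about 0.43, and the chi-square statistic with the two bins [0,128) and [128,1600) is about 10.42 with one degree of freedom (critical value 3.841), so both tests reject the hypothesis that the two flows share one packet-size distribution. On real captures the bin edges and sample sizes have to be chosen so that the expected bin counts stay above 5, and a single flow can be compared against a reference Web sample in the same way.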