Lynanda To Block Skype
Lynanda CS announced a new methodology to detect and block Skype’s traffic. As the increasing use of Skype in corporate environments is raising concerns among security administrators, such technology could see notable commercial application.
Use of the Skype application is constantly increasing in
corporate environments and is having a dramatic impact on carriers’ revenue
streams. But perhaps more importantly, the very nature of Skype traffic is
raising security concerns as Skype’s protocol is proprietary and acts as a complete
black box. Security administrators are currently unable to monitor and secure
it efficiently.
Skype uses a peer-to-peer technology and several obfuscation
techniques, making it challenging for network operators to identify associated
traffic. Skype encrypts data transmitted over the Internet between peers and is
particularly adept at circumventing security restrictions. Entering
via uncommon channels like the HTTPS (Web) port, Skype is usually very successful
at passing corporate firewalls. Furthermore, Skype designers are making the
software even more furtive at every new version.
The network research group at Lynanda has come up with a
solution to identify Skype’s traffic on-the-fly. As expected the solution is
not based on common firewall practices, but on statistical data-mining
techniques. In fact the method used to filter Skype is a two-step process.
First, the firewall is exposed to its target environment to
“learn” the particularities of Skype’s traffic. Then, it uses the information
collected together with pattern-matching techniques to actually identify Skype-related
traffic. Various technologies like neural networks, distributed statistical
calculus, and pattern recognition through machine learning are involved in the methodology
developed by Lynanda. These techniques are very similar to the ones currently
used in financial statistics to discover regularities and typical patterns in
apparently chaotic data like stock quotes.
The originality of the method is that it not only looks at
the content of the network packets exchanged, it also pays attention to the
timing at which they are sent and received. Given all this data, it is quite
easy to get a footprint of the Skype application and drop its related traffic.
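The two steps described above (learn a footprint, then match new traffic on both content and timing) can be sketched as follows. This is an added example, not Lynanda's code: it swaps the neural-network and data-mining machinery for a simple per-feature statistical footprint, and the feature set, the 3-spread threshold, the 25% spread floor and the constructed "call-like" traffic profile are all assumptions made for illustration.

```python
import math
import random
import statistics
from collections import Counter

def entropy(payload):
    """Shannon entropy in bits per byte: a content feature."""
    n = len(payload)
    return -sum(c / n * math.log2(c / n) for c in Counter(payload).values())

def features(flow):
    """flow is a list of (arrival_time_seconds, payload_bytes) in arrival order."""
    gaps = [b[0] - a[0] for a, b in zip(flow, flow[1:])]
    return (
        statistics.mean(len(p) for _, p in flow),      # content: packet size
        statistics.mean(entropy(p) for _, p in flow),  # content: randomness
        statistics.mean(gaps),                         # timing: average gap
        statistics.pstdev(gaps),                       # timing: jitter
    )

def learn(known_flows, floor=0.25):
    """Step 1: per-feature (mean, spread) footprint; spread floored at 25% of the mean."""
    footprint = []
    for column in zip(*(features(f) for f in known_flows)):
        mu = statistics.mean(column)
        footprint.append((mu, max(statistics.pstdev(column), floor * abs(mu), 1e-9)))
    return footprint

def matches(footprint, flow, max_z=3.0):
    """Step 2: flag a flow only when every feature lies within max_z spreads."""
    return all(abs(x - mu) / s <= max_z for x, (mu, s) in zip(features(flow), footprint))

def make_flow(rng, size, gap, jitter, encrypted, n=50):
    """Constructed sample traffic, not a capture."""
    text = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 40
    t, flow = 0.0, []
    for _ in range(n):
        t += max(0.001, rng.gauss(gap, jitter))
        length = max(16, int(rng.gauss(size, size * 0.1)))
        body = bytes(rng.getrandbits(8) for _ in range(length)) if encrypted else text[:length]
        flow.append((t, body))
    return flow

rng = random.Random(7)
# Assumed call-like profile: small high-entropy packets roughly every 20 ms.
FOOTPRINT = learn([make_flow(rng, 120, 0.020, 0.002, True) for _ in range(8)])
NEW_CALL = make_flow(rng, 120, 0.020, 0.002, True)
WEB_PAGE = make_flow(rng, 900, 0.300, 0.200, False)
BULK_ENCRYPTED = make_flow(rng, 120, 0.300, 0.200, True)  # same content, different timing
print(matches(FOOTPRINT, NEW_CALL), matches(FOOTPRINT, WEB_PAGE), matches(FOOTPRINT, BULK_ENCRYPTED))
```

The third flow has the same packet sizes and payload randomness as the learned profile and is rejected on its timing features alone, which is the distinction the paragraph above draws between content-only inspection and content plus timing.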
In experiments, the filter was able to detect and block a
Skype call less than 30s after it started, making it a reasonably efficient
Skype blocker. A regulator can drop the call by shutting down the pipe. The
number of false positives was very low, though it is expected to rise in more
complex environments like large corporate networks, especially under heavy
network load. The solution appears to be fully scalable and doesn’t require
much human intervention or monitoring.
Although this filtering technology requires financial and technical commitment, according to Ivan Chollet, Solution Architect at Lynanda, it could be incorporated into large organizations' networks very soon:
“The only drawback of this technology is its
computational expensiveness. In fact one challenge facing traffic-signature
techniques on telecom networks is the high speed at which such pattern matching
algorithms must be executed. Therefore, this filtering solution involves
massively parallel computational capabilities as well as expensive database
clusters. However, as these technologies are becoming increasingly affordable,
we might see in the near future a large number of small to medium-sized companies
using it.”
A framework released under an open-source scheme.
As IT managers of large corporations and ISPs want total control over their network infrastructure, we release the solution under the GPL license. This allows users to freely customize the software to their specific needs.
Lynanda still provides state-of-the-art expertise in statistics and traffic analysis, which forms the basis of our consultancy offer.
You can learn more about the traffic filtering offer there or go directly to the product page to download a free demonstration
TapAndAnalyzer