ABSTRACT
Secure Shell (SSH) is a TCP-based protocol designed to add security features to telnet and other insecure remote management tools. Because of its versatility, it is often used to forward other applications (e.g. HTTP, SCP) inside encrypted TCP traffic flows. What makes identifying the uses of SSH challenging is that the packets are encrypted, so instruments based on deep packet inspection (DPI) cannot perform this task. We approached the problem of early SSH classification with a k-means based machine learning method, studying the statistical behavior of IP traffic parameters such as packet length, arrival time and direction. In this paper we describe the tools and networks designed to collect SSH remote administration traffic, as well as the relevant results obtained for its classification. In particular, our tool identifies remote management traffic among other SSH-encoded applications with accuracy up to 90.34
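The pipeline the abstract outlines, written out as an added example (it is not the paper's code and reproduces none of its data): per-flow statistics are computed from the first packets of a flow using only what survives encryption (length, direction, inter-arrival gap), the vectors are standardised and clustered with k-means, and each cluster is named by majority vote over a small labelled training set so that unseen flows can be classified early. The two traffic types, the feature set, k = 2 and all packet sequences are constructed assumptions chosen to stand in for the captured traces the paper describes; the generators produce synthetic data only.

```python
"""Added example: early classification of SSH flows with k-means over packet statistics.
Traffic is synthetic (constructed generators below), not captured; feature choices are assumptions."""
import math
import random
from collections import Counter
from typing import Callable, Dict, List, Sequence, Tuple

Packet = Tuple[int, int, float]   # (direction: +1 client->server / -1 server->client, length, gap seconds)
EARLY_PACKETS = 20                # early classification: only the first packets of a flow are inspected


def flow_features(packets: Sequence[Packet]) -> List[float]:
    """Statistics that survive encryption: mean size per direction, direction ratio, timing."""
    pkts = list(packets[:EARLY_PACKETS])
    c2s = [length for d, length, _ in pkts if d > 0]
    s2c = [length for d, length, _ in pkts if d < 0]
    gaps = [gap for _, _, gap in pkts[1:]]            # the first packet has no predecessor
    mean = lambda xs: sum(xs) / len(xs) if xs else 0.0
    return [mean(c2s), mean(s2c), len(c2s) / len(pkts) if pkts else 0.0, math.log1p(mean(gaps))]


def synth_shell_flow(rng: random.Random) -> List[Packet]:
    """Constructed interactive remote-administration flow: keystroke, small echo, human-paced gaps."""
    pkts: List[Packet] = []
    for _ in range(EARLY_PACKETS // 2):
        pkts.append((+1, rng.randint(36, 52), rng.uniform(0.08, 0.6)))
        pkts.append((-1, rng.randint(36, 84), rng.uniform(0.001, 0.02)))
    return pkts


def synth_bulk_flow(rng: random.Random) -> List[Packet]:
    """Constructed tunnelled transfer (SCP/HTTP-like): back-to-back full segments, sparse client acks."""
    pkts: List[Packet] = []
    for i in range(EARLY_PACKETS):
        if i % 5 == 4:
            pkts.append((+1, rng.randint(36, 68), rng.uniform(0.0002, 0.003)))
        else:
            pkts.append((-1, rng.randint(1200, 1448), rng.uniform(0.0002, 0.003)))
    return pkts


def sqdist(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def zscore_scaler(vectors: Sequence[Sequence[float]]) -> Callable[[Sequence[float]], List[float]]:
    """Per-dimension standardisation fitted on the training set (bytes and seconds differ in scale)."""
    dims = len(vectors[0])
    means = [sum(v[d] for v in vectors) / len(vectors) for d in range(dims)]
    stds = [math.sqrt(sum((v[d] - means[d]) ** 2 for v in vectors) / len(vectors)) or 1.0 for d in range(dims)]
    return lambda v: [(v[d] - means[d]) / stds[d] for d in range(dims)]


def kmeans(points: Sequence[Sequence[float]], k: int, max_iter: int = 100) -> List[List[float]]:
    """Lloyd's algorithm; deterministic init: first point, then the point farthest from chosen centroids."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        centroids.append(list(max(points, key=lambda p: min(sqdist(p, c) for c in centroids))))
    assign: List[int] = []
    for _ in range(max_iter):
        new_assign = [min(range(k), key=lambda j: sqdist(p, centroids[j])) for p in points]
        if new_assign == assign:
            break                                       # converged: no point changed cluster
        assign = new_assign
        for j in range(k):
            members = [p for p, a in zip(points, assign) if a == j]
            if members:
                centroids[j] = [sum(m[d] for m in members) / len(members) for d in range(len(members[0]))]
    return centroids


def train(seed: int = 1, flows_per_class: int = 30) -> Dict:
    """Fit scaler and k-means on constructed labelled flows; name each cluster by majority vote."""
    rng = random.Random(seed)
    flows = [(synth_shell_flow(rng), "shell") for _ in range(flows_per_class)] + \
            [(synth_bulk_flow(rng), "bulk") for _ in range(flows_per_class)]
    rng.shuffle(flows)
    scale = zscore_scaler([flow_features(f) for f, _ in flows])
    points = [scale(flow_features(f)) for f, _ in flows]
    centroids = kmeans(points, k=2)
    votes = [Counter() for _ in centroids]
    for p, (_, label) in zip(points, flows):
        votes[min(range(len(centroids)), key=lambda j: sqdist(p, centroids[j]))][label] += 1
    return {"scale": scale, "centroids": centroids,
            "labels": [v.most_common(1)[0][0] if v else "unknown" for v in votes]}


def predict(model: Dict, packets: Sequence[Packet]) -> str:
    """Classify a flow prefix by its nearest labelled centroid."""
    p = model["scale"](flow_features(packets))
    j = min(range(len(model["centroids"])), key=lambda j: sqdist(p, model["centroids"][j]))
    return model["labels"][j]


def evaluate(model: Dict, seed: int = 2, flows_per_class: int = 40) -> float:
    """Accuracy on fresh constructed flows the model has not seen."""
    rng = random.Random(seed)
    tests = [(synth_shell_flow(rng), "shell") for _ in range(flows_per_class)] + \
            [(synth_bulk_flow(rng), "bulk") for _ in range(flows_per_class)]
    return sum(predict(model, f) == label for f, label in tests) / len(tests)


if __name__ == "__main__":
    m = train()
    print("cluster labels:", m["labels"])
    print("held-out accuracy:", evaluate(m))
```

The scaler is fitted on training flows only and reused at prediction time, so the test flows never influence the cluster geometry; the log transform on the mean gap keeps millisecond and sub-second timings from being dominated by a few long pauses. On real traces the labels come from the collection setup rather than from a generator, and the number of clusters would be chosen per the set of tunnelled services under study.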
Index Terms
- Statistical classification of services tunneled into SSH connections by a K-means based learning algorithm