DOI: 10.1145/1815396.1815567
research-article

Statistical classification of services tunneled into SSH connections by a K-means based learning algorithm

Published: 28 June 2010

ABSTRACT

Secure SHell (SSH) is a TCP-based protocol designed to add security features to telnet and other insecure remote management tools. Due to its versatility, it is often used to forward applications (e.g. HTTP, SCP) into encoded TCP traffic flows. Identifying what SSH is being used for is challenging because packets are enciphered, so instruments based on deep packet inspection (DPI) cannot achieve this task. We approached the problem of early SSH classification with k-means based machine by studying the statistical behavior of IP traffic parameters, such as length, arrival time and direction of packets. In this paper we describe the tools and networks designed to collect SSH remote administration traffic, as well as the relevant results obtained for its classification. In particular, our tool identifies remote management traffic out of other SSH encoded applications with accuracy up to 90.34
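To make the approach in the abstract concrete, the following added example (not code from the paper or its authors) clusters flows with k-means on the length, direction and arrival gap of their first packets, then names each cluster by majority vote. The 4-packet window, k=2, the feature scaling, the labelling step and the synthetic flows are all assumptions made for illustration.

```python
import random

N_PKTS = 4  # assumption: only the first 4 packets of a flow are used ("early" classification)

def features(flow):
    """flow: list of (direction, length_bytes, gap_seconds); +1 = client->server, -1 = reverse."""
    head = (list(flow) + [(0, 0, 0.0)] * N_PKTS)[:N_PKTS]   # zero-pad short flows
    # Signed, scaled length carries size and direction; gaps are capped at 1 s.
    return [d * n / 1500.0 for d, n, _ in head] + [min(g, 1.0) for _, _, g in head]

def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def nearest(cents, p):
    return min(range(len(cents)), key=lambda i: dist2(p, cents[i]))

def kmeans(points, k, iters=20):
    cents = [points[0]]                      # deterministic farthest-point seeding
    while len(cents) < k:
        cents.append(max(points, key=lambda p: min(dist2(p, c) for c in cents)))
    for _ in range(iters):
        groups = [[] for _ in cents]
        for p in points:
            groups[nearest(cents, p)].append(p)
        cents = [[sum(col) / len(g) for col in zip(*g)] if g else c
                 for g, c in zip(groups, cents)]
    return cents

def train(labelled, k=2):
    """Cluster without labels, then name each cluster by majority vote of its members."""
    pts = [features(f) for f, _ in labelled]
    cents = kmeans(pts, k)
    votes = [{} for _ in cents]
    for p, (_, label) in zip(pts, labelled):
        v = votes[nearest(cents, p)]
        v[label] = v.get(label, 0) + 1
    return cents, [max(v, key=v.get) if v else None for v in votes]

def classify(model, flow):
    cents, names = model
    return names[nearest(cents, features(flow))]

def synth(kind, rng):
    """Constructed flows: typed admin sessions vs. bulk transfer through the tunnel."""
    if kind == "remote-admin":   # small packets, alternating direction, human-paced gaps
        return [((-1) ** i, rng.randint(48, 120), rng.uniform(0.1, 0.8)) for i in range(6)]
    return [(-1, rng.randint(1000, 1460), rng.uniform(0.001, 0.02)) for _ in range(6)]

rng = random.Random(1)
KINDS = ("remote-admin", "tunneled")
MODEL = train([(synth(k, rng), k) for k in KINDS for _ in range(30)])
```

Because only packet sizes, directions and timing are used, the classifier never needs the SSH payload, which is the property that lets it work where DPI cannot.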


Published in

IWCMC '10: Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
June 2010
1371 pages
ISBN: 9781450300629
DOI: 10.1145/1815396

Copyright © 2010 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
