Two-phased method for identifying SSH encrypted application flows

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

8 Citations (Scopus)

Abstract

The use of application-layer tunnels has become more popular nowadays. By using encrypted tunnels for prohibited applications such as peer-to-peer file sharing, it is easy to gain access to restricted networks. Application-layer tunnels provide a possibility to bypass network defenses, which is even more useful for malicious users trying to avoid detection. The accurate identification of application flows in encrypted tunnels is important for network security and management purposes. Traditional network traffic classification methods based on port numbers or pattern-matching mechanisms are practically useless in identifying application flows inside an encrypted tunnel; therefore, another approach is needed. In this paper, we propose a two-phased method for classifying SSH tunneled application flows in real time. The classification is based on the statistical features of the network flows. The first classification phase identifies the SSH connection, while the second classification phase detects the tunneled application. A simple K-Means clustering algorithm is utilized in classification. We evaluated our method using manually generated packet traces. The results were promising; over 94% of all flow samples were classified correctly, while untrained application flow samples were detected as unknown at high precision. (12 refs.)
Original language: English
Title of host publication: Proceedings
Subtitle of host publication: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Place of Publication: Piscataway, NJ, USA
Publisher: IEEE Institute of Electrical and Electronic Engineers
Pages: 1033-1038
ISBN (Electronic): 978-1-4244-9538-2
ISBN (Print): 978-1-4244-9539-9
Publication status: Published - 2011
MoE publication type: A4 Article in a conference publication
Event: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 - Istanbul, Turkey
Duration: 12 Aug 2011 → …

Conference

Conference: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Abbreviated title: IWCMC 2011
Country/Territory: Turkey
City: Istanbul
Period: 12/08/11 → …
