Two-phased method for identifying SSH encrypted application flows

Research output: Chapter in Book/Report/Conference proceeding › Conference article in proceedings › Scientific › peer-review

5 Citations (Scopus)

Abstract

The use of application-layer tunnels has become more popular nowadays. By using encrypted tunnels for prohibited applications such as peer-to-peer file sharing, it is easy to gain access to restricted networks. Application-layer tunnels provide a possibility to bypass network defenses, which is even more useful for malicious users trying to avoid detection. The accurate identification of application flows in encrypted tunnels is important for network security and management purposes. Traditional network traffic classification methods based on port numbers or pattern-matching mechanisms are practically useless in identifying application flows inside an encrypted tunnel; therefore, another approach is needed. In this paper, we propose a two-phased method for classifying SSH-tunneled application flows in real time. The classification is based on the statistical features of the network flows. The first classification phase identifies the SSH connection, while the second classification phase detects the tunneled application. A simple K-Means clustering algorithm is utilized in classification. We evaluated our method using manually generated packet traces. The results were promising: over 94% of all flow samples were classified correctly, while untrained application flow samples were detected as unknown at high precision. (12 refs.)
Original language: English
Title of host publication: Proceedings
Subtitle of host publication: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Place of publication: Piscataway, NJ, USA
Publisher: Institute of Electrical and Electronic Engineers IEEE
Pages: 1033-1038
ISBN (Electronic): 978-1-4244-9538-2
ISBN (Print): 978-1-4244-9539-9
DOIs: 10.1109/IWCMC.2011.5982683
Publication status: Published - 2011
MoE publication type: A4 Article in a conference publication
Event: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 - Istanbul, Turkey
Duration: 12 Aug 2011 → …

Conference

Conference: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Abbreviated title: IWCMC 2011
Country: Turkey
City: Istanbul
Period: 12/08/11 → …

Fingerprint

Tunnels
Pattern matching
Network security
Network management
Clustering algorithms

Cite this

Hirvonen, M., & Sailio, M. (2011). Two-phased method for identifying SSH encrypted application flows. In Proceedings: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 (pp. 1033-1038). Piscataway, NJ, USA: Institute of Electrical and Electronic Engineers IEEE. https://doi.org/10.1109/IWCMC.2011.5982683