Two-phased method for identifying SSH encrypted application flows

Research output: Chapter in Book/Report/Conference proceeding > Conference article in proceedings > Scientific > peer-review

5 Citations (Scopus)

Abstract

The use of application-layer tunnels has become more popular nowadays. By using encrypted tunnels for prohibited applications such as peer-to-peer file sharing it is easy to gain access to restricted networks. Application-layer tunnels provide a possibility to bypass network defenses, which is even more useful for malicious users trying to avoid detection. The accurate identification of application flows in encrypted tunnels is important for network security and management purposes. Traditional network traffic classification methods based on port numbers or pattern-matching mechanisms are practically useless in identifying application flows inside an encrypted tunnel, so another approach is needed. In this paper, we propose a two-phased method for classifying SSH tunneled application flows in real time. The classification is based on the statistical features of the network flows. The first classification phase identifies the SSH connection while the second classification phase detects the tunneled application. A simple K-Means clustering algorithm is utilized in classification. We evaluated our method using manually generated packet traces. The results were promising; over 94% of all flow samples were classified correctly, while untrained application flow samples were detected as unknown at high precision. (12 refs.)
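The abstract describes the shape of the method but not its feature set or thresholds, so the following is an editor-written illustration of the two-phase idea, not the authors' implementation. It assumes a three-value feature vector per flow (mean packet length, standard deviation of packet length, mean inter-arrival time), assumes phase 1 computes that vector over the first packets of a connection and phase 2 over the steady-state traffic inside the tunnel, seeds the K-Means centroids from the labelled training classes, and uses a per-cluster acceptance radius to report flows far from every centroid as "unknown". All sample values are constructed.

```python
"""Two-phase K-Means flow classifier (editor-written example, not the
authors' code): phase 1 decides SSH-or-not, phase 2 names the tunnelled
application.  Feature set, thresholds and sample values are assumptions."""
import math
from collections import Counter

# Assumed per-flow feature vector: (mean packet length in bytes,
# std dev of packet length in bytes, mean inter-arrival time in ms).
# Phase 1 uses it over the first packets of a connection, where the SSH
# banner and key-exchange leave a recognisable shape; phase 2 uses it
# over the traffic carried inside the established tunnel.
PHASE1_TRAIN = [                                   # constructed samples
    ((300.0, 250.0, 30.0), "ssh"),
    ((320.0, 260.0, 35.0), "ssh"),
    ((280.0, 240.0, 25.0), "ssh"),
    ((800.0, 500.0, 5.0), "other"),
    ((850.0, 520.0, 6.0), "other"),
    ((750.0, 480.0, 4.0), "other"),
]
PHASE2_TRAIN = [                                   # constructed samples
    ((90.0, 30.0, 400.0), "interactive-shell"),
    ((100.0, 35.0, 350.0), "interactive-shell"),
    ((110.0, 40.0, 450.0), "interactive-shell"),
    ((1400.0, 80.0, 2.0), "bulk-transfer"),
    ((1380.0, 90.0, 3.0), "bulk-transfer"),
    ((1420.0, 70.0, 2.0), "bulk-transfer"),
    ((600.0, 450.0, 60.0), "p2p"),
    ((650.0, 480.0, 50.0), "p2p"),
    ((550.0, 420.0, 70.0), "p2p"),
]


class KMeansClassifier:
    """Lloyd's K-Means on z-scored features.  Each cluster is named by a
    majority vote of its training labels and gets an acceptance radius, so
    a flow that is far from every centroid is reported as "unknown"."""

    def __init__(self, margin=1.5):
        self.margin = margin          # slack applied to each cluster radius

    def fit(self, samples):
        vectors = [v for v, _ in samples]
        labels = [l for _, l in samples]
        dims, n = len(vectors[0]), len(vectors)
        # z-score each feature so byte counts do not swamp millisecond values
        self.mean = [sum(v[i] for v in vectors) / n for i in range(dims)]
        self.std = [max(math.sqrt(sum((v[i] - self.mean[i]) ** 2 for v in vectors) / n), 1e-9)
                    for i in range(dims)]
        points = [self._scale(v) for v in vectors]
        # seed one centroid per known label from its class mean, then iterate
        names = sorted(set(labels))
        centroids = [self._centroid([p for p, l in zip(points, labels) if l == name])
                     for name in names]
        for _ in range(100):
            assign = [self._nearest(p, centroids)[0] for p in points]
            new = []
            for k in range(len(centroids)):
                members = [p for p, a in zip(points, assign) if a == k]
                new.append(self._centroid(members) if members else centroids[k])
            if new == centroids:      # assignments stable: converged
                break
            centroids = new
        assign = [self._nearest(p, centroids)[0] for p in points]
        self.centroids = centroids
        self.names, self.radius = [], []
        for k in range(len(centroids)):
            members = [(p, l) for p, l, a in zip(points, labels, assign) if a == k]
            self.names.append(Counter(l for _, l in members).most_common(1)[0][0]
                              if members else "unknown")
            self.radius.append(max((self._dist(p, centroids[k]) for p, _ in members),
                                   default=0.0) * self.margin)
        return self

    def predict(self, vector):
        k, d = self._nearest(self._scale(vector), self.centroids)
        return self.names[k] if d <= self.radius[k] else "unknown"

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mean, self.std)]

    @staticmethod
    def _centroid(points):
        return [sum(p[i] for p in points) / len(points) for i in range(len(points[0]))]

    @staticmethod
    def _dist(a, b):
        return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

    def _nearest(self, p, centroids):
        dists = [self._dist(p, c) for c in centroids]
        k = min(range(len(dists)), key=dists.__getitem__)
        return k, dists[k]


PHASE1 = KMeansClassifier().fit(PHASE1_TRAIN)
PHASE2 = KMeansClassifier().fit(PHASE2_TRAIN)


def classify_flow(early_features, body_features):
    """Return (phase-1 verdict, phase-2 verdict).  The tunnelled application
    is only looked up once the connection itself is recognised as SSH."""
    transport = PHASE1.predict(early_features)
    if transport != "ssh":
        return transport, None
    return "ssh", PHASE2.predict(body_features)


if __name__ == "__main__":
    for early, body in [((310.0, 255.0, 32.0), (105.0, 38.0, 420.0)),
                        ((310.0, 255.0, 32.0), (200.0, 10.0, 20.0)),   # app not in training set
                        ((820.0, 510.0, 5.0), (1390.0, 85.0, 2.0))]:
        print(early, body, "->", classify_flow(early, body))
```

The acceptance radius is what gives the "detected as unknown" behaviour the abstract mentions: a flow is only labelled with a cluster's application if it lies within the margin-scaled distance of that cluster's farthest training member, so an application the model was never trained on falls outside every radius instead of being forced onto the nearest centroid. Seeding the centroids from the labelled class means keeps the clustering deterministic for a small training set; with a larger unlabelled corpus one would use a standard K-Means initialisation and name the clusters afterwards.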
Original language: English
Title of host publication: Proceedings
Subtitle of host publication: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Place of Publication: Piscataway, NJ, USA
Publisher: IEEE Institute of Electrical and Electronic Engineers
Pages: 1033-1038
ISBN (Electronic): 978-1-4244-9538-2
ISBN (Print): 978-1-4244-9539-9
DOIs: https://doi.org/10.1109/IWCMC.2011.5982683
Publication status: Published - 2011
MoE publication type: A4 Article in a conference publication
Event: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 - Istanbul, Turkey
Duration: 12 Aug 2011 → …

Conference

Conference: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011
Abbreviated title: IWCMC 2011
Country: Turkey
City: Istanbul
Period: 12/08/11 → …

Fingerprint

Tunnels
Pattern matching
Network security
Network management
Clustering algorithms

Cite this

Hirvonen, M., & Sailio, M. (2011). Two-phased method for identifying SSH encrypted application flows. In Proceedings: 7th International Wireless Communications and Mobile Computing Conference, IWCMC 2011 (pp. 1033-1038). Piscataway, NJ, USA: IEEE Institute of Electrical and Electronic Engineers. https://doi.org/10.1109/IWCMC.2011.5982683
@inproceedings{303569b2c6304ed6b6c770484358dd61,
title = "Two-phased method for identifying SSH encrypted application flows",
abstract = "The use of application-layer tunnels has become more popular nowadays. By using encrypted tunnels for prohibited applications such as peer-to-peer file sharing it is easy to gain access to restricted networks. Application-layer tunnels provide a possibility to bypass network defenses, which is even more useful for malicious users trying to avoid detection. The accurate identification of application flows in encrypted tunnels is important for network security and management purposes. Traditional network traffic classification methods based on port numbers or pattern-matching mechanisms are practically useless in identifying application flows inside an encrypted tunnel, so another approach is needed. In this paper, we propose a two-phased method for classifying SSH tunneled application flows in real time. The classification is based on the statistical features of the network flows. The first classification phase identifies the SSH connection while the second classification phase detects the tunneled application. A simple K-Means clustering algorithm is utilized in classification. We evaluated our method using manually generated packet traces. The results were promising; over 94{\%} of all flow samples were classified correctly, while untrained application flow samples were detected as unknown at high precision. (12 refs.)",
author = "Mervi Hirvonen and Mirko Sailio",
year = "2011",
doi = "10.1109/IWCMC.2011.5982683",
language = "English",
isbn = "978-1-4244-9539-9",
pages = "1033--1038",
booktitle = "Proceedings",
publisher = "IEEE Institute of Electrical and Electronic Engineers",
address = "United States",
}
