
The Recognition And Detection Of SSH Tunneled Traffic

Posted on: 2013-11-08
Degree: Master
Type: Thesis
Country: China
Candidate: X B Tan
GTID: 2248330392455080
Subject: Signal and Information Processing
Abstract/Summary:
Network traffic classification underpins every modern network-management platform and is essential to maintaining and operating a network. As encryption has become widespread, conventional classification based on deep payload inspection has grown increasingly useless, and with the spread of protocol-disguise techniques, classical classification based on standard ports has become increasingly ineffective. Both problems fall under the classification of encrypted traffic. At the application layer, SSH (Secure Shell) is widely used: its strong authentication mechanism and encryption give users a secure communication channel, but the same properties leave traffic classifiers blind to what an SSH session carries. We therefore apply statistical pattern recognition to classify the encrypted flows.

This thesis addresses how to classify encrypted flows by means of statistical pattern recognition, analysed from the following aspects:

1. Feature extraction and pattern generation during the handshake. We propose classifying protocols by the statistical features observed during a handshake: we first select the features of an encrypted flow, then build a pattern from them. The pattern is the precondition and basis of statistical pattern recognition, and simple yet effective statistical features are critical to classification.

2. The start and end of a tunnelled flow. By stepping through the establishment of an SSH session, we discuss how that process affects the tunnel boundary. A correct tunnel boundary is what makes accurate location of the tunnelled protocol possible, so analysing a protocol's handshake period is essential.

3. A maximum-likelihood classifier based on a Gaussian mixture model (GMM). The classifier is implemented in software, so the algorithms behind the programs are introduced. After sampling HTTP, SMTP, POP3 and FTP traffic, we train the classifier on these data sets and obtain the GMM parameters of each protocol. Finally, we analyse the experimental results and establish a protocol "fingerprint" from its class-conditional density function.

The results show that the GMM-based maximum-likelihood classifier is effective at classifying SSH-encrypted flows: in our experimental environment, the worst true-positive rate is above 85% and the best, for SMTP, is nearly 100%.
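The three aspects above (handshake features, tunnel boundary, GMM-based maximum-likelihood decision) fit together as one pipeline. The following is an added illustration written for this page, not code from the thesis: it fits a diagonal-covariance GMM per protocol with a small pure-Python EM implementation and classifies a flow by the largest class-conditional log-likelihood. Everything numeric in it is assumed for the sake of the example: the per-protocol packet-size profiles, the fixed tunnel boundary `SSH_SETUP_PACKETS` (the thesis derives the boundary by analysing the SSH session establishment step by step, not from a constant), and the synthetic flows produced by `synth_flow`.

```python
"""Maximum-likelihood protocol classification of SSH-tunnelled flows.
Pure-Python diagonal-covariance GMMs (EM), one per protocol, scored by
class-conditional log-likelihood.  All flows are constructed synthetic data."""
import math
import random

VAR_FLOOR = 1.0  # stops EM collapsing a component onto a single sample
N_FEATURES = 4   # feature = sizes of the first four tunnelled packets
# ASSUMED tunnel boundary: SSH transport, userauth and channel-open packets
# preceding the first tunnelled application packet.
SSH_SETUP_PACKETS = 12
# Constructed per-protocol handshake profiles, two behavioural modes each
# (ASSUMED byte counts chosen for illustration, not measured values).
PROFILES = {
    "HTTP": [[520, 1400, 1400, 1400], [380, 300, 60, 60]],
    "SMTP": [[90, 60, 120, 80], [90, 60, 250, 80]],
    "POP3": [[50, 40, 30, 20], [50, 40, 1400, 1400]],
    "FTP":  [[70, 200, 60, 180], [70, 400, 60, 180]],
}

def handshake_features(packet_sizes, boundary=SSH_SETUP_PACKETS, n=N_FEATURES):
    """Sizes of the first n packets after the tunnel boundary; None if the
    flow ends before the boundary (not classifiable)."""
    app = packet_sizes[boundary:boundary + n]
    return [float(s) for s in app] if len(app) == n else None

def synth_flow(profile, rng, jitter=15.0):
    """Constructed flow: random SSH setup packets, then a jittered profile."""
    setup = [rng.randint(40, 700) for _ in range(SSH_SETUP_PACKETS)]
    return setup + [max(1.0, v + rng.gauss(0.0, jitter)) for v in profile]

def log_gauss_diag(x, mean, var):
    return sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
               for xi, m, v in zip(x, mean, var))

def logsumexp(vals):
    top = max(vals)
    return top + math.log(sum(math.exp(v - top) for v in vals))

def fit_gmm(samples, k=2, iters=60):
    """EM for a k-component diagonal GMM with farthest-point initialisation."""
    n, d = len(samples), len(samples[0])
    means = [list(samples[0])]
    while len(means) < k:  # seed each new mean far from the existing ones
        means.append(list(max(samples, key=lambda s: min(
            sum((a - b) ** 2 for a, b in zip(s, m)) for m in means))))
    gmean = [sum(s[j] for s in samples) / n for j in range(d)]
    variances = [[max(VAR_FLOOR, sum((s[j] - gmean[j]) ** 2 for s in samples) / n)
                  for j in range(d)] for _ in range(k)]
    weights = [1.0 / k] * k
    for _ in range(iters):
        # E-step: posterior responsibility of each component for each sample
        resp = []
        for x in samples:
            lp = [math.log(weights[c]) + log_gauss_diag(x, means[c], variances[c])
                  for c in range(k)]
            z = logsumexp(lp)
            resp.append([math.exp(v - z) for v in lp])
        # M-step: re-estimate weights, means and (floored) variances
        for c in range(k):
            nc = sum(r[c] for r in resp)
            if nc < 1e-6:
                continue  # dead component: keep its previous parameters
            weights[c] = nc / n
            means[c] = [sum(r[c] * x[j] for r, x in zip(resp, samples)) / nc
                        for j in range(d)]
            variances[c] = [max(VAR_FLOOR, sum(r[c] * (x[j] - means[c][j]) ** 2
                                               for r, x in zip(resp, samples)) / nc)
                            for j in range(d)]
    return {"weights": weights, "means": means, "vars": variances}

def gmm_log_density(model, x):
    """Class-conditional log p(x | protocol): the protocol's fingerprint."""
    return logsumexp([math.log(w) + log_gauss_diag(x, m, v) for w, m, v in
                      zip(model["weights"], model["means"], model["vars"])])

def train(flows_by_protocol, k=2):
    """One GMM per protocol, fitted on that protocol's handshake features."""
    return {p: fit_gmm([f for f in map(handshake_features, flows) if f is not None], k)
            for p, flows in flows_by_protocol.items()}

def classify(models, packet_sizes):
    """Maximum-likelihood decision: argmax over protocols of log p(x | protocol)."""
    x = handshake_features(packet_sizes)
    if x is None:
        return None, {}
    scores = {p: gmm_log_density(m, x) for p, m in models.items()}
    return max(scores, key=scores.get), scores

def build_demo(per_mode=40, seed=7):
    rng = random.Random(seed)
    return train({p: [synth_flow(prof, rng) for prof in modes for _ in range(per_mode)]
                  for p, modes in PROFILES.items()})

def evaluate(models, per_mode=20, seed=99):
    """Per-protocol true-positive rate on freshly drawn constructed flows."""
    rng = random.Random(seed)
    tpr = {}
    for p, modes in PROFILES.items():
        flows = [synth_flow(prof, rng) for prof in modes for _ in range(per_mode)]
        tpr[p] = sum(classify(models, fl)[0] == p for fl in flows) / len(flows)
    return tpr

if __name__ == "__main__":
    for proto, rate in evaluate(build_demo()).items():
        print(f"{proto}: true-positive rate {rate:.2f}")
```

Two design points carry over to real traffic: the feature vector is taken only after the tunnel boundary, so a wrong boundary shifts every feature and silently degrades the fingerprint, and the variance floor in the M-step is what keeps a component from locking onto one flow and producing infinite densities. The per-protocol true-positive rates this prints describe the constructed data only, not the thesis's measurements.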
Keywords/Search Tags: SSH tunnel, classification of encrypted traffic, tunnel boundary, Gaussian Mixture Model, Maximum Likelihood Classifier