Research And Implement Of SSH Traffic Identification System Based On Behavior Characteristics

Posted on: 2015-01-14
Degree: Master
Type: Thesis
Country: China
Candidate: Q L Guan
GTID: 2268330431456342
Subject: Computer technology

Abstract/Summary:
In recent years network technology has developed rapidly, and information networks have become an important foundation for social development. However, hacker attacks and privacy leaks occur frequently, so network security is receiving more attention. Guaranteeing the security of a computer system using only anti-virus software and security guards has become difficult, especially where the privacy of communications is concerned. As a result, more and more applications encrypt their communication data to protect the privacy of their users. At the application layer, using tunneling (e.g. SSH [1]) to encrypt communication data is becoming more and more popular. Some people use encrypted tunnels to protect the privacy of their communication, others to protect their behavior while they use applications, and still others to hide illegal activities [2]. Identifying encrypted tunnel traffic is therefore becoming more and more important.

With the increasing number of application protocols, it is becoming more and more difficult for network applications to strictly follow the rule that a particular application uses a specific port, so the effectiveness of port-based traffic identification methods has decreased greatly. Because data packets are encrypted in an SSH tunnel, the traditional identification methods based on protocol matching models and payload inspection are no longer applicable.

Although the data packets of an SSH session are encrypted, the packets sent to establish the secure connection are transmitted in clear text before formal data transmission begins. In addition, the length, inter-arrival time, direction and arrival order of the packets are known. In this paper, we design a classification algorithm based on these features to classify SSH traffic.
First, we combine the port-based identification method with the payload-based identification method to identify the SSH flows in the network; then we use the identification method based on behavior characteristics to classify those SSH flows. The selected features are the TCP payload length and inter-arrival time of each flow's forward, reverse and bidirectional packets, and the proportion of reverse packets. The training set is used to calculate the expectation and variance of each selected flow feature. For a given flow, we calculate the expectation and variance of each feature and then calculate the probability that the flow belongs to each of the given classes. The flow is assigned to the class with the largest probability.

We constructed an SSH traffic classification system with this classification algorithm at its core. The system is divided into four parts: a data acquisition module, an SSH traffic classification module, a database module and a display module. The data acquisition module captures data from the network and passes it to the core of the system, the SSH traffic classification module, for identification. The classification module writes the preprocessing and recognition results to the database for display. The display module reads the data stored in the database and presents the preprocessing and recognition results visually, so that users can see how the network traffic changes and how the SSH traffic has been classified.
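The classification step described in the abstract, as an added Python sketch that is not code from the thesis. It assumes an independent Gaussian likelihood per feature with equal class priors (the abstract does not name the distribution); the packet tuple format, the class names `interactive` and `bulk`, and the synthetic flows are constructed for illustration.

```python
import math
import random
from statistics import mean, pvariance

def flow_features(packets):
    """packets: list of (time_s, direction, tcp_payload_len), direction 'f' or 'r'."""
    feats = []
    for sel in ("f", "r", "fr"):              # forward, reverse, bidirectional
        sub = [p for p in packets if p[1] in sel]
        lens = [p[2] for p in sub]
        gaps = [b[0] - a[0] for a, b in zip(sub, sub[1:])]
        for series in (lens, gaps):           # expectation and variance of each
            feats.append(mean(series) if series else 0.0)
            feats.append(pvariance(series) if series else 0.0)
    feats.append(sum(p[1] == "r" for p in packets) / len(packets))
    return feats                              # 13 values, last = reverse proportion

def train(labelled_flows, floor=1e-6):
    """Per class: expectation and variance of every feature over the training flows."""
    model = {}
    for label, flows in labelled_flows.items():
        cols = zip(*(flow_features(f) for f in flows))
        # The floor keeps a feature that is constant in training from dividing by zero.
        model[label] = [(mean(c), max(pvariance(c), floor)) for c in cols]
    return model

def classify(model, packets):
    """Assumed scoring: sum of per-feature Gaussian log-likelihoods, equal priors."""
    x = flow_features(packets)
    scores = {label: sum(-0.5 * (math.log(2 * math.pi * v) + (xi - m) ** 2 / v)
                         for xi, (m, v) in zip(x, params))
              for label, params in model.items()}
    return max(scores, key=scores.get), scores

def constructed_flow(rng, kind, n=60):
    """Synthetic packets; class names and value ranges are made up for this demo."""
    t, pkts = 0.0, []
    for i in range(n):
        if kind == "interactive":             # keystroke / echo pattern
            t += rng.uniform(0.05, 0.5)
            pkts.append((t, "fr"[i % 2], int(rng.uniform(36, 100))))
        else:                                 # "bulk": large data, sparse small replies
            t += rng.uniform(0.0005, 0.002)
            rev = i % 5 == 4
            size = rng.uniform(0, 36) if rev else rng.uniform(1300, 1448)
            pkts.append((t, "r" if rev else "f", int(size)))
    return pkts

MODEL = train({k: [constructed_flow(random.Random(i), k) for i in range(8)]
               for k in ("interactive", "bulk")})
print({k: classify(MODEL, constructed_flow(random.Random(100), k))[0] for k in MODEL})
```

On real captures the features span very different scales, so the variance floor and the amount of training data per class need tuning before the scores are meaningful.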
Keywords/Search Tags: Data privacy, SSH tunneling technology, encryption, SSH tunneling traffic identification system based on behavioral characteristics of flow