
SSH And Its Obfuscated Protocol Traffic Detection And Bearer Application Identification Technology

Posted on: 2020-07-13
Degree: Master
Type: Thesis
Country: China
Candidate: T Yi
GTID: 2438330626453428
Subject: Systems Engineering

Abstract/Summary:
The SSH protocol is one of the most widely used encrypted communication protocols on the Internet. It is mainly used to secure users' remote operation and maintenance of servers, and it can also be used to construct tunnels that provide secure transmission services for other applications. Because SSH is so widely used, attackers have begun to use it for traffic obfuscation to avoid network censorship and achieve covert communication. Discovering potential obfuscated SSH protocols and identifying the application types carried in SSH encrypted channels are hot frontier issues in traffic analysis and network security. This paper proposes a machine-learning-based method for classifying SSH application traffic and combined application traffic, and on this basis designs and implements the corresponding software system. The main research results are as follows:

(1) The characteristics of the SSH connection establishment process are analyzed from two aspects, protocol definition and traffic. The payload lengths of the packets in the SSH connection establishment process are extracted as a protocol handshake fingerprint, and two algorithms based on the handshake fingerprint are proposed for SSH protocol identification. Experiments show that the algorithms identify the SSH protocol with high accuracy.

(2) The connection establishment process of the Obfuscated-OpenSSH protocol is analyzed at the protocol implementation level. The transport-layer payloads of the packets are reassembled according to the acknowledgement number to obtain the characteristic sequence of the Obfuscated-OpenSSH connection establishment process, and a feature sequence generation method and an Obfuscated-OpenSSH recognition algorithm based on feature sequence matching are proposed. Experiments show that the algorithm achieves high precision and recall in recognizing the Obfuscated-OpenSSH protocol.

(3) SSH application traffic characteristics are analyzed from two aspects, protocol definition and traffic. A new set of application traffic classification features based on packet payload length and packet transmission direction is constructed, and a feature extraction method and a classification scheme based on supervised machine learning are presented. Experiments show that, using the J48 decision tree algorithm with this feature set, high classification accuracy can be achieved for remote login, HTTP forwarding, data transfer (SCP or SFTP), rsync and FTP forwarding.

(4) The combined traffic characteristics of remote login and data transmission applications are analyzed. The combined traffic of remote login and data transmission applications is segmented with an equal step size, statistical features of each segment are extracted based on packet payload length and packet arrival time interval, and the segmented combined application traffic is classified with a supervised machine learning algorithm. Experiments show that the proposed method has high classification accuracy.

(5) With the above identification algorithms and classification methods as the core of the system's business logic, an SSH protocol identification and application classification software system has been designed and implemented.

Finally, the whole paper is summarized and problems worthy of further study are discussed.
Keywords/Search Tags: SSH protocol identification, SSH application classification, encryption confusion, encryption traffic analysis