
Automatically classifying encrypted network traffic: A case study of SSH

Posted on: 2009-10-10
Degree: M.C.S
Type: Thesis
University: Dalhousie University (Canada)
Candidate: Alshammari, Riyad
Full Text: PDF
GTID: 2448390002992766
Subject: Computer Science
Abstract/Summary:
The objective of this work is to develop a framework of best practices for the classification of encrypted traffic, where SSH is taken as an example application. Different feature sets are evaluated to assess the robustness of machine-learning-based traffic identification for classifying encrypted traffic. In this thesis, robustness means that the classifiers are trained on data from one network but tested on data from an entirely different network. To this end, three learning algorithms (AdaBoost, RIPPER and C4.5) are evaluated using packet header, heuristic and flow-based features. Traffic classification is performed without using features such as IP addresses, source/destination ports and payload information. Results indicate that it is possible to classify encrypted traffic without using IP addresses, port numbers and payload information. Moreover, with a greedy search and an entropy-based normalized information gain model, the C4.5 learning algorithm with statistical flow features is best suited to this problem domain among the learning models evaluated in this thesis.
Keywords/Search Tags:Traffic, Encrypted, Network