A flow based approach for SSH traffic detection

@article{Alshammari2007AFB,
  title={A flow based approach for SSH traffic detection},
  author={Riyad Alshammari and Ayse Nur Zincir-Heywood},
  journal={2007 IEEE International Conference on Systems, Man and Cybernetics},
  year={2007},
  pages={296-301}
}
The basic objective of this work is to assess the utility of two supervised learning algorithms, AdaBoost and RIPPER, for classifying SSH traffic from log files without using features such as payload, IP addresses and source/destination ports. Pre-processing is applied to the traffic data to express it as traffic flows. Results of 10-fold cross validation for each learning algorithm indicate that a detection rate of 99% and a false positive rate of 0.7% can be achieved using RIPPER. Moreover… 
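The pipeline the abstract describes (packets pre-processed into flows, features that deliberately exclude payload, IP addresses and ports, a learned classifier, and 10-fold cross-validation reported as detection rate and false positive rate), as an added example that is not the paper's code. It assumes a constructed, seeded packet generator in place of a capture, and a single-condition rule learner stands in for the RIPPER/AdaBoost rule sets so that it runs without any library; the services are put on non-standard ports on purpose, since port numbers are not allowed to be a feature.

```python
"""Flow-based SSH detection on constructed packets (added example, not the paper's code).

packets -> bidirectional flows -> payload/IP/port-free features -> one-rule
classifier -> 10-fold cross-validation -> detection rate and false positive rate.
"""
import random
import statistics
from collections import defaultdict


def synth_packets(rng, n_ssh=40, n_other=40):
    """Constructed stand-in for a capture: (ts, src_ip, src_port, dst_ip, dst_port, length).
    Ground truth comes from the generator, never from the port number (both services
    are placed on non-standard ports on purpose)."""
    packets, labels = [], {}
    for i in range(n_ssh + n_other):
        is_ssh = i < n_ssh
        client = (f"10.0.0.{i % 200 + 1}", 20000 + i)
        server = ("10.1.0.5", 2222) if is_ssh else ("10.1.0.9", 8080)
        labels[frozenset([client, server])] = is_ssh
        t = rng.uniform(0, 1000)
        if is_ssh:  # interactive session: many small packets in both directions
            for _ in range(rng.randint(30, 80)):
                t += rng.expovariate(2.0)
                packets.append((t, *client, *server, rng.randint(52, 120)))
                t += rng.expovariate(20.0)
                packets.append((t, *server, *client, rng.randint(52, 160)))
        else:  # request/response: one request, then a burst of full-size segments
            packets.append((t, *client, *server, rng.randint(300, 600)))
            for _ in range(rng.randint(5, 20)):
                t += rng.expovariate(200.0)
                packets.append((t, *server, *client, 1460))
    return packets, labels


def build_flows(packets):
    """Pre-processing: group packets into bidirectional flows keyed by endpoint pair.
    The sender of a flow's first packet is treated as the initiator (forward direction)."""
    flows, initiator = defaultdict(list), {}
    for ts, sip, spt, dip, dpt, size in sorted(packets):
        key = frozenset([(sip, spt), (dip, dpt)])
        initiator.setdefault(key, (sip, spt))
        flows[key].append((ts, size, (sip, spt) == initiator[key]))
    return flows


def flow_features(pkts):
    """Statistical features only: nothing here is derived from payload, IP or port."""
    sizes = [s for _, s, _ in pkts]
    fwd_bytes = sum(s for _, s, f in pkts if f)
    iats = [b[0] - a[0] for a, b in zip(pkts, pkts[1:])] or [0.0]
    return {
        "n_pkts": len(pkts),
        "mean_size": statistics.fmean(sizes),
        "std_size": statistics.pstdev(sizes),
        "fwd_byte_ratio": fwd_bytes / sum(sizes),
        "mean_iat": statistics.fmean(iats),
        "duration": pkts[-1][0] - pkts[0][0],
    }


def learn_rule(rows):
    """Single-condition rule with the best training accuracy: a minimal stand-in
    for the paper's RIPPER/AdaBoost models, chosen to keep the example library-free."""
    best = None
    for feat in rows[0][0]:
        vals = sorted({x[feat] for x, _ in rows})
        for lo, hi in zip(vals, vals[1:]):
            thr = (lo + hi) / 2
            for ssh_if_above in (True, False):
                acc = sum(((x[feat] > thr) == ssh_if_above) == y for x, y in rows) / len(rows)
                if best is None or acc > best[0]:
                    best = (acc, feat, thr, ssh_if_above)
    return best[1:]


def predict(rule, x):
    feat, thr, ssh_if_above = rule
    return (x[feat] > thr) == ssh_if_above


def rates(pairs):
    """Detection rate = TP / (TP + FN); false positive rate = FP / (FP + TN)."""
    tp = sum(1 for y, p in pairs if y and p)
    fn = sum(1 for y, p in pairs if y and not p)
    fp = sum(1 for y, p in pairs if not y and p)
    tn = sum(1 for y, p in pairs if not y and not p)
    return tp / (tp + fn), fp / (fp + tn)


def cross_validate(rows, k=10, seed=1):
    """k-fold CV: learn on k-1 folds, predict the held-out fold, pool the predictions."""
    idx = list(range(len(rows)))
    random.Random(seed).shuffle(idx)
    pooled = []
    for test in [idx[i::k] for i in range(k)]:
        held = set(test)
        rule = learn_rule([rows[i] for i in idx if i not in held])
        pooled += [(rows[i][1], predict(rule, rows[i][0])) for i in test]
    return rates(pooled)


def run(seed=7):
    packets, labels = synth_packets(random.Random(seed))
    flows = build_flows(packets)
    rows = [(flow_features(p), labels[k]) for k, p in flows.items()]
    dr, fpr = cross_validate(rows)
    return {"flows": len(rows), "features": list(rows[0][0]),
            "detection_rate": dr, "false_positive_rate": fpr}


if __name__ == "__main__":
    print(run())
```

On this constructed data the two classes separate on packet count alone, so the cross-validated detection rate is 1.0 and the false positive rate 0.0; real captures will not be that clean, which is why the paper's 99% / 0.7% figures come from a proper rule learner over many more flows. The point to keep is the feature set: every value is computed from sizes, directions and timing, so the classifier still works when SSH is moved off port 22 or wrapped in another port's clothing.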


On the fly Application Flows Identification by exploiting K-Means based classifiers
TLDR
This paper has developed a real time traffic classification method based on cluster analysis to identify TCP application flows from statistical parameters, such as length, arrival times and direction of IP packets, and achieves average detection rate and accuracy up to 95.43% for TCP based application flows.
A New Semi-Supervised Method for Network Traffic Classification Based on X-Means Clustering and Label Propagation
TLDR
A new semi-supervised method for traffic classification based on x-means clustering algorithm and a new label propagation technique is proposed that shows its effectiveness for learning a network traffic classifier using a limited labeled data.
A framework for tunneled traffic analysis
  • T. Yildirim, P. Radcliffe
  • Computer Science
    2010 The 12th International Conference on Advanced Communication Technology (ICACT)
  • 2010
TLDR
It is argued that the results to date for encrypted traffic cannot help a network device such as a firewall make any useful decision, nor are there any indications that this may be achieved in the future.
Machine learning based encrypted traffic classification: Identifying SSH and Skype
TLDR
Assessment of the robustness of machine learning based traffic classification for classifying encrypted traffic, where SSH and Skype are taken as good representatives of encrypted traffic, indicates that the C4.5 based approach performs much better than other algorithms on the identification of both SSH and Skype traffic on totally different networks.
Statistical classification of services tunneled into SSH connections by a K-means based learning algorithm
TLDR
This paper describes tools and networks designed to collect SSH remote administration traffic as well as relevant results obtained for its classification, and identifies remote management traffic out of other SSH-encoded applications with accuracy up to 90.34%.
FPGA targeted implementation of a neurofuzzy system for real time TCP/IP traffic classification
  • Alessandro Cinti, A. Rizzi
  • Computer Science
    2013 Sixth International Conference on Advanced Computational Intelligence (ICACI)
  • 2013
TLDR
This paper proposes to employ an FPGA to design a stand-alone device using only information available at network layer, namely packet sizes, directions and inter-arrival times, to perform flow classification according to application layer protocol.
An application-level features mining algorithm based on PrefixSpan
TLDR
A novel application-level features mining algorithm based on PrefixSpan is proposed and used to automatically extract features from network traffic; it shows high precision and a low error rate, and outperforms the Apriori-based features mining algorithm.
VoIP traffic classification in IPSec tunnels
  • T. Yildirim, P. Radcliffe
  • Computer Science
    2010 International Conference on Electronics and Information Engineering
  • 2010
TLDR
It is shown that VoIP/non-VoIP classification can be used to dramatically improve VoIP QoS and may be used to effectively block non-VoIP traffic in an IPSec tunnel, demonstrating the usefulness of the technique and the desirability of finding more discriminating VoIP identification algorithms for IPSec tunnels.
Network Traffic Classification Using Machine Learning Algorithms
TLDR
This work captures online internet traffic of seven different kinds of applications such as DNS, FTP, TELNET, P2P, WWW, IM and MAIL, and applies three ML algorithms Artificial Neural Network, C4.5 Decision Tree and Support Vector Machine to achieve highly precise results.

References

Showing 1-10 of 21 references
Traffic classification using clustering algorithms
TLDR
This work considers two unsupervised clustering algorithms, namely K-Means and DBSCAN, that have previously not been used for network traffic classification and evaluates these two algorithms and compares them to the previously used AutoClass algorithm, using empirical Internet traces.
A preliminary performance comparison of five machine learning algorithms for practical IP traffic flow classification
TLDR
The performance impact of feature set reduction, using Consistency-based and Correlation-based feature selection, is demonstrated on Naïve Bayes, C4.5, Bayesian Network and Naïve Bayes Tree algorithms.
BLINC: multilevel traffic classification in the dark
TLDR
This work presents a fundamentally different approach to classifying traffic flows according to the applications that generate them, based on observing and identifying patterns of host behavior at the transport layer and demonstrates the effectiveness of this approach on three real traces.
Internet traffic classification using bayesian analysis techniques
TLDR
This work applies a Naïve Bayes estimator to categorize traffic by application using samples of well-known traffic to allow the categorization of traffic using commonly available information alone, and demonstrates the high level of accuracy achievable with this estimator.
Behavioral authentication of server flows
TLDR
This work presents an approach to classify server traffic based on decision trees learned during a training phase, which provides a more accurate classification in the presence of malicious activity.
Dynamic Application-Layer Protocol Analysis for Network Intrusion Detection
TLDR
This paper discusses the design and implementation of a NIDS extension to perform dynamic application-layer protocol analysis and demonstrates the power of the enhancement with three examples: reliable detection of applications not using their standard ports, payload inspection of FTP data transfers, and detection of IRC-based botnet clients and servers.
ACAS: automated construction of application signatures
TLDR
This paper applies three statistical machine learning algorithms to automatically identify signatures for a range of applications and finds that this approach is highly accurate and scales to allow online application identification on high speed links.
Toward the Accurate Identification of Network Applications
TLDR
This work uses a full payload packet trace collected from an Internet site to identify the types of errors that may result from port-based classification and quantify them for the specific trace under study and devise a classification methodology that relies on the full packet payload.
On Inferring Application Protocol Behaviors in Encrypted Network Traffic
TLDR
This paper presents what it believes to be the first exploratory look at protocol identification in encrypted tunnels which carry traffic from many TCP connections simultaneously, using only post-encryption observable features, and investigates the extent to which common application protocols can be identified using only the features that remain intact after encryption.
HMM profiles for network traffic classification
TLDR
Using less information than previously thought possible, classification accuracy is demonstrated close to that of other recent techniques, and success is shown in classifying a variety of common network applications as observed from real Internet traffic traces.