DocumentCode
2323482
Title
Intrusion detection in encrypted accesses with SSH protocol to network public servers
Author
Foroushani, Vahid Aghaei ; Adibnia, Fazlollah ; Hojati, Elham
Author_Institution
Comput. Eng. Dept., Yazd Univ., Yazd
fYear
2008
fDate
13-15 May 2008
Firstpage
314
Lastpage
318
Abstract
While network applications are in common use, attacks against them cause serious problems. An intrusion detection system (IDS) is one solution to such problems, but an IDS cannot react efficiently to accesses protected by an encryption protocol, because it cannot inspect the contents of a packet. This paper presents a new approach to detecting anomalous behaviour in encrypted accesses over the SSH2 protocol to public network servers such as HTTP servers, FTP servers and database servers. In this approach, the system first extracts information from each SSH client, consisting of the transferred data size and the time interval between messages. Second, the various actions are identified based on the similarity of this information. Finally, attacks are detected according to intrusion signatures generated from the frequency of accesses and the characteristics of the TCP traffic. The system does not decipher private information, because it detects intrusions using only the transferred data size and the time interval between messages, and it does not require the heavy computation that common encrypted-traffic analysis methods need before they can start operating. We show that the system is able to detect various attacks with high accuracy by implementing it on the Snort intrusion detection software and evaluating it on the DARPA evaluation dataset.
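The feature-extraction and signature steps described in the abstract, as an added illustration in Python (not the authors' Snort implementation): packets are grouped into SSH sessions, each session is reduced to encrypted-payload sizes and inter-arrival times, every session is scored by z-score against a baseline of reference sessions, and a separate access-frequency rule flags clients that open many short sessions within a short window. The packet records, server address, thresholds and the choice of baseline sessions are constructed assumptions.

```python
"""Session-level anomaly detection for encrypted SSH traffic using only packet sizes
and inter-arrival times. Added illustration; all traffic below is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

SERVER = "192.0.2.10:22"  # assumed SSH server address (constructed)


def _session(client, start, sizes, gap):
    """Build packet records (timestamp, client, server, encrypted_payload_len) at a fixed gap."""
    return [(start + i * gap, client, SERVER, size) for i, size in enumerate(sizes)]


# Interactive shells: small payloads, gaps around a second (constructed reference traffic).
BENIGN = (
    _session("10.0.0.1:50001", 0.0, [48, 64, 96, 80, 112, 64, 48, 96], 1.0)
    + _session("10.0.0.2:50002", 100.0, [64, 48, 80, 128, 96, 64, 80], 1.5)
    + _session("10.0.0.3:50003", 200.0, [48, 80, 64, 112, 96, 48, 64, 80, 96], 0.8)
)
BENIGN_KEYS = {("10.0.0.1:50001", SERVER), ("10.0.0.2:50002", SERVER), ("10.0.0.3:50003", SERVER)}
# Bulk transfer: large packets at a tight cadence (constructed).
BULK = _session("10.0.0.4:52000", 400.0, [1400] * 20, 0.01)
# Twelve short sessions from one client inside six seconds: the access-frequency pattern (constructed).
REPEATED = [p for i in range(12)
            for p in _session(f"10.0.0.5:{53000 + i}", 300.0 + 0.5 * i, [48, 64, 48], 0.1)]
PACKETS = BENIGN + BULK + REPEATED


def sessions_from_packets(packets):
    """Group packets into sessions keyed by (client, server); keep only (time, size)."""
    sessions = defaultdict(list)
    for t, client, server, size in sorted(packets):
        sessions[(client, server)].append((t, size))
    return sessions


def extract_features(session):
    """Per-session features that need no decryption: counts, sizes and timing."""
    times = [t for t, _ in session]
    sizes = [s for _, s in session]
    gaps = [b - a for a, b in zip(times, times[1:])]
    return {
        "packets": len(session),
        "total_bytes": sum(sizes),
        "mean_size": mean(sizes),
        "mean_gap": mean(gaps) if gaps else 0.0,
        "duration": times[-1] - times[0],
    }


def build_baseline(feature_rows):
    """Mean and population stdev of each feature over the reference sessions."""
    return {k: (mean([r[k] for r in feature_rows]), pstdev([r[k] for r in feature_rows]))
            for k in feature_rows[0]}


def max_z(features, baseline):
    """Largest absolute z-score across features; inf when a zero-variance feature moves at all."""
    worst = 0.0
    for k, (mu, sd) in baseline.items():
        x = features[k]
        z = abs(x - mu) / sd if sd > 0 else (0.0 if x == mu else float("inf"))
        worst = max(worst, z)
    return worst


def frequent_clients(sessions, min_sessions=5, window=10.0):
    """Client IPs that open at least min_sessions sessions inside any `window` seconds (assumed thresholds)."""
    starts = defaultdict(list)
    for (client, _), pkts in sessions.items():
        starts[client.rsplit(":", 1)[0]].append(pkts[0][0])
    noisy = set()
    for ip, ts in starts.items():
        ts.sort()
        j = 0
        for i in range(len(ts)):
            while ts[i] - ts[j] > window:  # slide the left edge of the window
                j += 1
            if i - j + 1 >= min_sessions:
                noisy.add(ip)
                break
    return noisy


def analyze(packets, baseline_keys=BENIGN_KEYS, z_threshold=3.0):
    """Score every session against the baseline and apply the access-frequency rule."""
    sessions = sessions_from_packets(packets)
    feats = {k: extract_features(v) for k, v in sessions.items()}
    baseline = build_baseline([feats[k] for k in baseline_keys])
    anomalous = {k for k, f in feats.items() if max_z(f, baseline) > z_threshold}
    return {"anomalous_sessions": anomalous, "noisy_clients": frequent_clients(sessions), "features": feats}


if __name__ == "__main__":
    result = analyze(PACKETS)
    for key in sorted(result["anomalous_sessions"]):
        print("anomalous session:", key, result["features"][key])
    print("clients exceeding access frequency:", result["noisy_clients"])
```

In a deployment the baseline would be built from labelled benign captures rather than from three hand-made sessions, and the z-score threshold and frequency window would be tuned on the same data; the point of the example is that every input to the decision is a size or a timestamp, so the SSH payload is never decrypted.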
Keywords
cryptography; feature extraction; network servers; security of data; transport protocols; DARPA evaluation dataset; SSH protocol; Snort intrusion detection software; TCP traffic; database servers; decipher private information; encrypted accesses; encrypted traffic analysis; encryption protocols; http servers; ftp servers; intrusion signatures; network public servers; Access protocols; Computer hacking; Computer networks; Cryptography; Data security; Databases; Intrusion detection; Network servers; Telecommunication traffic; Web server;
fLanguage
English
Publisher
ieee
Conference_Titel
Computer and Communication Engineering, 2008. ICCCE 2008. International Conference on
Conference_Location
Kuala Lumpur
Print_ISBN
978-1-4244-1691-2
Electronic_ISBN
978-1-4244-1692-9
Type
conf
DOI
10.1109/ICCCE.2008.4580619
Filename
4580619
Link To Document