• DocumentCode
    2546647
  • Title
    A flow based approach for SSH traffic detection
  • Author
    Alshammari, Riyad ; Zincir-Heywood, A. Nur
  • Author_Institution
    Dalhousie Univ., Halifax
  • fYear
    2007
  • fDate
    7-10 Oct. 2007
  • Firstpage
    296
  • Lastpage
    301
  • Abstract
    The basic objective of this work is to assess the utility of two supervised learning algorithms, AdaBoost and RIPPER, for classifying SSH traffic from log files without using features such as payload, IP addresses and source/destination ports. Pre-processing is applied to the traffic data to express it as traffic flows. Results of 10-fold cross validation for each learning algorithm indicate that a detection rate of 99% and a false positive rate of 0.7% can be achieved using RIPPER. Moreover, promising preliminary results were obtained when RIPPER was employed to identify which service was running over SSH. Thus, it is possible to detect SSH traffic with high accuracy without using features such as payload, IP addresses and source/destination ports, which is a particularly useful characteristic when generic, scalable solutions are required.
  • Keywords
    IP networks; learning (artificial intelligence); telecommunication network management; telecommunication security; telecommunication traffic; AdaBoost; IP address; RIPPER; SSH traffic detection; payload; source/destination ports; supervised learning algorithms; traffic data; traffic flows; Application software; Computer science; Cryptography; Engineering management; Financial management; Inspection; Payloads; Supervised learning; Telecommunication traffic; Traffic control;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems, Man and Cybernetics, 2007. ISIC. IEEE International Conference on
  • Conference_Location
    Montreal, Que.
  • Print_ISBN
    978-1-4244-0990-7
  • Electronic_ISBN
    978-1-4244-0991-4
  • Type
    conf
  • DOI
    10.1109/ICSMC.2007.4414006
  • Filename
    4414006