While network applications are widely used, attacks against them cause serious problems. An intrusion detection system (IDS) is one solution to such problems, but IDSes cannot react effectively to accesses made over encryption protocols because they cannot inspect the contents of a packet. This paper presents a new approach to detecting anomalous behaviour in SSH2-encrypted accesses to public network servers such as HTTP servers, FTP servers and database servers. In this approach, the system first extracts information from each SSH client, consisting of the size of the transferred data and the time interval between messages. Second, the various actions are identified based on the similarity of this information. Finally, attacks are detected according to intrusion signatures generated from the frequency of accesses and the characteristics of the TCP traffic. The system does not decrypt private information, because it detects intrusions only from the transferred data size and the time interval between messages, and it does not require the heavy computation that common encrypted-traffic analysis methods need before they can begin operating. We show that the system is able to detect various attacks with high accuracy by implementing it on the Snort intrusion detection software and evaluating it on the DARPA evaluation dataset.
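The following is an added illustration of the three stages described above (metadata extraction per client, action identification by similarity, and signature matching on access frequency); it is not the paper's implementation and not part of Snort. The action prototypes, the normalisation scales, the window/threshold values, the client addresses and the sample trace are all constructed for the demonstration, and the similarity measure (nearest prototype by normalised Euclidean distance) is one assumed choice among many.

```python
"""Added example (not the paper's code, not Snort): detection from SSH
packet metadata only, i.e. encrypted payload size and inter-message gap.
Prototype values, thresholds, addresses and the trace are all constructed."""
from collections import defaultdict
from dataclasses import dataclass
from math import sqrt


@dataclass(frozen=True)
class Record:
    client: str   # client address (constructed, RFC 5737 documentation range)
    ts: float     # seconds since start of capture
    size: int     # encrypted SSH payload length, visible without decryption


# Assumed action prototypes as (mean size in bytes, mean gap in seconds).
# In a real deployment these would be learned from labelled sessions.
PROTOTYPES = {
    "keystroke": (48.0, 0.50),    # interactive typing: tiny, slow
    "bulk": (1400.0, 0.01),       # file transfer: MTU-sized, rapid
    "auth": (200.0, 0.10),        # authentication exchange: mid-sized, quick
}
SIZE_SCALE, GAP_SCALE = 1400.0, 1.0   # normalisation so neither feature dominates

# Assumed signature: more than MAX_AUTH auth-like exchanges within WINDOW seconds.
WINDOW, MAX_AUTH = 60.0, 5


def extract_features(records):
    """Per client, (ts, size, gap) for every message after the first."""
    by_client = defaultdict(list)
    for r in sorted(records, key=lambda r: (r.client, r.ts)):
        by_client[r.client].append(r)
    feats = {}
    for client, rs in by_client.items():
        feats[client] = [(cur.ts, cur.size, cur.ts - prev.ts)
                         for prev, cur in zip(rs, rs[1:])]
    return feats


def classify(size, gap):
    """Identify the action by the nearest prototype (normalised Euclidean)."""
    def dist(proto):
        ps, pg = proto
        return sqrt(((size - ps) / SIZE_SCALE) ** 2 + ((gap - pg) / GAP_SCALE) ** 2)
    return min(PROTOTYPES, key=lambda name: dist(PROTOTYPES[name]))


def detect(records):
    """Return (client, signature, ts) alerts from sliding-window frequency checks."""
    alerts = []
    for client, feats in extract_features(records).items():
        auth_ts = [ts for ts, size, gap in feats if classify(size, gap) == "auth"]
        start = 0
        for end, ts in enumerate(auth_ts):
            while ts - auth_ts[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_AUTH:
                alerts.append((client, "auth-flood", ts))
                break   # one alert per client per trace keeps the output readable
    return alerts


def sample_trace():
    """Constructed trace: one interactive session and one auth-like flood."""
    recs = [Record("198.51.100.10", 0.5 * i, 48) for i in range(1, 21)]
    recs += [Record("203.0.113.7", 0.1 * i, 200) for i in range(1, 9)]
    return recs


if __name__ == "__main__":
    for alert in detect(sample_trace()):
        print(alert)
```

Only the interactive session's client stays quiet: its messages are all assigned to the keystroke prototype, while the second client's rapid, mid-sized exchanges are assigned to the auth prototype and exceed the frequency threshold inside the window, which is the signature-matching step. Nothing here touches the encrypted payload, which is the property the abstract emphasises.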