Real Time Identification of SSH Encrypted Application Flows by Using Cluster Analysis Techniques

Maiolini, Gianluca; Baiocchi, Andrea; Iacovazzi, Alfonso; Rizzi, Antonello

doi:10.1007/978-3-642-01399-7_15

Cited by 24 publications

(18 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These two classes represented the predominant traffic but with different percentages in training and testing sets, so they are the most difficult to recognize correctly. [13] or encrypted connections that carry a single TCP flow on top of it [14], [15], [16], [17], [18]. However, the informativeness of such features is not clear when considering protocols such as IPSec that multiplex the flows into the same encrypted connection, given that there is no way to reassembly the flows being routed through the IPSec channel without knowing the encryption keys.…”

Section: Discussion: Using a Large Datasetmentioning

confidence: 98%

Taking a Peek at Bandwidth Usage on Encrypted Links

Dusi

Este

Gringoli

et al. 2011

2011 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

In this paper we describe a practical yet effective technique to monitor the amount of bytes that several classes of protocols, such as peer-to-peer, e-mail, etc., transmit over encrypted virtual links, such as IPSec tunnels. The experiments described in this paper demonstrate that our regression-treebased bandwidth estimator is effective enough to create usage models inherently robust to changes in path, number of users and type of protocols multiplexed over the encrypted link. In other words, our experimental results indicate that training data obtained from a test IPSec tunnel can be successfully used to monitor bandwidth usage on other encrypted tunnels where only the ciphertext is available.

show abstract

Section: Discussion: Using a Large Datasetmentioning

confidence: 98%

Taking a Peek at Bandwidth Usage on Encrypted Links

Dusi

Este

Gringoli

et al. 2011

2011 IEEE International Conference on Communications (ICC)

View full text Add to dashboard Cite

show abstract

“…They also detected a decrease in accuracy when adding additional applications for detection. The present paper also utilizes K-means clustering algorithm, but the number of target applications is greater than in [8], including widely used BitTorrent protocol. It is noticeable that, with a greater number of tunneled application, the classification accuracy remains high.…”

Section: Related Workmentioning

confidence: 98%

“…al. [8] describe a real time K-means based identification algorithm for SSH encrypted application flows. They utilized arrival times, sizes and directions of packets in the classification.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Two-phased method for identifying SSH encrypted application flows

Hirvonen

Sailio

2011

2011 7th International Wireless Communications and Mobile Computing Conference

View full text Add to dashboard Cite

The use of application-layer tunnels has become more popular nowadays. By using encrypted tunnels for prohibited application such as peer-to-peer file sharing it is easy to gain access to restricted networks. Application-layer tunnels provide a possibility to bypass network defenses which is even more useful for malicious users trying to avoid detection. The accurate identification of application flows in encrypted tunnels is important for the network security and management purposes.Traditional network traffic classification methods based on port numbers or pattern-matching mechanisms are practically useless in identifying application flows inside an encrypted tunnel, therefore another approach is needed. In this paper, we propose a two-phased method for classifying SSH tunneled application flows in real time. The classification is based on the statistical features of the network flows. The first classification phase identifies the SSH connection while the second classification phase detects the tunneled application. A simple K-Means clustering algorithm is utilized in classification. We evaluated our method using manually generated packet traces. The results were promising; over 94% of all flow samples were classified correctly, while untrained application flow samples were detected as unknown at high precision.

show abstract

“…A support vector machine was used in [13] to identify protocols other than HTTP and SSH tunneled over HTTP or SSH by looking at the message size, the block cipher size (involved in the message encryption), and the MTU size. Application-layer protocols sent through an encrypted tunnel that carries traffic from many TCP connections simultaneously were classified in [14], [15] using a k-NearestNeighbor classifier based on Hidden Markov Models with the message size, the message direction, and message inter-arrival times as features. In [16], the authors compared Bayesian Networks, Decision Trees and Multilayer Perceptrons for the flow-based classification of six different types of Internet traffic, including peer-to-peer and content delivery traffic, and showed the importance of correctly classifying training instances.…”

Section: Related Workmentioning

confidence: 99%

Peekaboo: A gray hole attack on encrypted SCADA communication using traffic analysis

Torrisi

Vuković

Dán

et al. 2014

2014 IEEE International Conference on Smart Grid Communications (SmartGridComm)

View full text Add to dashboard Cite

We consider a potential gray hole attack against SCADA substation to control center communications using DNP3. We propose a support vector machine-based traffic analysis algorithm that relies on message direction and timing information only, and we use trace-based simulations to show that even if SCADA traffic is sent through an encrypted tunnel, as often done in practice, the gray hole attack can be effectively performed based on the timing and direction of three consecutive messages. Our results show that the attacker does not need accurate system information to be successful, and could affect monitoring accuracy by up to 20%. We discuss possible mitigation schemes at different layers of the communication protocol stack, and show that a minor modification of message timing could help mitigate the attack.

show abstract

Real Time Identification of SSH Encrypted Application Flows by Using Cluster Analysis Techniques

Cited by 24 publications

References 7 publications

Taking a Peek at Bandwidth Usage on Encrypted Links

Taking a Peek at Bandwidth Usage on Encrypted Links

Two-phased method for identifying SSH encrypted application flows

Peekaboo: A gray hole attack on encrypted SCADA communication using traffic analysis

Contact Info

Product

Resources

About