SSH Traffic Identification Using EM Clustering


  • 김경륜 (Multimedia Security Lab, Graduate School of Information Security, Korea University) ;
  • 김명섭 (Multimedia Security Lab, Graduate School of Information Security, Korea University) ;
  • 김형중 (Network Management Lab, Department of Computer and Information Science, College of Science and Technology, Korea University)
  • Received : 2012.10.14
  • Accepted : 2012.11.23
  • Published : 2012.12.28

Abstract

Identifying traffic is an important issue for many networking applications, including quality of service, firewall enforcement, and network security. Once the purpose of the traffic is known at the firewall, it can be allowed or denied, quality of service can be provided, and operation becomes more effective in terms of security. However, many applications encrypt their traffic in order to enhance security or privacy. As a result, effective traffic monitoring is becoming more difficult. In this paper, we analyse SSH encrypted traffic and identify the differences among SSH tunneling, SFTP, and normal SSH traffic. Using EM clustering, we identify the traffic and validate the experimental results.

In network traffic monitoring, determining the purpose for which traffic is used has become an important issue for quality of service, firewall operation, and security. Once the purpose of the traffic is known, it can be denied or allowed at the firewall, which enables effective operation in terms of quality of service and security. However, many applications encrypt their traffic for security or service reasons, which makes effective traffic monitoring difficult. This paper analyses the SSH (Secure Shell) protocol, which carries encrypted traffic, analyses the differences between SSH tunneling, SFTP (SSH File Transfer Protocol), and ordinary SSH traffic, proposes a method for identifying them, and verifies it through experiments.
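As an added illustration of the approach the abstract outlines (this is not code from the paper), the block below fits a three-component Gaussian mixture by EM to per-flow features and then checks whether the resulting clusters line up with interactive shell, SFTP and tunnelled SSH sessions. The feature choice (mean payload size and mean inter-packet gap per flow) and every sample value are constructed assumptions for illustration; the paper's own feature set, data and EM parameters are not given on this page.

```python
"""EM (Gaussian mixture) clustering of per-flow SSH features.

Added example, not the paper's code.  The features (mean payload bytes,
mean inter-packet gap) and all sample values are constructed assumptions.
"""
import math
from typing import Dict, List, Sequence, Set, Tuple

Point = Tuple[float, ...]

# Constructed flow records: (mean payload bytes, mean inter-packet gap in ms).
# The behaviour string is ground truth used only to evaluate the clustering;
# EM itself never sees it, which mirrors the encrypted-traffic setting where
# a monitor has no access to payload contents.
FLOWS: List[Tuple[Point, str]] = [
    ((48.0, 420.0), "shell"), ((62.0, 610.0), "shell"), ((55.0, 350.0), "shell"),
    ((70.0, 800.0), "shell"), ((40.0, 520.0), "shell"),
    ((1380.0, 2.0), "sftp"), ((1420.0, 1.5), "sftp"), ((1400.0, 3.2), "sftp"),
    ((1360.0, 2.7), "sftp"), ((1410.0, 1.9), "sftp"),
    ((590.0, 45.0), "tunnel"), ((640.0, 60.0), "tunnel"), ((610.0, 38.0), "tunnel"),
    ((570.0, 72.0), "tunnel"), ((620.0, 55.0), "tunnel"),
]


def _log_gauss(x: Point, mean: Sequence[float], var: Sequence[float]) -> float:
    """Log density of a diagonal-covariance Gaussian evaluated at x."""
    return sum(-0.5 * math.log(2.0 * math.pi * v) - (xi - m) ** 2 / (2.0 * v)
               for xi, m, v in zip(x, mean, var))


def _logsumexp(vals: Sequence[float]) -> float:
    """Numerically stable log(sum(exp(vals)))."""
    top = max(vals)
    return top + math.log(sum(math.exp(v - top) for v in vals))


def em_cluster(points: Sequence[Point], k: int = 3, iters: int = 100,
               var_floor: float = 1e-3) -> Tuple[List[int], List[List[float]]]:
    """Fit a k-component diagonal Gaussian mixture by EM.

    Returns the hard cluster label of every point and the component means.
    """
    n, d = len(points), len(points[0])
    # Deterministic seeding: spread the initial means along the first feature
    # (lowest, middle and highest sample) so that runs are reproducible.
    order = sorted(range(n), key=lambda i: points[i][0])
    seeds = [order[(j * (n - 1)) // max(k - 1, 1)] for j in range(k)]
    means = [list(points[i]) for i in seeds]
    gmean = [sum(p[j] for p in points) / n for j in range(d)]
    gvar = [max(sum((p[j] - gmean[j]) ** 2 for p in points) / n, var_floor)
            for j in range(d)]
    vars_ = [list(gvar) for _ in range(k)]   # every component starts wide
    weights = [1.0 / k] * k
    resp: List[List[float]] = []
    for _ in range(iters):
        # E-step: posterior responsibility of each component for each flow.
        resp = []
        for p in points:
            lp = [math.log(weights[c]) + _log_gauss(p, means[c], vars_[c])
                  for c in range(k)]
            lz = _logsumexp(lp)
            resp.append([math.exp(v - lz) for v in lp])
        # M-step: re-estimate weight, mean and per-dimension variance.
        for c in range(k):
            nc = sum(r[c] for r in resp) + 1e-12   # guard against an empty component
            weights[c] = nc / n
            means[c] = [sum(r[c] * p[j] for r, p in zip(resp, points)) / nc
                        for j in range(d)]
            vars_[c] = [max(sum(r[c] * (p[j] - means[c][j]) ** 2
                                for r, p in zip(resp, points)) / nc, var_floor)
                        for j in range(d)]
    labels = [r.index(max(r)) for r in resp]
    return labels, means


def clusters_by_behaviour(flows=FLOWS) -> Dict[str, Set[int]]:
    """Map each ground-truth behaviour to the set of cluster ids EM gave it.

    A clean result has exactly one cluster id per behaviour and no id shared
    between behaviours; that is the validation step a monitor needs before it
    can label unseen flows by cluster membership.
    """
    labels, _ = em_cluster([f for f, _ in flows])
    out: Dict[str, Set[int]] = {}
    for (_, behaviour), lab in zip(flows, labels):
        out.setdefault(behaviour, set()).add(lab)
    return out


if __name__ == "__main__":
    _, fitted = em_cluster([f for f, _ in FLOWS])
    for c, m in enumerate(fitted):
        print(f"cluster {c}: mean payload {m[0]:.0f} B, mean gap {m[1]:.1f} ms")
    print(clusters_by_behaviour())
```

The run uses nothing but packet sizes and timing, so it works on encrypted sessions as well as on plaintext ones; the cost is that cluster ids carry no meaning by themselves and must be mapped to behaviours once on flows whose purpose is known, as `clusters_by_behaviour` does here. The same purity check is the natural regression test when the feature set or the number of components is changed.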

Acknowledgement

Supported by: National Research Foundation of Korea
