http://dx.doi.org/10.7840/kics.2012.37B.12.1160

SSH Traffic Identification Using EM Clustering  

Kim, Kyoung-Lyoon (Multimedia Security Lab, Graduate School of Information Security, Korea University)
Kim, Myung-Sup (Multimedia Security Lab, Graduate School of Information Security, Korea University)
Kim, Hyoung-Joong (Network Management Lab, Department of Computer and Information Science, College of Science and Technology, Korea University)
Abstract
Identifying traffic is an important issue for many networking applications, including quality of service, firewall enforcement, and network security. Once we know the purpose of the traffic at the firewall, we can allow or deny it, provide quality of service, and operate effectively in terms of security. However, a number of applications encrypt their traffic in order to enhance security or privacy. As a result, effective traffic monitoring is becoming more difficult. In this paper, we analyse SSH encrypted traffic and identify differences among SSH tunneling, SFTP, and normal SSH traffic. By using EM clustering, we identify these traffic types and validate the experimental results.
Keywords
Traffic Monitoring; Encrypted Traffic; Network Security; IDS; EM Clustering;