Published in: International Journal of Information Security 2/2022

11.06.2021 | regular contribution

An SSH predictive model using machine learning with web proxy session logs

Authors: Junwon Lee, Heejo Lee



Abstract

An adversary can use SSH communication as a route for information leakage or hacking. Many studies have focused on TCP header analysis to detect encrypted communication. However, SSH detection based on TCP header analysis is limited when the TCP port is changed or components of the SSH protocol are modified. Various machine-learning (ML) techniques have been introduced to enhance network traffic classification by analyzing TCP headers. Most ML-based traffic classification research has analyzed network packet flows. However, because of the complex structure and the various implementations of the TCP protocol, considerable time and resources are required to recombine network packet flows. This paper presents a novel contribution to overcoming these problems of network packet analysis: it employs web proxy session logs, which do not require the recombination of packets to prepare a dataset for analysis. Moreover, we propose a hybrid predictive model suited to web proxy session log analysis. In the modeling process, we collected web proxy logs from an actual network of ICT companies (more than 10,000 employees, Seoul, South Korea) and used the random forest and decision tree algorithms for supervised learning. The detection rate (DR) for the training dataset was 99.9%, which is similar to or higher than that of other studies using ML and deep learning. Using the DARPA99 dataset, we proved that the DR and false positive rate (FPR) of our proposed model were better than those achieved by Alshammari et al.'s model. We expect that the proposed predictive model can be used to block illegal attempts at SSH communication over HTTP CONNECT that change the destination port, and to detect novel illegal communication protocols.
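As an added illustration (not code from the paper, whose actual feature set and model are not on this page), the Python snippet below shows the dataset-preparation step the abstract contrasts with packet recombination: each CONNECT line of a Squid-style proxy access log already describes one complete tunnel session, so session-level features can be read straight off the line without capturing or reassembling TCP streams. The log format, the constructed sample lines and the chosen features are my assumptions.

```python
import re
from dataclasses import dataclass, asdict

# Constructed Squid-style native access.log lines (not the paper's dataset):
# time elapsed_ms client action/status bytes method host:port ident hierarchy type
SAMPLE_LOG = """\
1623369600.101    812 10.0.0.5 TCP_TUNNEL/200 48210 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.10 -
1623369601.250 185430 10.0.0.7 TCP_TUNNEL/200  9120 CONNECT 203.0.113.44:22 - HIER_DIRECT/203.0.113.44 -
1623369602.004 240115 10.0.0.9 TCP_TUNNEL/200  7310 CONNECT host.example.net:8443 - HIER_DIRECT/198.51.100.2 -
1623369603.777     95 10.0.0.5 TCP_DENIED/403   3900 CONNECT 198.51.100.9:2222 - HIER_NONE/- -
"""

# Only CONNECT requests open a tunnel; GET/POST lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+CONNECT\s+"
    r"(?P<host>[^:\s]+):(?P<port>\d+)\s+"
)

@dataclass
class ConnectSession:
    client: str
    host: str
    port: int
    status: int
    elapsed_ms: int
    bytes_total: int
    bytes_per_sec: float
    nonstandard_port: bool  # assumed feature: CONNECT to anything other than 443

def parse_connect_sessions(log_text: str) -> list[ConnectSession]:
    """One proxy log line is one finished tunnel session, so the whole feature
    row comes from that line: no packet capture, no TCP stream reassembly."""
    sessions = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        elapsed = int(m["elapsed"])
        total = int(m["bytes"])
        sessions.append(ConnectSession(
            client=m["client"], host=m["host"], port=int(m["port"]),
            status=int(m["status"]), elapsed_ms=elapsed, bytes_total=total,
            bytes_per_sec=round(total / max(elapsed, 1) * 1000, 1),
            nonstandard_port=int(m["port"]) != 443,
        ))
    return sessions

def feature_rows(log_text: str) -> list[dict]:
    """Rows in the flat shape a tree-based classifier (random forest, decision tree) consumes."""
    return [asdict(s) for s in parse_connect_sessions(log_text)]
```

The rows returned by `feature_rows` are the kind of per-session records a supervised learner is trained on once they are labelled; the abstract's point is that this table is available from the proxy log alone.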


References

2. Alshammari, R., Zincir-Heywood, A.N.: A flow based approach for SSH traffic detection. In: 2007 IEEE International Conference on Systems, Man and Cybernetics, IEEE, pp. 296–301 (2007)
3. Alshammari, R., Zincir-Heywood, A.N.: Machine learning based encrypted traffic classification: Identifying SSH and Skype. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications, IEEE, pp. 1–8 (2009)
4. Alshammari, R., Zincir-Heywood, A.N.: Can encrypted traffic be identified without port numbers, IP addresses and payload inspection? Comput. Netw. 55(6), 1326–1350 (2011)
5. Bagui, S., Fang, X., Kalaimannan, E., Bagui, S.C., Sheehan, J.: Comparison of machine-learning algorithms for classification of VPN network traffic flow using time-related features. J. Cyber Secur. Technol. 1(2), 108–126 (2017)
6. Boutaba, R., Salahuddin, M.A., Limam, N., Ayoubi, S., Shahriar, N., Estrada-Solano, F., Caicedo, O.M.: A comprehensive survey on machine learning for networking: evolution, applications and research opportunities. J. Internet Serv. Appl. 9(1), 16 (2018)
8. Bujlow, T., Riaz, T., Pedersen, J.M.: A method for classification of network traffic based on C5.0 machine learning algorithm. In: 2012 International Conference on Computing, Networking and Communications (ICNC), IEEE, pp. 237–241 (2012)
9. Cai, T., Zou, F.: Detecting HTTP botnet with clustering network traffic. In: 2012 8th International Conference on Wireless Communications, Networking and Mobile Computing, IEEE, pp. 1–7 (2012)
10. Chammem, M., Hamdi, M., Kim, T.H.: Extending advanced evasion techniques using combinatorial search. In: 2014 7th International Conference on Security Technology, IEEE, pp. 41–46 (2014)
11. Dharmapurikar, S., Krishnamurthy, P., Sproull, T., Lockwood, J.: Deep packet inspection using parallel Bloom filters. In: Proceedings of the 11th Symposium on High Performance Interconnects, IEEE, pp. 44–51 (2003)
12. Ferrara, P., Spoto, F.: Static analysis for GDPR compliance. In: ITASEC (2018)
14. Lin, P.C., Lin, Y.D., Lai, Y.C., Lee, T.H.: Using string matching for deep packet inspection. Computer 41(4), 23–28 (2008)
15. Lotfollahi, M., Jafari Siavoshani, M., Shirali Hossein Zade, R., Mohammdsadegh, S.: Deep packet: a novel approach for encrypted traffic classification using deep learning. Soft Comput. 24, 1999–2012 (2020)
16. Marty, R.: Applied Security Visualization. Addison-Wesley, Upper Saddle River (2009)
18. Neupane, K., Haddad, R., Chen, L.: Next generation firewall for network security: a survey. In: SoutheastCon 2018, IEEE, pp. 1–6 (2018)
19. Shah, A., Banakar, V., Shastri, S., Wasserman, M., Chidambaram, V.: Analyzing the impact of GDPR on storage systems. In: 11th USENIX Workshop on Hot Topics in Storage and File Systems (HotStorage 19) (2019)
20. Shen, M., Zhang, J., Chen, S., Liu, Y., Zhu, L.: Machine learning classification on traffic of secondary encryption. In: 2019 IEEE Global Communications Conference (GLOBECOM), IEEE, pp. 1–6 (2019)
21. Vinayakumar, R., Soman, K.P., Poornachandran, P.: Secure shell (SSH) traffic analysis with flow based features using shallow and deep networks. In: 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI), IEEE, pp. 2026–2032 (2017)
22. Wagener, G., Dulaunoy, A., Engel, T.: Towards an estimation of the accuracy of TCP reassembly in network forensics. In: 2008 Second International Conference on Future Generation Communication and Networking, IEEE, vol. 2, pp. 273–278 (2008)
23. Wold, S., Esbensen, K., Geladi, P.: Principal component analysis. Chemom. Intell. Lab. Syst. 2(1–3), 37–52 (1987)
24. Wullink, M., Moura, G.C., Müller, M., Hesselman, C.: ENTRADA: a high-performance network traffic data streaming warehouse. In: NOMS 2016 IEEE/IFIP Network Operations and Management Symposium, IEEE, pp. 913–918 (2016)
25. Xhemali, D., Hinde, J.C., Stone, G.R.: Naïve Bayes vs. decision trees vs. neural networks in the classification of training web pages. Int. J. Comput. Sci. Issues 4(1), 16–23 (2009)
26. Yamansavascilar, B., Guvensan, M.A., Yavuz, A.G., Karsligil, M.E.: Application identification via network traffic classification. In: 2017 International Conference on Computing, Networking and Communications (ICNC), IEEE, pp. 843–848 (2017)
27. Yang, W., Cheng, Z., Cui, B.: Recombining TCP sessions based on finite state machine to detect cyber attackers. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy, pp. 138–142 (2019)
28. Yoon, S.H., Park, J.W., Park, J.S., Oh, Y.S., Kim, M.S.: Internet application traffic classification using fixed IP-port. In: Asia-Pacific Network Operations and Management Symposium, Springer, pp. 21–30 (2009)
Metadata

Title: An SSH predictive model using machine learning with web proxy session logs
Authors: Junwon Lee, Heejo Lee
Publication date: 11.06.2021
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 2/2022
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-021-00555-6
