An SSH predictive model using machine learning with web proxy session logs

Junwon Lee, Heejo Lee

    Research output: Contribution to journalArticlepeer-review

    Abstract

    An adversary can use SSH communication as a route for information leakage or hacking. Many studies have focused on TCP header analysis to detect encrypted communication. However, SSH detection using TCP header analysis is limited when changing TCP port information or modifying components of the SSH protocol. Various machine-learning (ML) techniques have been introduced to enhance network traffic classification by analyzing TCP headers. Most ML-based traffic classification research has analyzed network packet flows. However, because of the complex structures and the various implementations of the TCP protocol, a lot of time and resources are required for the recombination of network packet flows. This paper presents a novel contribution to overcome the problems of network packet analysis that employs web proxy session logs, which do not require the recombination of packets to prepare a dataset for analysis. Moreover, we propose a hybrid predictive model that is useful for web proxy session log analysis. In the modeling process, we collected the web proxy logs from an actual network of ICT companies (more than 10,000 employees, Seoul, South Korea) and used the random forest and decision tree algorithms for the supervised learning. The detection rate (DR) for the training dataset was 99.9%, which is similar to or higher than that of other studies using ML and deep learning. Using the dataset of DARPA99, we proved that the DR and FPR for our proposed model were better than those achieved by Alshammari et al.’s model. We expect that the proposed predictive model can be used to block illegal attempts at SSH communication over HTTP CONNECT by changing the destination port and to detect novel illegal communication protocols.

    Original languageEnglish
    JournalInternational Journal of Information Security
    DOIs
    Publication statusAccepted/In press - 2021

    Keywords

    • Decision tree
    • HTTP CONNECT
    • Machine learning
    • PCA
    • Random forest
    • SSH
    • TCP tunneling
    • Web proxy

    ASJC Scopus subject areas

    • Software
    • Information Systems
    • Safety, Risk, Reliability and Quality
    • Computer Networks and Communications

    Fingerprint

    Dive into the research topics of 'An SSH predictive model using machine learning with web proxy session logs'. Together they form a unique fingerprint.

    Cite this