Generalization of signatures for SSH encrypted traffic identification

Riyad Alshammari, Nur Zincir-Heywood
2009 IEEE Symposium on Computational Intelligence in Cyber Security
The objective of this work is to discover generalized signatures for identifying encrypted traffic, where SSH is taken as an example application. By generalized signatures we mean signatures learned by training on one network that remain valid when applied to traffic coming from a totally different network. We identified 13 signatures and 14 flow attributes for SSH traffic classification where IP addresses, source/destination ports and payload information are not ... The signatures are able to identify encrypted traffic with a high detection rate and a low false positive rate. We can achieve up to 97% detection rate (DR) and 0.8% false positive rate (FPR) for identifying SSH traffic.
doi:10.1109/cicybs.2009.4925105 dblp:conf/cics/AlshammariZ09 fatcat:6phfovkryffmjguttpljq7eepu