Abstract

The primary objective of this work is to evaluate the effectiveness of various shallow and deep networks for characterizing and classifying encrypted traffic such as Secure Shell (SSH). The statistical feature sets for SSH traffic are estimated from various private and public traces. The private trace is NIMS (Network Information Management and Security Group), and the public traces are MAWI (Measurement and Analysis on the WIDE Internet) and NLANR's (National Laboratory for Applied Network Research) Active Measurement Project (AMP). To select optimal deep networks, experiments are done for various network parameters, network structures and network topologies. All the experiments are run up to 1000 epochs with learning rate in the range [0.01-0.5]. The various shallow and deep networks are trained using the public traces and evaluated on the private trace, and vice versa. Results indicate that there is a possibility to detect SSH traffic with an acceptable detection rate. The deep network performed well in comparison to the shallow networks. Moreover, the performance of the various shallow networks is comparable.
