Detecting computers in cyber space maliciously exploited as SSH proxies

Idan Morad, Asaf Shabtai

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

Abstract

Classifying encrypted traffic is a great challenge in the cyber security domain. Attackers can use the SSH protocol to hide the nature of their attack. This is done by enabling SSH tunneling to act as a proxy. In this study we present a technique for matching (encrypted) SSH incoming sessions with corresponding (encrypted) SSH outgoing sessions through a series of SSH servers. This is an indication of suspicious activity and therefore an important step in order to identify SSH servers that are potentially used as a stepping-stone in a chain of proxies.

Original languageEnglish
Title of host publicationInnovative Security Solutions for Information Technology and Communications - 8th International Conference, SECITC 2015, Revised Selected Papers
EditorsDavid Naccache, Emil Simion, Ion Bica
PublisherSpringer Verlag
Pages201-211
Number of pages11
ISBN (Print)9783319271781
DOIs
StatePublished - 1 Jan 2015
Event8th International Conference on Innovative Security Solutions for Information Technology and Communications, SECITC 2015 - Bucharest, Romania
Duration: 11 Jun 201512 Jun 2015

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume9522
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Conference

Conference8th International Conference on Innovative Security Solutions for Information Technology and Communications, SECITC 2015
Country/TerritoryRomania
CityBucharest
Period11/06/1512/06/15

Keywords

  • Cyberattack
  • Encrypted traffic
  • Machine learning
  • SSH

Fingerprint

Dive into the research topics of 'Detecting computers in cyber space maliciously exploited as SSH proxies'. Together they form a unique fingerprint.

Cite this