2022/9/28

Detecting Computers in Cyber Space Maliciously Exploited as SSH Proxies

Asaf Shabtai, Yuval Elovici

The SSH protocol may be maliciously exploited by hackers in order to hide the source, destination and nature of an attack. This can be done by enabling SSH tunneling to act as a proxy through which the malicious traffic is transmitted (e.g., leaking sensitive data, or command and control communications). As a case in point, the Flame virus detected in 2012 used SSL and SSH for stealing sensitive information, and the Duqu virus detected in 2011 used SSH port forwarding to hide the command and control traffic and the IP of the control application. In this research we propose and evaluate a method, based on machine learning techniques, for detecting an SSH proxy server that is used to transmit malicious traffic. Specifically, we aim to: identify tunneled SSH traffic, classify the application/protocol encrypted by the SSH tunnel and match (…
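The abstract states the goal (telling tunneled SSH sessions apart from ordinary ones and classifying what runs inside the tunnel) but not the features or model. The following is an added, self-contained illustration of that detection idea and is not the authors' code: it assumes an SSH session has already been isolated as a list of (time, direction, payload length) records, that statistics such as upstream byte ratio, packet-size distribution and inter-arrival time are the discriminating features, and it uses a standardised nearest-centroid classifier of its own choosing. All traffic is constructed synthetically in the script; nothing here comes from a real capture.

```python
"""Flow features and a minimal classifier for SSH sessions (added example).

Assumption (not from the paper): a session is a list of
(time_s, direction, tcp_payload_len) with direction 'c2s' or 's2c'.
Feature set, session types and the classifier are this example's own.
"""
import random
from statistics import mean, pstdev

FEATURE_KEYS = ['up_ratio', 'mean_size', 'std_size', 'small_frac', 'mean_gap', 'pkts_per_s']
KINDS = ['interactive', 'tunneled_web', 'tunneled_upload']  # hypothetical labels


def extract_features(packets):
    """Summarise one SSH session as direction, size and timing statistics."""
    sizes = [p[2] for p in packets]
    up_bytes = sum(p[2] for p in packets if p[1] == 'c2s')
    total_bytes = sum(sizes) or 1
    times = sorted(p[0] for p in packets)
    gaps = [b - a for a, b in zip(times, times[1:])] or [0.0]
    return {
        'up_ratio': up_bytes / total_bytes,                 # share of bytes sent by client
        'mean_size': mean(sizes),
        'std_size': pstdev(sizes) if len(sizes) > 1 else 0.0,
        'small_frac': sum(1 for s in sizes if s <= 64) / len(sizes),  # keystroke-like packets
        'mean_gap': mean(gaps),
        'pkts_per_s': len(packets) / max(times[-1] - times[0], 1e-3),
    }


def synth_session(kind, rng, n_events=40):
    """Constructed sample traffic for one session type (synthetic, not captured)."""
    pkts, t = [], 0.0
    for _ in range(n_events):
        if kind == 'interactive':                       # human typing at a shell
            t += rng.uniform(0.1, 1.5)
            pkts.append((t, 'c2s', rng.randint(36, 52)))
            t += rng.uniform(0.005, 0.05)
            big = rng.random() >= 0.8
            pkts.append((t, 's2c', rng.randint(200, 800) if big else rng.randint(36, 60)))
        elif kind == 'tunneled_web':                    # HTTP forwarded through the tunnel
            t += rng.uniform(0.2, 2.0)
            pkts.append((t, 'c2s', rng.randint(300, 600)))
            for _ in range(rng.randint(5, 30)):
                t += rng.uniform(0.001, 0.02)
                pkts.append((t, 's2c', 1448))
        elif kind == 'tunneled_upload':                 # bulk data pushed out via tunnel
            for _ in range(rng.randint(2, 6)):
                t += rng.uniform(0.001, 0.01)
                pkts.append((t, 'c2s', 1448))
            t += rng.uniform(0.001, 0.01)
            pkts.append((t, 's2c', rng.randint(36, 80)))
    return pkts


class NearestCentroid:
    """Z-score every feature on the training set, then pick the closest class mean."""

    def fit(self, samples):
        vecs = [[f[k] for k in FEATURE_KEYS] for f, _ in samples]
        self.mu = [mean(col) for col in zip(*vecs)]
        self.sd = [pstdev(col) or 1.0 for col in zip(*vecs)]
        self.centroids = {}
        for label in sorted({lab for _, lab in samples}):
            zs = [self._z(f) for f, lab in samples if lab == label]
            self.centroids[label] = [mean(col) for col in zip(*zs)]
        return self

    def _z(self, f):
        return [(f[k] - m) / s for k, m, s in zip(FEATURE_KEYS, self.mu, self.sd)]

    def predict(self, f):
        z = self._z(f)
        return min(self.centroids, key=lambda lab: sum(
            (a - b) ** 2 for a, b in zip(z, self.centroids[lab])))


def build_demo_model(seed=1, per_class=15):
    """Train on seeded synthetic sessions so results are reproducible."""
    rng = random.Random(seed)
    train = [(extract_features(synth_session(k, rng)), k)
             for k in KINDS for _ in range(per_class)]
    return NearestCentroid().fit(train)


def evaluate(seed=2):
    """Classify one unseen synthetic session of each kind; returns kind -> prediction."""
    model = build_demo_model()
    rng = random.Random(seed)
    return {k: model.predict(extract_features(synth_session(k, rng))) for k in KINDS}


if __name__ == '__main__':
    for kind, pred in evaluate().items():
        print(f'{kind:16s} -> {pred}')
```

The features here are the kind that survive encryption (SSH hides payloads, not packet sizes, directions or timing), which is why such statistics are usable at all; in practice the labelled training set would come from known-benign and known-tunneled captures rather than the synthetic generator above.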