Detecting computers in cyber space maliciously exploited as SSH proxies

Idan Morad, Asaf Shabtai

Innovative Security Solutions for Information Technology and Communications …, 2015

Classifying encrypted traffic is a major challenge in the cyber security domain. Attackers can use the SSH protocol to hide the nature of their attack by using SSH tunneling to turn a host they control into a proxy. In this study we present a technique for matching (encrypted) incoming SSH sessions with their corresponding (encrypted) outgoing SSH sessions across a series of SSH servers. Such a match is an indication of suspicious activity and is therefore an important step toward identifying SSH servers that are potentially being used as stepping-stones in a chain of proxies.
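The abstract does not describe which session features the authors correlate, so the following is an added illustration of the general idea only, not the paper's method: on one SSH server, pair each incoming SSH session with an outgoing SSH session whose start time, end time and packet count track it closely, which is what a relayed (stepping-stone) session looks like from the outside of the ciphertext. The server address, the thresholds and the flow records are constructed for the example.

```python
"""Added illustration of matching inbound and outbound SSH sessions on one host.
Not the paper's technique: the features (start lag, end gap, packet-count
deviation), the thresholds and the flow records are all assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    start: float   # session start, seconds
    end: float     # session end, seconds
    packets: int   # packets seen in the flow (both directions)


SERVER = "10.0.0.5"   # hypothetical SSH server under observation
SSH_PORT = 22

# Constructed sample flow records (NetFlow-style summaries, not real data).
SAMPLE_FLOWS = [
    Flow("203.0.113.7", 51234, SERVER, SSH_PORT, 1000.0, 1300.0, 820),  # inbound, long session
    Flow("198.51.100.3", 40001, SERVER, SSH_PORT, 1010.0, 1020.0, 40),  # inbound, short admin login
    Flow(SERVER, 55001, "10.0.0.9", SSH_PORT, 1001.2, 1299.6, 790),     # outbound, tracks the first inbound
    Flow(SERVER, 55002, "10.0.0.20", SSH_PORT, 1500.0, 1530.0, 200),    # outbound, unrelated, much later
    Flow(SERVER, 55003, "10.0.0.21", SSH_PORT, 1011.0, 1400.0, 900),    # outbound, starts near the admin login but outlives it
]


def split_sessions(flows, server=SERVER, ssh_port=SSH_PORT):
    """Inbound = SSH sessions terminating on the server; outbound = SSH sessions it opens."""
    inbound = [f for f in flows if f.dst == server and f.dport == ssh_port]
    outbound = [f for f in flows if f.src == server and f.dport == ssh_port]
    return inbound, outbound


def pair_score(inb, outb, start_slack=5.0, end_slack=5.0, pkt_tol=0.25):
    """Return a score in (0, 1] if outb plausibly relays inb, else None.

    A relayed session must start shortly after the inbound one, end at about the
    same time, and carry a similar number of packets (assumed heuristics).
    """
    lag = outb.start - inb.start
    if not 0.0 <= lag <= start_slack:       # outbound must follow inbound, closely
        return None
    end_gap = abs(outb.end - inb.end)
    if end_gap > end_slack:                 # both legs should tear down together
        return None
    if inb.packets == 0:
        return None
    pkt_dev = abs(outb.packets - inb.packets) / inb.packets
    if pkt_dev > pkt_tol:                   # volume should track, allowing for overhead
        return None
    # Average the normalized deviations; 1.0 would be a perfect match.
    return 1.0 - (lag / start_slack + end_gap / end_slack + pkt_dev / pkt_tol) / 3.0


def find_relayed_sessions(flows, **thresholds):
    """Greedy one-to-one matching of inbound to outbound SSH sessions, best score first."""
    inbound, outbound = split_sessions(flows)
    candidates = []
    for inb in inbound:
        for outb in outbound:
            score = pair_score(inb, outb, **thresholds)
            if score is not None:
                candidates.append((score, inb, outb))
    candidates.sort(key=lambda c: c[0], reverse=True)
    used_in, used_out, matches = set(), set(), []
    for score, inb, outb in candidates:
        if inb in used_in or outb in used_out:
            continue
        used_in.add(inb)
        used_out.add(outb)
        matches.append((inb, outb, round(score, 3)))
    return matches


if __name__ == "__main__":
    for inb, outb, score in find_relayed_sessions(SAMPLE_FLOWS):
        print(f"{inb.src}:{inb.sport} -> {SERVER}:{SSH_PORT} -> {outb.dst}:{outb.dport}  score={score}")
```

Only the first inbound session is paired: the short admin login has an outbound session starting near it, but that session runs for six more minutes and carries far more packets, so it is rejected. A practitioner should treat such a match as a lead rather than proof: an attacker who adds random delays or padding on the relayed leg weakens the timing and volume correlation, and a single server sees only one hop of the chain, so the matches from several servers have to be joined to reconstruct the full proxy path.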