Using GMM and SVM-Based Techniques for the Classification of SSH-Encrypted Traffic

When employing cryptographic tunnels such as the ones provided by Secure Shell (SSH) to protect their privacy on the Internet, users expect two forms of protection. First, they aim at preserving the privacy of their data. Second, they expect that their behavior, e.g., the type of applications they use, also remains private. In this paper we report on two statistical traffic analysis techniques that can be used to break the second type of protection when applied to SSH tunnels, at least under some restricting hypothesis. Experimental results show how current implementations of SSH can be susceptible to this type of analysis, and illustrate the effectiveness of our two classifiers both in terms of their capabilities in analyzing encrypted traffic and in terms of their relative computational complexity.