An SSH predictive model using machine learning with web proxy session logs
International Journal of Information Security ( IF 3.2 ) Pub Date : 2021-06-11 , DOI: 10.1007/s10207-021-00555-6
Junwon Lee , Heejo Lee

An adversary can use SSH communication as a route for information leakage or intrusion. Many studies have focused on TCP header analysis to detect encrypted communication. However, SSH detection based on TCP header analysis is limited when the TCP port is changed or components of the SSH protocol are modified. Various machine-learning (ML) techniques have been introduced to enhance network traffic classification by analyzing TCP headers. Most ML-based traffic classification research has analyzed network packet flows. However, because of the complex structure and the many implementations of the TCP protocol, considerable time and resources are required to reassemble network packet flows. This paper presents a novel approach that overcomes these problems of network packet analysis by using web proxy session logs, which do not require packet reassembly to prepare a dataset for analysis. Moreover, we propose a hybrid predictive model suited to web proxy session log analysis. In the modeling process, we collected web proxy logs from an actual network of ICT companies (more than 10,000 employees, Seoul, South Korea) and used the random forest and decision tree algorithms for supervised learning. The detection rate (DR) on the training dataset was 99.9%, which is similar to or higher than that of other studies using ML and deep learning. Using the DARPA99 dataset, we showed that the DR and false positive rate (FPR) of the proposed model were better than those of Alshammari et al.'s model. We expect that the proposed predictive model can be used to block illegal SSH communication tunneled over HTTP CONNECT to a changed destination port, and to detect novel illegal communication protocols.
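The pipeline the abstract describes, as an added example that is not the authors' code: proxy CONNECT session records are parsed straight into per-session feature vectors (no packet reassembly), a supervised tree model is trained on labelled sessions, and new sessions are classified. Everything here is assumed or constructed: the Squid native access.log layout, the feature set (destination port, duration, bytes to client, throughput), the sample log lines and their ssh/https labels, and the minimal CART learner, which stands in for the paper's random forest and decision tree so the block runs without scikit-learn. The paper's actual features and results are not reproduced.

```python
"""Added example (not the paper's code): constructed Squid-style CONNECT session
log lines -> per-session features -> minimal CART decision tree -> classification."""
import re
from collections import Counter

# Assumed Squid "native" access.log layout:
# timestamp elapsed_ms client code/status bytes_to_client method host:port user hier/peer type
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+\S+\s+\S+\s+\S+$"
)
PORT, DURATION, BYTES, RATE = range(4)  # feature indices (assumed feature set)

# Constructed lines with constructed labels; none of this is real traffic. SSH sessions
# are modelled as long-lived and low-throughput, HTTPS tunnels as short and bursty. Ports
# deliberately overlap (SSH on 443/8443, HTTPS on 8443) so port alone cannot separate them.
TRAINING_LOG = [
    ("1609459200.001  600000 10.0.0.5 TCP_TUNNEL/200    48000 CONNECT relay-a.example.net:443 - HIER_DIRECT/203.0.113.10 -", "ssh"),
    ("1609459200.002 1200000 10.0.0.5 TCP_TUNNEL/200   120000 CONNECT relay-b.example.net:8443 - HIER_DIRECT/203.0.113.11 -", "ssh"),
    ("1609459200.003  300000 10.0.0.6 TCP_TUNNEL/200    18000 CONNECT bastion.example.net:22 - HIER_DIRECT/203.0.113.12 -", "ssh"),
    ("1609459200.004  900000 10.0.0.6 TCP_TUNNEL/200    36000 CONNECT bastion.example.net:2222 - HIER_DIRECT/203.0.113.12 -", "ssh"),
    ("1609459200.005   20000 10.0.0.8 TCP_TUNNEL/200     4000 CONNECT relay-a.example.net:443 - HIER_DIRECT/203.0.113.10 -", "ssh"),
    ("1609459200.006    1200 10.0.0.7 TCP_TUNNEL/200   240000 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -", "https"),
    ("1609459200.007     800 10.0.0.7 TCP_TUNNEL/200    64000 CONNECT api.example.com:443 - HIER_DIRECT/93.184.216.35 -", "https"),
    ("1609459200.008   15000 10.0.0.9 TCP_TUNNEL/200  3000000 CONNECT dl.example.com:443 - HIER_DIRECT/93.184.216.36 -", "https"),
    ("1609459200.009    2500 10.0.0.9 TCP_TUNNEL/200    12000 CONNECT alt.example.com:8443 - HIER_DIRECT/93.184.216.37 -", "https"),
    ("1609459200.010  600000 10.0.0.9 TCP_TUNNEL/200 300000000 CONNECT video.example.com:443 - HIER_DIRECT/93.184.216.38 -", "https"),
    # Plain GET: not a tunnel, so features() skips it regardless of label.
    ("1609459200.011     120 10.0.0.9 TCP_MISS/200     5120 GET http://www.example.com/index.html - HIER_DIRECT/93.184.216.34 text/html", "https"),
]

def features(line):
    """One CONNECT record -> [dst_port, duration_s, bytes_to_client, bytes_per_s].
    Returns None for non-CONNECT or unparsable lines; the model only sees tunnels."""
    m = LOG_RE.match(line)
    if m is None or m["method"] != "CONNECT":
        return None
    _, _, port = m["url"].rpartition(":")
    duration_s = max(int(m["elapsed"]), 1) / 1000.0  # clamp so rate never divides by zero
    nbytes = int(m["bytes"])
    return [int(port), duration_s, nbytes, nbytes / duration_s]

def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(rows, labels):
    """Exhaustive threshold search; returns (weighted_gini, feature, threshold)."""
    best = None
    for f in range(len(rows[0])):
        values = sorted({r[f] for r in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [lab for r, lab in zip(rows, labels) if r[f] <= thr]
            right = [lab for r, lab in zip(rows, labels) if r[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(labels)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best

def build_tree(rows, labels, depth=0, max_depth=3):
    """Recursive CART: a node is (feature, threshold, left, right); a leaf is a label."""
    if not rows:
        raise ValueError("no CONNECT sessions to train on")
    majority = Counter(labels).most_common(1)[0][0]
    if len(set(labels)) == 1 or depth == max_depth:
        return majority
    split = best_split(rows, labels)
    if split is None or split[0] >= gini(labels):
        return majority  # no split improves purity
    _, f, thr = split
    li = [i for i, r in enumerate(rows) if r[f] <= thr]
    ri = [i for i, r in enumerate(rows) if r[f] > thr]
    return (f, thr,
            build_tree([rows[i] for i in li], [labels[i] for i in li], depth + 1, max_depth),
            build_tree([rows[i] for i in ri], [labels[i] for i in ri], depth + 1, max_depth))

def predict(tree, row):
    while isinstance(tree, tuple):
        f, thr, left, right = tree
        tree = left if row[f] <= thr else right
    return tree

def train(labelled_lines):
    rows, labels = [], []
    for line, label in labelled_lines:
        row = features(line)
        if row is not None:
            rows.append(row)
            labels.append(label)
    return build_tree(rows, labels)

def classify(tree, line):
    row = features(line)
    return None if row is None else predict(tree, row)

# Constructed "new" sessions: a slow 443 tunnel, a normal 443 tunnel, and a plain GET.
NEW_SESSIONS = [
    "1609462800.500  450000 10.0.0.7 TCP_TUNNEL/200    27000 CONNECT cdn-edge.example.org:443 - HIER_DIRECT/198.51.100.7 -",
    "1609462801.200    3000 10.0.0.7 TCP_TUNNEL/200    90000 CONNECT www.example.com:443 - HIER_DIRECT/93.184.216.34 -",
    "1609462802.000     120 10.0.0.7 TCP_MISS/200     5120 GET http://www.example.com/ - HIER_DIRECT/93.184.216.34 text/html",
]

if __name__ == "__main__":
    model = train(TRAINING_LOG)
    print("learned tree:", model)
    for line in NEW_SESSIONS:
        print(classify(model, line), "<-", line.split()[5:7])
```

On the constructed data the learner ignores the destination port, which overlaps between classes, and splits on bytes per second instead; that is the behaviour the abstract argues for, since a port-based rule is defeated as soon as the adversary moves SSH onto 443. Real proxy logs need the same treatment plus a held-out evaluation set, because a 99.9% training-set detection rate says nothing about generalization on its own.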

Updated: 2021-06-13