An SSH predictive model using machine learning with web proxy session logs

Junwon Lee, Heejo Lee

Research output: Contribution to journal › Article › peer-review


An adversary can use SSH communication as a route for information leakage or hacking. Many studies have focused on TCP header analysis to detect encrypted communication. However, SSH detection using TCP header analysis is limited when the TCP port information is changed or components of the SSH protocol are modified. Various machine-learning (ML) techniques have been introduced to enhance network traffic classification by analyzing TCP headers. Most ML-based traffic classification research has analyzed network packet flows. However, because of the complex structures and the various implementations of the TCP protocol, considerable time and resources are required to recombine network packet flows. This paper presents a novel contribution to overcome the problems of network packet analysis: it employs web proxy session logs, which do not require the recombination of packets to prepare a dataset for analysis. Moreover, we propose a hybrid predictive model that is useful for web proxy session log analysis. In the modeling process, we collected the web proxy logs from an actual network of ICT companies (more than 10,000 employees, Seoul, South Korea) and used the random forest and decision tree algorithms for supervised learning. The detection rate (DR) for the training dataset was 99.9%, which is similar to or higher than that of other studies using ML and deep learning. Using the DARPA99 dataset, we showed that the DR and false-positive rate (FPR) of our proposed model were better than those achieved by Alshammari et al.'s model. We expect that the proposed predictive model can be used to block illegal attempts at SSH communication over HTTP CONNECT that change the destination port, and to detect novel illegal communication protocols.

Original language: English
Pages (from-to): 311-322
Number of pages: 12
Journal: International Journal of Information Security
Issue number: 2
Publication status: Published - 2022 Apr

Bibliographical note

Funding Information:
This work is supported in part by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2019-0-01343 Regional strategic industry convergence security core talent training business, No. 2019-0-01697 Development of Automated Vulnerability Discovery Technologies for Blockchain Platform Security, and No. 2020-0-01819 ICT Creative Consilience program).

Publisher Copyright:
© 2021, The Author(s), under exclusive licence to Springer-Verlag GmbH, DE.

Keywords

  • Decision tree
  • Machine learning
  • PCA
  • Random forest
  • SSH
  • TCP tunneling
  • Web proxy

ASJC Scopus subject areas

  • Software
  • Information Systems
  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

