SSH: Reading a PCAP file to determine the idle time and connection type of an SSH connection


I am developing a project in Python for analysing SSH.

Currently I am stuck at two things:

  1. Determining the idle time of a connection (percentage of time when no data was transferred over the connection)
  2. Determining the connection type (shell, tunnel, scp, etc.) -> What sort of channel is inside the connection

How to approach this problem?


1 answer

mavam

Working with encrypted traffic can sometimes reveal a surprising amount of information when exploiting domain-specific details. It is worthwhile revisiting past research to understand the methodologies. For SSH in particular, I recommend reading Dawn Song's paper on inferring login passwords from SSH sessions.

Another example: Bro uses a heuristic to discern successful from unsuccessful logins based on the number of bytes transferred at the beginning of the connection.

In general, I recommend recording traces of the activity you want to profile/classify later. This way, you have ground truth and can find out where SSH behaves differently from what you expect.

  1. To determine the idle time of interactive sessions, you need to understand the noise, if any, that SSH injects during periods of no activity. Then you may create a time series of the number of bytes transferred and experiment with the time resolution to see which granularity best models your trace. Moreover, you can decompose the time series into two components, one being SSH protocol noise and one user activity.

  2. This sounds like a classical unsupervised learning issue: clustering, e.g. k-means or mixtures. Coming up with the right set of features will probably involve some research. For example, determining an interactive session from a tunnel could be difficult if the tunnelled connection is also interactive. In your model, you could factor in the size delta or even include more context, such as in stepping stone detection.
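As an added illustration of the time-series approach in the answer above (this is not code from the question or the answer), the sketch below bins the payload bytes of one SSH flow at a chosen resolution, splits the series into protocol noise and user activity, and derives the idle share. The packet records and the 36-byte keepalive size are constructed assumptions; in the real project the records would be extracted from the PCAP one TCP flow at a time.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Packet:
    """One TCP segment of one SSH flow: capture time (s) and payload bytes."""
    ts: float
    length: int


def bytes_time_series(packets: List[Packet], resolution: float) -> List[int]:
    """Sum payload bytes into consecutive bins of `resolution` seconds (gaps stay 0)."""
    if not packets:
        return []
    pkts = sorted(packets, key=lambda p: p.ts)
    start = pkts[0].ts
    series = [0] * (int((pkts[-1].ts - start) // resolution) + 1)
    for p in pkts:
        series[int((p.ts - start) // resolution)] += p.length
    return series


def decompose(series: List[int], noise_threshold: int) -> Tuple[List[int], List[int]]:
    """Split a series into (protocol noise, user activity): a bin holding at most
    `noise_threshold` bytes is treated as keepalive chatter, anything larger as user data."""
    noise = [b if b <= noise_threshold else 0 for b in series]
    user = [b if b > noise_threshold else 0 for b in series]
    return noise, user


def idle_fraction(series: List[int], noise_threshold: int = 0) -> float:
    """Fraction of bins with no user activity, i.e. the idle share of the session."""
    if not series:
        return 0.0
    _, user = decompose(series, noise_threshold)
    return sum(1 for b in user if b == 0) / len(series)


# Constructed sample flow (not from a real capture): two bursts of interactive
# typing around a quiet period in which only 36-byte keepalives appear. The
# keepalive size is an assumption; measure it on your own traces.
SAMPLE_FLOW = [
    Packet(0.0, 100), Packet(0.2, 40), Packet(0.5, 60), Packet(1.0, 36),
    Packet(1.4, 80), Packet(2.1, 44),
    Packet(5.0, 36), Packet(10.0, 36), Packet(15.0, 36),  # keepalives
    Packet(18.0, 200), Packet(18.3, 120), Packet(19.0, 52),
]
```

Running `idle_fraction` on `bytes_time_series(SAMPLE_FLOW, 1.0)` gives 0.6 with no noise threshold and 0.75 once keepalive-sized bins are treated as idle; at a 5 s resolution the same flow looks 0% or 50% idle, which is the resolution sensitivity the answer refers to.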