Most local area networks today enforce security policies that control the traffic crossing their boundaries. Such policies are usually implemented by combining two types of device, firewalls and Application Level Gateways (ALGs). A very common setup is a firewall that admits only traffic passing through the ALG, leaving the task of traffic control to the ALG itself: the ALG verifies, through a thorough classification-based analysis, that the traffic crossing the network boundary obeys the policies.
In recent years, however, the protection that this kind of device can guarantee has been diminishing dramatically. Several factors contribute to this trend; one example is the emergence of masquerading techniques that tunnel forbidden application protocols inside protocols that the policies allow.
A solution for detecting when the HTTP protocol is used to tunnel other application protocols on top of it is reported in the paper by M. Crotti, M. Dusi, F. Gringoli, and L. Salgarelli titled “Detecting HTTP Tunnels with Statistical Mechanism”, published in the “Proceedings of the 42nd IEEE International Conference on Communications” (ICC 2007), Glasgow, Scotland, June 2007.
Although effective for the HTTP protocol, the solution described in that paper is entirely ineffective against tunneling mechanisms that use encryption, such as those that can be set up between any pair of Secure Shell (SSH) client and server peers. Such tunnels protect, by cryptographic means, any traffic stream flowing between an SSH client (the tunnel entry point) and an SSH server (the tunnel exit point): the resulting stream cannot be distinguished from ordinary SSH traffic by the classifiers used within ALGs.
The SSH protocol is typically used to exchange traffic between a pair of peers over a secure connection when the underlying network is not secure.
While in the case of HTTP tunnels an advanced ALG can analyze what is actually carried on top of the HTTP protocol, the same analysis cannot be performed when the tunneling protocol encrypts the exchanged information.
From the above follows an increasing need for a method that can determine whether or not an encrypted flow of packets belongs to a predefined class of flows, for instance so as to identify non-legitimate activities such as tunneling over SSH, so that flows belonging to the predefined class are not blocked while an encrypted flow that does not belong to it can be blocked.
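To make the contrast concrete, the following is an added illustration, not part of the original text and not the method this document goes on to describe: a payload-signature check of the kind an ALG performs, run over a constructed HTTP tunnel and over two constructed SSH flows, followed by a simple flow-statistics check against an assumed reference profile for interactive SSH sessions. The packet samples, the toy SSH framing, the feature set, the reference profile and the distance threshold are all assumptions made for this illustration only.

```python
import random
import statistics
from dataclasses import dataclass

MSS = 1460  # bytes; used only to scale the packet-size feature into [0, 1]


@dataclass
class Packet:
    direction: str   # "c2s" (client to server) or "s2c"
    size: int        # bytes on the wire after the transport header
    payload: bytes   # what an ALG can actually read


def payload_signature_classify(packets):
    """Classical ALG behaviour: scan cleartext for application-protocol
    markers.  Returns the set of protocol labels whose markers were seen."""
    markers = {b"GET ": "http", b"POST ": "http", b"HTTP/1.": "http",
               b"EHLO ": "smtp", b"MAIL FROM:": "smtp", b"SSH-2.0-": "ssh-banner"}
    seen = set()
    for p in packets:
        for marker, label in markers.items():
            if marker in p.payload:
                seen.add(label)
    return seen


# Constructed application-level exchanges (not captured traffic).
SMTP_SESSION = [
    ("c2s", b"EHLO mail.example\r\n"), ("s2c", b"250 mail.example\r\n"),
    ("c2s", b"MAIL FROM:<a@example>\r\n"), ("s2c", b"250 OK\r\n"),
    ("c2s", b"DATA\r\n"), ("s2c", b"354\r\n"),
] + [("c2s", b"X" * 1400)] * 20 + [("s2c", b"250 queued\r\n")]

KEYSTROKE_SESSION = [p for _ in range(25)
                     for p in (("c2s", b"l"), ("s2c", b"l"))] + [("s2c", b"O" * 400)]


def http_tunnel_flow():
    """SMTP smuggled in an HTTP POST body: still cleartext, so an ALG that
    looks past the HTTP headers can see the inner protocol."""
    body = b"".join(data for direction, data in SMTP_SESSION if direction == "c2s")
    req = b"POST /relay HTTP/1.1\r\nHost: proxy.example\r\n\r\n" + body
    return [Packet("c2s", len(req), req), Packet("s2c", 17, b"HTTP/1.1 200 OK\r\n")]


def build_ssh_flow(app_packets, seed=7):
    """Toy model of SSH framing (assumed, not the real wire format): a
    cleartext banner exchange, then each application payload is replaced by
    same-length ciphertext plus 32 bytes of assumed padding/MAC overhead.
    The ciphertext is made of high-bit bytes so that no ASCII marker can
    ever appear in it by chance; real SSH ciphertext looks random, which is
    exactly why payload inspection learns nothing from it."""
    rng = random.Random(seed)
    flow = [Packet("c2s", 21, b"SSH-2.0-OpenSSH_9.6\r\n"),
            Packet("s2c", 21, b"SSH-2.0-OpenSSH_9.6\r\n")]
    for direction, data in app_packets:
        ct = bytes(0x80 | rng.getrandbits(7) for _ in range(len(data) + 32))
        flow.append(Packet(direction, len(ct), ct))
    return flow


def ssh_interactive_flow():
    """Interactive shell: single-keystroke packets and their echoes."""
    return build_ssh_flow(KEYSTROKE_SESSION)


def ssh_tunnel_flow():
    """The same SMTP session as the HTTP tunnel, but forwarded through SSH."""
    return build_ssh_flow(SMTP_SESSION)


def flow_features(packets):
    """Per-flow statistics that survive encryption: sizes and directions."""
    sizes = [p.size for p in packets]
    return {
        "mean_size": statistics.fmean(sizes),
        "small_frac": sum(s <= 128 for s in sizes) / len(sizes),
        "c2s_frac": sum(p.direction == "c2s" for p in packets) / len(packets),
    }


# Assumed reference profile for the "predefined class" (interactive SSH
# sessions): mostly small packets, roughly balanced directions.
INTERACTIVE_PROFILE = {"mean_size": 60.0, "small_frac": 0.95, "c2s_frac": 0.5}


def profile_distance(features, profile=INTERACTIVE_PROFILE):
    """Euclidean distance in a space where every feature lies in [0, 1]."""
    d = ((features["mean_size"] - profile["mean_size"]) / MSS) ** 2
    d += (features["small_frac"] - profile["small_frac"]) ** 2
    d += (features["c2s_frac"] - profile["c2s_frac"]) ** 2
    return d ** 0.5


def matches_predefined_class(packets, threshold=0.25):
    """True if the flow's statistics lie within `threshold` of the profile.
    The threshold is an assumption; a deployment would calibrate it."""
    return profile_distance(flow_features(packets)) <= threshold


if __name__ == "__main__":
    for name, flow in [("http tunnel", http_tunnel_flow()),
                       ("ssh interactive", ssh_interactive_flow()),
                       ("ssh tunnel", ssh_tunnel_flow())]:
        print(f"{name:16s} signatures={payload_signature_classify(flow)} "
              f"distance={profile_distance(flow_features(flow)):.3f} "
              f"in_class={matches_predefined_class(flow)}")
```

Run stand-alone, the signature check flags the HTTP tunnel (it sees both HTTP and SMTP markers) but reports nothing beyond the banner for either SSH flow, since after the banner exchange every byte it reads is ciphertext. Only the size and direction statistics separate the keystroke session, which lies close to the assumed profile, from the forwarded SMTP session, whose large client-to-server packets place it far from it. The point of the illustration is the contrast between the two checks, not the particular features or threshold, which a real classifier would derive from training traffic.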