Abstract
This paper presents a novel approach to detect SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data. However, our evaluation shows significant false-positive (FP) results of the current solution. To overcome the issue of high FP rate, we propose a machine learning (ML) approach to detection using specially extended IP Flows. The contributions of this paper are a new dataset from real environment, experimentally selected ML method, which performs with high accuracy and low FP rate, and an architecture of the detection system. The dataset for training was created using extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, using a packet trace with SSH logs from real production servers.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Abdou, A.R., Barrera, D., van Oorschot, P.C.: What lies beneath? Analyzing automated SSH Bruteforce attacks. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds.) PASSWORDS 2015. LNCS, vol. 9551, pp. 72–91. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29938-9_6
AbuseIPDB making the internet safer, one IP at a time, October 2019. https://www.abuseipdb.com/
Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: ACM Workshop on Artificial Intelligence and Security (2016)
Anderson, B., McGrew, D., Perricone, P., Hudson, B.: Joy - a package for capturing and analyzing network flow data and intraflow data, October 2019. https://github.com/cisco/joy
Cejka, T., Bartos, V., Truxa, L., Kubatova, H.: Using application-aware flow monitoring for SIP fraud detection. In: Latré, S., Charalambides, M., François, J., Schmitt, C., Stiller, B. (eds.) AIMS 2015. LNCS, vol. 9122, pp. 87–99. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20034-7_10
Cejka, T., et al.: NEMEA: a framework for network traffic analysis. In: 12th International Conference on Network and Service Management (CNSM) (2016)
Censys, October 2019. https://censys.io
Cisco 2018 annual cybersecurity report, October 2019. https://rfc-editor.org/rfc/rfc3954.txt
Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954, October 2004. https://doi.org/10.17487/RFC3954
Cusack, F., Forssen, M.: Generic message exchange authentication for the secure shell protocol (SSH). Technical report, January 2006. https://doi.org/10.17487/rfc4256
Fai12ban, October 2019. http://www.fai12ban.org/wiki/index.php/Main_Page
Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A.: SSHCure: a flow-based SSH intrusion detection system. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 86–97. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30633-4_11
Hendriks, L., et al.: Threats and surprises behind IPv6 extension headers. In: Network Traffic Measurement and Analysis Conference (TMA) (2017)
Sadasivam, G.K., Hota, C., Anand, B.: Honeynet data analysis and distributed SSH Brute-force attacks. In: Chakraverty, S., Goel, A., Misra, S. (eds.) Towards Extensible and Adaptable Methods in Computing, pp. 107–118. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-2348-5_9
Jonker, M., Hofstede, R., Sperotto, A., Pras, A.: Unveiling flat traffic on the internet: an SSH attack case study. In: International Symposium on Integrated Network Management (IM) (2015)
Najafabadi, M.M., Khoshgoftaar, T.M., Kemp, C., Seliya, N., Zuech, R.: Machine learning for detecting brute force attacks at the network level. In: IEEE International Conference on Bioinformatics and Bioengineering (2014)
Najafabadi, M.M., Khoshgoftaar, T.M., Calvert, C., Kemp, C.: Detection of SSH Brute force attacks using aggregated netflow data. In: 14th International Conference on Machine Learning and Applications (ICMLA) (2015)
Ncrack - Network authentication cracking tool, October 2019. https://nmap.org/ncrack/
NEMEA Bruteforce detector, October 2019. https://github.com/CESNET/Nemea-Detectors/tree/master/brute_force_detector
Ponemon 2014 SSH security vulnerability report, October 2019. https://energycollection.us/Energy-Security/Ponemon-2014-SSH.pdf
Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP flow information export. RFC 5470, March 2009. https://doi.org/10.17487/RFC5470
Satoh, A., Nakamura, Y., Ikenaga, T.: SSH dictionary attack detection based on flow analysis. In: 12th International Symposium on Applications and the Internet IPSJ (2012)
Shodan, October 2019. https://www.shodan.io
Sperotto, A., Sadre, R., de Boer, P.-T., Pras, A.: Hidden Markov model modeling of SSH Brute-force attacks. In: Bartolini, C., Gaspary, L.P. (eds.) DSOM 2009. LNCS, vol. 5841, pp. 164–176. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04989-7_13
Thames, J.L., Abler, R., Keeling, D.: A distributed active response architecture for preventing SSH dictionary attacks. In: IEEE SoutheastCon 2008, pp. 84–89 (2008)
THC HYDRA V. Hauser, The Hacker Choice (THC) - Hydra, October 2019. https://www.thc.org/thc-hydra/
Velan, P., Čeleda, P.: Next generation application-aware flow monitoring. In: Sperotto, A., Doyen, G., Latré, S., Charalambides, M., Stiller, B. (eds.) AIMS 2014. LNCS, vol. 8508, pp. 173–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43862-6_20
Ylonen, T.: The Secure Shell (SSH) Transport Layer Protocol. Technical report, January 2006. https://doi.org/10.17487/rfc4253
Acknowledgment
This work was supported by the Grant Agency of the CTU in Prague, grant No. SGS20/210/OHK3/3T/18 funded by the MEYS of the Czech Republic and the project Reg. No. CZ.02.1.01/0.0/0.0/16_013/0001797 co-funded by the MEYS and ERDF.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Hynek, K., Beneš, T., Čejka, T., Kubátová, H. (2020). Refined Detection of SSH Brute-Force Attackers Using Machine Learning. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-58201-2_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-58200-5
Online ISBN: 978-3-030-58201-2
eBook Packages: Computer ScienceComputer Science (R0)