Abstract
Data throughput of current high-speed networks makes it prohibitively expensive to detect attacks by conventional means such as deep packet inspection. Network behavior analysis seemed to be a solution, but it falls short in several respects. Academic research focuses on sophisticated and advanced detection schemes that are, however, often problematic to deploy in production. In this paper we take a different approach and draw inspiration from the industry practice of using relatively simple but effective solutions. We introduce a model of malicious traffic, based on practical experience, that can be used to create simple and effective detection methods. This model was used to develop a successful proof-of-concept method for protocol-independent detection of dictionary attacks, which is validated with empirical data in this paper.
Copyright information
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Drašar, M. (2013). Protocol-Independent Detection of Dictionary Attacks. In: Bauschert, T. (eds) Advances in Communication Networking. EUNICE 2013. Lecture Notes in Computer Science, vol 8115. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40552-5_30
DOI: https://doi.org/10.1007/978-3-642-40552-5_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40551-8
Online ISBN: 978-3-642-40552-5
eBook Packages: Computer Science (R0)