Detecting stealthy, distributed SSH brute-forcing

Javed, Mobin; Paxson, Vern

doi:10.1145/2508859.2516719

Cited by 53 publications

(27 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Subsequently, he elaborated the concept of bad neighbourhoods on spam in [1], [2], [8]. A thorough study [4] focusing exclusively on SSH bruteforce attacks shows that some attacks are distributed as well as stealthy.…”

Section: Related Workmentioning

confidence: 99%

An analysis of correlations of intrusion alerts in an NREN

Bartoš

Žádník

2014

2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD)

View full text Add to dashboard Cite

An ever increasing impact and amount of network attacks have driven many organizations to deploy various network monitoring and analysis systems such as honeypots, intrusion detection systems, log analyzers and flow monitors. Besides improving these systems a logical next step is to collect and correlate alerts from multiple systems distributed across organizations. The idea is to leverage a joint effect of multiple monitoring systems to build a more robust and efficient system, ideally, lacking the shortcomings of the individual contributing systems. This paper presents an analysis of alert reports gathered from several such detectors deployed in national research and education network (NREN). The analysis focuses on the correlations of reported events in temporal domain as well as on the correlations of different event types.

show abstract

Section: Related Workmentioning

confidence: 99%

An analysis of correlations of intrusion alerts in an NREN

Bartoš

Žádník

2014

2014 IEEE 19th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD)

View full text Add to dashboard Cite

show abstract

“…Attackers may then either actively misuse targets or leave them aside for the time being. Note that not all attack phases need to be visible within a certain portion of network traffic, since attackers may choose to delay execution of attack phases or execute attack phases from different machines to evade detection [13]. The scan phase in the context of attacks against Web applications is different in nature from attacks against other applications.…”

Section: Start Endmentioning

confidence: 99%

Flow-Based Web Application Brute-Force Attack and Compromise Detection

et al. 2017

View full text Add to dashboard Cite

In the early days of network and service management, researchers paid much attention to the design of management frameworks and protocols. Since then the focus of research has shifted from the development of management technologies towards the analysis of management data. From the five FCAPS areas, security of networks and services has become a key challenge. For example, brute-force attacks against Web applications, and compromises resulting thereof, are widespread. Talks with several Top-10 Web hosting companies in the Netherlands reflect that detection of these attacks is often done based on log file analysis on servers, or by deploying host-based intrusion detection systems (IDSs) and firewalls. However, such host-based solutions have several problems. In this paper we therefore investigate the feasibility of a network-based monitoring approach, which detects brute-force attacks against and compromises of Web applications, even in encrypted environments. Our approach is based on per-connection histograms of packet payload sizes in flow data that are exported using IPFIX. We validate our approach using datasets collected in the production network of a large Web hoster in the Netherlands.

show abstract

“…Legitimate login failures on SSH server portrays a Beta-Binomial Distribution [8]. When there is a distributed brute-force attack, the Global Factor Indicator (GFI) would deviate from the mean of the normal user traffic distribution.…”

Section: Related Workmentioning

confidence: 99%

Detection of Severe SSH Attacks Using Honeypot Servers and Machine Learning Techniques

Sadasivam

Hota

Bhojan

2017

JSN

View full text Add to dashboard Cite

There are attacks on or using an SSH server -SSH port scanning, SSH brute-force attack, and attack using a compromised server. Attacks using a server could be DoS attack, Phishing attack, E-mail spamming and so on. Sometimes an attacker breaks into a public SSH server and uses it for the above activities. Mostly, it is hard to detect the compromised SSH servers that were used by the attackers. However, by analysing the system logs an organisation can know about the compromises. For an organisation holding several SSH servers, it would be tedious to analyse the log files manually. Also, high-speed networks demand better mechanisms to detect the compromises. In this paper, we detect a compromised SSH session that is carrying out malicious activities. We use flow-based approach and machine learning techniques to detect a compromised session. In a flow-based approach, individual packets are not scrutinised. Hence, it works better on a high-speed network. The data is extracted from a distributed honeypot. The paper also describes the machine learning techniques with appropriate parameters and feature selection technique. A real-time detection model that is tested on a public server is also Journal of Software Networking, 79-100. doi: 10.13052/jsn2445-9739.2017.005 c 2017 presented. Several analyses proved that J48 decision tree algorithm and the PART algorithm are best suited for detection of SSH compromises. It was inferred that inter-arrival time between packets and the size of a packet payload play a significant role in detecting compromises.

show abstract

Detecting stealthy, distributed SSH brute-forcing

Cited by 53 publications

References 10 publications

An analysis of correlations of intrusion alerts in an NREN

An analysis of correlations of intrusion alerts in an NREN

Flow-Based Web Application Brute-Force Attack and Compromise Detection

Detection of Severe SSH Attacks Using Honeypot Servers and Machine Learning Techniques

Contact Info

Product

Resources

About