SSH services run on many hosts for purposes beyond routine operation, so dictionary attacks against the service are a common security threat. SANS has reported the emergence of distributed SSH dictionary attacks, which are far stealthier than a simple one. Since even a single success of such an attack causes serious problems, administrators should implement countermeasures. SSH dictionary attacks have been detected in two basic ways, relying on either log files or network traffic. Both approaches, however, have limitations. The first imposes heavy maintenance costs on administrators, growing linearly with the number of hosts in the network. The second cannot distinguish between successful and unsuccessful attacks. Of more immediate concern, neither approach is effective against stealthy attacks, because the login attempts of these attacks have little impact on log files or network traffic. An ideal method would detect individual attacks and distinguish an attack's success from its failure, using information derived only from network traffic. In this paper, we describe such a method, developed by combining two novel elements. First, on the basis of our assumptions, we use two criteria: "existence of a connection protocol" and "difference in the inter-arrival time of an auth-packet". These criteria are not directly observable, though, owing to the confidentiality and flexibility of the SSH protocol. Second, we resolve this problem by identifying the transition points of a sub-protocol through flow features and machine learning algorithms. We evaluate the effectiveness of the proposed method through experiments on real traffic traces collected at the edge of our campus networks. The experimental results are encouraging for this research direction, though they are derived from reduced datasets of SSH dictionary attacks and under simplifying assumptions. The significant contribution is the demonstration that an ideal method for detecting SSH dictionary attacks seems feasible.
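The two criteria named above, applied to per-flow packet records, as an added example in Python that is not part of the paper. It assumes that sub-protocol phase labels (transport, authentication, connection) are already attached to each packet (the paper recovers these transition points from flow features and machine learning; here they are constructed sample data), and it assumes one concrete form of the inter-arrival criterion, namely that scripted login retries arrive at near-constant intervals while a human's retries vary widely. The thresholds, host addresses and flow records are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev

# Sub-protocol phases of an SSH session. The paper derives the transition
# points between them from flow features with machine learning; this example
# assumes those labels are already attached to each packet.
TRANSPORT, AUTH, CONNECTION = "transport", "auth", "connection"


@dataclass
class Packet:
    t: float          # arrival time in seconds relative to flow start
    to_server: bool   # True for client-to-server direction
    phase: str        # assumed sub-protocol label (see note above)


@dataclass
class Flow:
    src: str
    packets: list


def has_connection_protocol(flow):
    """Criterion 1: the connection protocol only starts after the server
    accepted authentication, so its presence marks a successful login."""
    return any(p.phase == CONNECTION for p in flow.packets)


def auth_inter_arrival(flow):
    """Gaps between consecutive client auth packets (the login attempts)."""
    ts = [p.t for p in flow.packets if p.phase == AUTH and p.to_server]
    return [b - a for a, b in zip(ts, ts[1:])]


def is_automated(flow, min_attempts=3, max_spread=0.05):
    """Criterion 2 (assumed form): a script retries at near-constant
    intervals, so the relative spread (stdev/mean) of the auth gaps is tiny;
    a human produces widely varying pauses. Thresholds are illustrative."""
    gaps = auth_inter_arrival(flow)
    if len(gaps) + 1 < min_attempts:
        return False
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg < max_spread


def classify_flow(flow):
    """Combine both criteria into one of four verdicts for a single flow."""
    automated, success = is_automated(flow), has_connection_protocol(flow)
    if automated:
        return "dictionary-attack-success" if success else "dictionary-attack-failure"
    return "login-success" if success else "login-failure"


def summarize(flows):
    """Per-verdict counts, the view an operator wants across many hosts."""
    out = {}
    for f in flows:
        v = classify_flow(f)
        out[v] = out.get(v, 0) + 1
    return out


def _flow(src, auth_times, connection_at=None):
    # Constructed sample flow: a transport-phase exchange, then client auth
    # packets at the given times (each answered by the server), optionally
    # followed by a connection-phase packet.
    pkts = [Packet(0.0, True, TRANSPORT), Packet(0.1, False, TRANSPORT)]
    for t in auth_times:
        pkts.append(Packet(t, True, AUTH))
        pkts.append(Packet(t + 0.05, False, AUTH))
    if connection_at is not None:
        pkts.append(Packet(connection_at, True, CONNECTION))
    return Flow(src, pkts)


# Constructed sample data, not real traffic traces.
HUMAN_LOGIN = _flow("10.0.0.5", [2.0, 5.3], connection_at=6.0)       # one typo, then success
SCRIPT_FAIL = _flow("198.51.100.7", [1.0, 1.5, 2.0, 2.5, 3.0, 3.5])   # steady retries, no connection phase
SCRIPT_SUCCESS = _flow("198.51.100.9", [1.0, 1.5, 2.0, 2.5], connection_at=2.8)
SAMPLE_FLOWS = [HUMAN_LOGIN, SCRIPT_FAIL, SCRIPT_SUCCESS]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, classify_flow(f))
    print(summarize(SAMPLE_FLOWS))
```

The success criterion is the one that log- and rate-based detectors cannot provide from traffic alone: a flow that shows scripted timing and then enters the connection protocol is the case worth paging on, while scripted timing with no connection phase is a failed attempt. Note that a distributed attack sending one attempt per source defeats the timing criterion within a single flow, which is where the paper's reliance on phase transition points rather than attempt counts matters.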