Unveiling flat traffic on the Internet: An SSH attack case study

Many types of brute-force attacks are known to exhibit a characteristic 'flat' behavior at the network level, meaning that the connections belonging to an attack feature a similar number of packets and bytes, and a similar duration. Flat traffic usually results from repeating similar application-layer actions, such as the login attempts in a brute-force attack. In a typical attack, hundreds of attempts span multiple connections, each connection carrying the same small number of attempts. This characteristic flat behavior is used by many Intrusion Detection Systems (IDSes), both for identifying the presence of attacks and, once an attack has been detected, for observing deviations from it, which can point out potential compromises, for example. However, the flatness of network traffic may become indistinct when TCP retransmissions and control information come into play. These TCP phenomena affect not only intrusion detection but also other forms of network traffic analysis. The contribution of this work is twofold. First, we analyze the impact of retransmissions and control information on network traffic based on traffic measurements. To do so, we have developed a flow exporter extension that was deployed in both a campus and a backbone network. Second, we show that intrusion detection results improve dramatically, by up to 16 percentage points, once IDSes are able to 'flatten' network traffic again; we have validated this by analyzing the log files of almost 60 hosts over a period of one month.
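As an added illustration (not code from the paper or its flow exporter extension), the following assumes that the exporter tags retransmitted segments and zero-payload control segments per flow; subtracting those counters 'flattens' each connection back to its application-layer footprint, after which a flatness check and a deviation check behave as the abstract describes. The `Flow` class, `flatten`, `is_flat`, `deviating`, `flatness_report` and the sample flows are all constructed for this example.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Flow:
    """One TCP connection as a flow exporter summarises it (constructed fields).
    retrans_*/ctrl_* are assumed to come from an exporter extension that tags
    retransmitted segments and zero-payload control segments (pure ACKs, SYN/FIN)."""
    packets: int
    octets: int
    retrans_packets: int = 0
    retrans_octets: int = 0
    ctrl_packets: int = 0
    ctrl_octets: int = 0

def flatten(flow: Flow) -> tuple[int, int]:
    """Packets and bytes with retransmissions and control packets removed."""
    return (flow.packets - flow.retrans_packets - flow.ctrl_packets,
            flow.octets - flow.retrans_octets - flow.ctrl_octets)

def is_flat(values: list[int], tolerance: float = 0.10) -> bool:
    """Flat: every connection lies within +/- tolerance of the median."""
    m = median(values)
    return all(abs(v - m) <= tolerance * m for v in values)

def deviating(flows: list[Flow], tolerance: float = 0.10) -> list[int]:
    """Indices of connections whose flattened packet count leaves the flat
    level; such outliers are what an IDS inspects for a possible compromise."""
    pkts = [flatten(f)[0] for f in flows]
    m = median(pkts)
    return [i for i, p in enumerate(pkts) if abs(p - m) > tolerance * m]

def flatness_report(flows: list[Flow]) -> dict:
    """Flatness of raw versus flattened counters for one attack."""
    raw = list(zip(*[(f.packets, f.octets) for f in flows]))
    flat = list(zip(*[flatten(f) for f in flows]))
    return {"raw_packets": is_flat(raw[0]), "raw_octets": is_flat(raw[1]),
            "flat_packets": is_flat(flat[0]), "flat_octets": is_flat(flat[1])}

# Constructed sample: four connections of one brute-force attack, each carrying
# the same three login attempts (15 data packets, 2630 bytes). Two connections
# saw loss and extra ACK traffic, so their raw counters differ.
ATTACK_FLOWS = [
    Flow(packets=22, octets=3050, ctrl_packets=7, ctrl_octets=420),
    Flow(packets=30, octets=3930, retrans_packets=5, retrans_octets=700,
         ctrl_packets=10, ctrl_octets=600),
    Flow(packets=23, octets=3110, ctrl_packets=8, ctrl_octets=480),
    Flow(packets=26, octets=3450, retrans_packets=2, retrans_octets=280,
         ctrl_packets=9, ctrl_octets=540),
]
```

On the raw counters the four connections fail a 10% flatness check, while their flattened counters are identical; a fifth connection with a much larger flattened footprint is then reported by `deviating`.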
