Detection of SSH Brute Force Attacks Using Aggregated Netflow Data

The SSH brute force attack is one of the most prevalent attacks in computer networks. These attacks aim to gain illegitimate access to users' accounts by trying many different password combinations. Detecting this type of attack at the network level can overcome the scalability issue of host-based detection methods. In this paper, we provide a machine learning approach for the detection of SSH brute force attacks at the network level. Since extracting discriminative features is a fundamental step in any machine learning task, we explain the process of extracting discriminative features for the detection of brute force attacks. We incorporate domain knowledge about SSH brute force attacks as well as the analysis of a representative collection of the data to define the features. We collected real SSH traffic from a campus network. We also generated failed login data of the kind a legitimate user who has forgotten his/her password can produce as normal traffic, since such traffic can resemble SSH brute force attack traffic. Our inspection of the collected brute force Netflow data and the manually produced SSH failed login data showed that the Netflow features are not discriminative enough to distinguish brute force traffic from the failed login traffic produced by a legitimate user. We introduced an aggregation of Netflows to extract the proper features for building machine learning models. Our results show that the models built upon these features provide excellent performance for the detection of brute force attacks.
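As an added illustration of the aggregation idea described above (this is not code from the paper; the flow records, addresses, window size and feature set are constructed assumptions), the script below shows why a single Netflow record for a forgotten-password retry looks the same as one for a brute force attempt, while per-source aggregation over a time window yields features (flow count, destination fan-out, rate) that separate the two:

```python
from collections import defaultdict
from statistics import mean

# Constructed NetFlow-style records, not the paper's dataset.
# Tuple fields: start time (s), src IP, dst IP, dst port, packets, bytes, duration (s).
LEGIT_USER = "10.0.0.5"        # forgot the password, retries a few times on one server
BRUTE_SRC = "203.0.113.7"      # constructed attacker address (documentation range)

FLOWS = [
    (0,  LEGIT_USER, "10.0.1.10", 22, 18, 2100, 4.0),
    (30, LEGIT_USER, "10.0.1.10", 22, 19, 2200, 4.5),
    (70, LEGIT_USER, "10.0.1.10", 22, 18, 2050, 4.2),
] + [
    # one failed login every 5 s, rotating across four SSH servers
    (t, BRUTE_SRC, f"10.0.1.{10 + (t // 5) % 4}", 22, 18, 2100, 4.0)
    for t in range(0, 300, 5)
]


def per_flow_features(flow):
    """Features available from a single NetFlow record: size and timing only."""
    _, _, _, _, packets, nbytes, duration = flow
    return {"packets": packets, "bytes": nbytes, "duration": duration}


def aggregate(flows, window=300):
    """Group SSH flows per source IP inside a fixed time window and derive
    features that only exist at the aggregate level (counts, fan-out, rate)."""
    buckets = defaultdict(list)
    for f in flows:
        start, src, _, dport, *_ = f
        if dport == 22:
            buckets[(src, start // window)].append(f)
    out = {}
    for key, group in buckets.items():
        out[key] = {
            "flow_count": len(group),
            "distinct_dst": len({f[2] for f in group}),
            "flows_per_min": len(group) / (window / 60),
            "mean_packets": mean(f[4] for f in group),
            "mean_bytes": mean(f[5] for f in group),
        }
    return out


if __name__ == "__main__":
    print(per_flow_features(FLOWS[0]), per_flow_features(FLOWS[3]))
    for key, feats in aggregate(FLOWS).items():
        print(key, feats)
```

The aggregated dictionaries are the kind of feature vectors that would be fed to the classifier; the per-flow ones are indistinguishable between the two sources.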
