Data analytics for modeling and visualizing attack behaviors: A case study on SSH brute force attacks

In this research, we explore a data-analytics-based approach for modeling and visualizing attack behaviors. To this end, we employ Self-Organizing Map (SOM) and Association Rule Mining algorithms to analyze and interpret the behaviors of SSH brute force attacks and normal SSH traffic as a case study. The experimental results, based on four different data sets, show that the patterns extracted and interpreted from the SSH brute force attack data sets are similar to each other but significantly different from those extracted from the normal SSH traffic data sets. The analysis of the attack traffic provides insight into behavior modeling for SSH brute force attacks. Furthermore, this sheds light on how data analytics could help in modeling and visualizing attack behaviors in general, in terms of data acquisition and feature extraction.
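To illustrate the association-rule side of the approach described above, the following is an added example (not code from the paper or its authors): a minimal Apriori implementation that mines rules of the form "flow features -> label" from discretized SSH flow records. The flow records, feature names and bins (dur, pkts, bytes) are constructed for illustration and are not the paper's data or feature set.

```python
from itertools import combinations

# Constructed sample: each SSH flow summarized as a set of discretized feature items.
# Feature names and bins are assumptions for illustration, not the paper's feature set.
FLOWS = [
    {"dur=short", "pkts=few", "bytes=small", "label=bruteforce"},
    {"dur=short", "pkts=few", "bytes=small", "label=bruteforce"},
    {"dur=short", "pkts=few", "bytes=medium", "label=bruteforce"},
    {"dur=short", "pkts=few", "bytes=small", "label=bruteforce"},
    {"dur=long", "pkts=many", "bytes=large", "label=normal"},
    {"dur=long", "pkts=many", "bytes=medium", "label=normal"},
    {"dur=medium", "pkts=many", "bytes=large", "label=normal"},
    {"dur=long", "pkts=few", "bytes=small", "label=normal"},
]

def support(itemset, flows):
    """Fraction of flows that contain every item in itemset."""
    return sum(1 for f in flows if itemset <= f) / len(flows)

def frequent_itemsets(flows, min_support):
    """Apriori: grow candidate itemsets level by level, pruning by support."""
    items = sorted({i for f in flows for i in f})
    level = [frozenset([i]) for i in items if support({i}, flows) >= min_support]
    frequent = {s: support(s, flows) for s in level}
    k = 2
    while level:
        candidates = {a | b for a, b in combinations(level, 2) if len(a | b) == k}
        # Every (k-1)-subset of a frequent k-itemset must itself be frequent.
        level = [c for c in candidates
                 if all(frozenset(s) in frequent for s in combinations(c, k - 1))
                 and support(c, flows) >= min_support]
        frequent.update({c: support(c, flows) for c in level})
        k += 1
    return frequent

def label_rules(flows, min_support=0.25, min_confidence=0.9):
    """Rules antecedent -> label=..., as (antecedent, label, support, confidence)."""
    freq = frequent_itemsets(flows, min_support)
    rules = []
    for itemset, sup in freq.items():
        labels = [i for i in itemset if i.startswith("label=")]
        if len(labels) != 1 or len(itemset) < 2:
            continue
        antecedent = itemset - {labels[0]}
        conf = sup / freq[antecedent]  # antecedent is frequent by the Apriori property
        if conf >= min_confidence:
            rules.append((tuple(sorted(antecedent)), labels[0], sup, conf))
    return sorted(rules, key=lambda r: (-r[3], -r[2], r[0]))
```

On the constructed sample, rules such as {dur=short, pkts=few} -> label=bruteforce emerge with confidence 1.0, while {pkts=few} alone (0.8 confidence) is filtered out, which is the kind of interpretable contrast between attack and normal traffic the paper reports.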
