Clustering of SSH brute-force attack logs using k-clique percolation

Brute-force attacks against the SSH service still persist in server environments. Existing methods have not applied graph theory to analyze the authentication log that records these attacks. We therefore model the log as a graph and propose k-clique percolation to cluster the auth.log file, helping system administrators inspect such incidents. k-clique percolation has proven effective for clustering biological networks, and we apply it to this problem. We then provide an edge-removal mechanism that separates the generated clusters and makes the clustering output clearer. The experimental results show that this approach is suitable for clustering raw logs of SSH brute-force attacks.
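As an added illustration, not code from the paper, the following pure-Python script runs k-clique percolation over a constructed auth.log excerpt. The abstract does not specify its graph model or its edge-removal rule, so both are assumptions here: nodes are source IPs, two IPs are joined when they tried the same usernames, and raising the shared-username threshold is the edge-removal step that detaches a loosely linked source from a cluster.

```python
import re
from collections import defaultdict
from itertools import combinations

# Constructed auth.log excerpt (not real data): 203.0.113.5-7 cycle through
# admin and root, 198.51.100.20-22 all try oracle, 192.0.2.9 only tries root.
AUTH_LOG = """\
Jan 10 03:12:01 host sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Jan 10 03:12:03 host sshd[2002]: Failed password for root from 203.0.113.5 port 4243 ssh2
Jan 10 03:12:05 host sshd[2003]: Failed password for invalid user admin from 203.0.113.6 port 5100 ssh2
Jan 10 03:12:07 host sshd[2004]: Failed password for root from 203.0.113.6 port 5101 ssh2
Jan 10 03:12:09 host sshd[2005]: Failed password for invalid user admin from 203.0.113.7 port 6001 ssh2
Jan 10 03:12:11 host sshd[2006]: Failed password for root from 203.0.113.7 port 6002 ssh2
Jan 10 03:13:01 host sshd[2007]: Failed password for invalid user oracle from 198.51.100.20 port 7000 ssh2
Jan 10 03:13:05 host sshd[2008]: Failed password for invalid user oracle from 198.51.100.21 port 7100 ssh2
Jan 10 03:13:09 host sshd[2009]: Failed password for invalid user oracle from 198.51.100.22 port 7200 ssh2
Jan 10 03:14:00 host sshd[2010]: Failed password for root from 192.0.2.9 port 8000 ssh2
"""
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def build_graph(log, min_shared=1):
    """Assumed model (the abstract does not fix one): nodes are source IPs, joined when
    they tried >= min_shared of the same usernames; raising min_shared removes edges."""
    users = defaultdict(set)                     # ip -> usernames it failed against
    for m in FAILED.finditer(log):
        users[m.group(2)].add(m.group(1))
    adj = {ip: set() for ip in users}
    for a, b in combinations(users, 2):
        if len(users[a] & users[b]) >= min_shared:
            adj[a].add(b); adj[b].add(a)
    return adj

def k_clique_communities(adj, k=3):
    """Clique percolation: k-cliques sharing k-1 nodes merge into one community."""
    cliques = set()
    for v in adj:                                # enumerate k-cliques with v as smallest node
        for rest in combinations(sorted(w for w in adj[v] if w > v), k - 1):
            if all(b in adj[a] for a, b in combinations(rest, 2)):
                cliques.add(frozenset((v,) + rest))
    comms = []                                   # [(node set, member cliques), ...]
    for c in cliques:                            # incremental components of the clique graph
        nodes, members = set(c), [c]
        for s in [s for s in comms if any(len(c & q) >= k - 1 for q in s[1])]:
            nodes |= s[0]; members += s[1]; comms.remove(s)
        comms.append((nodes, members))
    return sorted(sorted(n) for n, _ in comms)   # communities may overlap

if __name__ == "__main__":
    for threshold in (1, 2):
        print(threshold, k_clique_communities(build_graph(AUTH_LOG, threshold)))
```

With the threshold at 1, 192.0.2.9 percolates into the first cluster because it shares root with all three of its members; at 2 that edge set is removed and the cluster shrinks to the three sources that share the whole username list.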
