Refined Detection of SSH Brute-Force Attackers Using Machine Learning

This paper presents a novel approach to detecting SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data; however, our evaluation shows that the current solution produces a significant number of false-positive (FP) results. To overcome the high FP rate, we propose a machine learning (ML) approach to detection that uses specially extended IP Flows. The contributions of this paper are a new dataset from a real environment, an experimentally selected ML method that performs with high accuracy and a low FP rate, and an architecture for the detection system. The training dataset was created through extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, a packet trace with SSH logs from real production servers.
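The abstract contrasts a pure-NetFlow threshold rule, which flags legitimate SSH traffic that merely looks like a brute-force attack, with a multi-feature ML classifier over per-source aggregated flows. The following Python is an added example that is not the paper's code, dataset or feature set: the flow records are constructed, the "extended" fields reduced to a bidirectional flow's server-to-client byte count, the feature vector and the nearest-centroid classifier are my assumptions chosen to illustrate the idea, and the training vectors stand in for previously labelled aggregates. The constructed monitoring host (many short scripted sessions) is the kind of legitimate BF-like traffic the abstract mentions: the single-signal heuristic flags it, the classifier does not.

```python
"""Flow-based SSH brute-force detection on constructed flow records: a
pure-NetFlow style threshold rule beside a multi-feature nearest-centroid
classifier. Added example; feature set and thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed bidirectional flow records:
# (src, dst, dport, packets, bytes_server_to_client, duration_seconds)
FLOWS = []
# Attacker 203.0.113.7: 40 failed logins against 4 servers, each a short
# key exchange plus one rejected authentication attempt (constructed).
for i in range(40):
    FLOWS.append(("203.0.113.7", "198.51.100.%d" % (10 + i % 4), 22, 19, 1900, 0.8))
# Monitoring host 192.0.2.5: 40 scripted checks against 20 servers, each
# logging in, running one command and exiting (constructed, legitimate).
for i in range(40):
    FLOWS.append(("192.0.2.5", "198.51.100.%d" % (10 + i % 20), 22, 26, 4200, 1.1))
# Interactive administrator 192.0.2.9: two long sessions (constructed).
FLOWS.append(("192.0.2.9", "198.51.100.10", 22, 900, 180000, 600.0))
FLOWS.append(("192.0.2.9", "198.51.100.11", 22, 420, 70000, 240.0))


def aggregate(flows, dport=22):
    """Group flows to the SSH port by source address."""
    per_src = defaultdict(list)
    for f in flows:
        if f[2] == dport:
            per_src[f[0]].append(f)
    return per_src


def netflow_heuristic(flows, min_flows=20, pkt_band=(10, 30)):
    """Threshold rule in the style of pure-NetFlow detectors (assumed form):
    a source with many flows whose median packet count sits in the
    'authentication only' band is reported as an attacker."""
    flagged = set()
    for src, fl in aggregate(flows).items():
        if len(fl) < min_flows:
            continue
        pk = sorted(f[3] for f in fl)
        median = pk[len(pk) // 2]
        if pkt_band[0] <= median <= pkt_band[1]:
            flagged.add(src)
    return flagged


def features(fl):
    """Per-source feature vector (assumed): flow volume on a log scale,
    share of short flows, share of flows where the server sent a payload
    beyond key exchange and authentication, and destination spread."""
    n = len(fl)
    short = sum(1 for f in fl if f[3] <= 30) / n
    data = sum(1 for f in fl if f[4] > 3000) / n
    spread = len({f[1] for f in fl}) / n
    return (math.log10(n), short, data, spread)


# Constructed labelled aggregates standing in for a training set.
TRAIN = [
    ((1.9, 1.00, 0.00, 0.05), "bf"),
    ((2.4, 0.98, 0.02, 0.20), "bf"),
    ((1.3, 1.00, 0.00, 0.30), "bf"),
    ((1.5, 0.95, 0.95, 0.60), "legit"),  # scripted backup / monitoring
    ((0.5, 0.10, 1.00, 1.00), "legit"),  # interactive sessions
    ((0.9, 0.30, 0.90, 0.80), "legit"),
]


def centroids(train):
    """Mean feature vector per class (nearest-centroid training step)."""
    sums, counts = defaultdict(lambda: [0.0] * 4), defaultdict(int)
    for vec, label in train:
        counts[label] += 1
        for i, v in enumerate(vec):
            sums[label][i] += v
    return {lab: tuple(s / counts[lab] for s in sums[lab]) for lab in sums}


def classify(flows, train=TRAIN):
    """Label each source by the class whose centroid is nearest in feature space."""
    cents = centroids(train)
    result = {}
    for src, fl in aggregate(flows).items():
        vec = features(fl)
        result[src] = min(
            cents, key=lambda lab: sum((a - b) ** 2 for a, b in zip(vec, cents[lab]))
        )
    return result


if __name__ == "__main__":
    print("threshold rule flags:", sorted(netflow_heuristic(FLOWS)))
    print("classifier labels:  ", classify(FLOWS))
```

The threshold rule reports both 203.0.113.7 and 192.0.2.5, because flow count and packets-per-flow alone cannot separate repeated failed logins from repeated short successful ones; the classifier keeps the attacker label only for the source whose sessions never carry server data after authentication. In a real deployment the centroids would be trained on labelled production aggregates and the feature thresholds validated against the local SSH population rather than set by hand as here.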
