Skip to main content
SpringerLink
Log in

Refined Detection of SSH Brute-Force Attackers Using Machine Learning

  • Conference paper
  • First Online:
ICT Systems Security and Privacy Protection (SEC 2020)

Part of the book series: IFIP Advances in Information and Communication Technology ((IFIPAICT,volume 580))

Abstract

This paper presents a novel approach to detect SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data. However, our evaluation shows significant false-positive (FP) results of the current solution. To overcome the issue of high FP rate, we propose a machine learning (ML) approach to detection using specially extended IP Flows. The contributions of this paper are a new dataset from real environment, experimentally selected ML method, which performs with high accuracy and low FP rate, and an architecture of the detection system. The dataset for training was created using extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, using a packet trace with SSH logs from real production servers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 99.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 129.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 129.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://github.com/CESNET/traffic-datasets/tree/master/ssh/f2b.

  2. 2.

    https://github.com/CESNET/traffic-datasets/tree/master/ssh/.

References

  1. Abdou, A.R., Barrera, D., van Oorschot, P.C.: What lies beneath? Analyzing automated SSH Bruteforce attacks. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds.) PASSWORDS 2015. LNCS, vol. 9551, pp. 72–91. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29938-9_6

    Chapter  Google Scholar 

  2. AbuseIPDB making the internet safer, one IP at a time, October 2019. https://www.abuseipdb.com/

  3. Anderson, B., McGrew, D.: Identifying encrypted malware traffic with contextual flow data. In: ACM Workshop on Artificial Intelligence and Security (2016)

    Google Scholar 

  4. Anderson, B., McGrew, D., Perricone, P., Hudson, B.: Joy - a package for capturing and analyzing network flow data and intraflow data, October 2019. https://github.com/cisco/joy

  5. Cejka, T., Bartos, V., Truxa, L., Kubatova, H.: Using application-aware flow monitoring for SIP fraud detection. In: Latré, S., Charalambides, M., François, J., Schmitt, C., Stiller, B. (eds.) AIMS 2015. LNCS, vol. 9122, pp. 87–99. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-20034-7_10

    Chapter  Google Scholar 

  6. Cejka, T., et al.: NEMEA: a framework for network traffic analysis. In: 12th International Conference on Network and Service Management (CNSM) (2016)

    Google Scholar 

  7. Censys, October 2019. https://censys.io

  8. Cisco 2018 annual cybersecurity report, October 2019. https://rfc-editor.org/rfc/rfc3954.txt

  9. Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954, October 2004. https://doi.org/10.17487/RFC3954

  10. Cusack, F., Forssen, M.: Generic message exchange authentication for the secure shell protocol (SSH). Technical report, January 2006. https://doi.org/10.17487/rfc4256

  11. Fai12ban, October 2019. http://www.fai12ban.org/wiki/index.php/Main_Page

  12. Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A.: SSHCure: a flow-based SSH intrusion detection system. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds.) AIMS 2012. LNCS, vol. 7279, pp. 86–97. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30633-4_11

    Chapter  Google Scholar 

  13. Hendriks, L., et al.: Threats and surprises behind IPv6 extension headers. In: Network Traffic Measurement and Analysis Conference (TMA) (2017)

    Google Scholar 

  14. Sadasivam, G.K., Hota, C., Anand, B.: Honeynet data analysis and distributed SSH Brute-force attacks. In: Chakraverty, S., Goel, A., Misra, S. (eds.) Towards Extensible and Adaptable Methods in Computing, pp. 107–118. Springer, Singapore (2018). https://doi.org/10.1007/978-981-13-2348-5_9

    Chapter  Google Scholar 

  15. Jonker, M., Hofstede, R., Sperotto, A., Pras, A.: Unveiling flat traffic on the internet: an SSH attack case study. In: International Symposium on Integrated Network Management (IM) (2015)

    Google Scholar 

  16. Najafabadi, M.M., Khoshgoftaar, T.M., Kemp, C., Seliya, N., Zuech, R.: Machine learning for detecting brute force attacks at the network level. In: IEEE International Conference on Bioinformatics and Bioengineering (2014)

    Google Scholar 

  17. Najafabadi, M.M., Khoshgoftaar, T.M., Calvert, C., Kemp, C.: Detection of SSH Brute force attacks using aggregated netflow data. In: 14th International Conference on Machine Learning and Applications (ICMLA) (2015)

    Google Scholar 

  18. Ncrack - Network authentication cracking tool, October 2019. https://nmap.org/ncrack/

  19. NEMEA Bruteforce detector, October 2019. https://github.com/CESNET/Nemea-Detectors/tree/master/brute_force_detector

  20. Ponemon 2014 SSH security vulnerability report, October 2019. https://energycollection.us/Energy-Security/Ponemon-2014-SSH.pdf

  21. Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP flow information export. RFC 5470, March 2009. https://doi.org/10.17487/RFC5470

  22. Satoh, A., Nakamura, Y., Ikenaga, T.: SSH dictionary attack detection based on flow analysis. In: 12th International Symposium on Applications and the Internet IPSJ (2012)

    Google Scholar 

  23. Shodan, October 2019. https://www.shodan.io

  24. Sperotto, A., Sadre, R., de Boer, P.-T., Pras, A.: Hidden Markov model modeling of SSH Brute-force attacks. In: Bartolini, C., Gaspary, L.P. (eds.) DSOM 2009. LNCS, vol. 5841, pp. 164–176. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-04989-7_13

    Chapter  Google Scholar 

  25. Thames, J.L., Abler, R., Keeling, D.: A distributed active response architecture for preventing SSH dictionary attacks. In: IEEE SoutheastCon 2008, pp. 84–89 (2008)

    Google Scholar 

  26. THC HYDRA V. Hauser, The Hacker Choice (THC) - Hydra, October 2019. https://www.thc.org/thc-hydra/

  27. Velan, P., Čeleda, P.: Next generation application-aware flow monitoring. In: Sperotto, A., Doyen, G., Latré, S., Charalambides, M., Stiller, B. (eds.) AIMS 2014. LNCS, vol. 8508, pp. 173–178. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43862-6_20

    Chapter  Google Scholar 

  28. Ylonen, T.: The Secure Shell (SSH) Transport Layer Protocol. Technical report, January 2006. https://doi.org/10.17487/rfc4253

Download references

Acknowledgment

This work was supported by the Grant Agency of the CTU in Prague, grant No. SGS20/210/OHK3/3T/18 funded by the MEYS of the Czech Republic and the project Reg. No. CZ.02.1.01/0.0/0.0/16_013/0001797 co-funded by the MEYS and ERDF.

Author information

Authors and Affiliations

  1. FIT CTU, Prague, Czech Republic

    Karel Hynek, Tomáš Beneš & Hana Kubátová

  2. CESNET a.l.e., Prague, Czech Republic

    Karel Hynek, Tomáš Beneš & Tomáš Čejka

Authors
  1. Karel Hynek
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tomáš Beneš
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tomáš Čejka
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hana Kubátová
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Karel Hynek .

Editor information

Editors and Affiliations

  1. University of Maribor, Maribor, Slovenia

    Marko Hölbl

  2. Goethe University Frankfurt, Frankfurt, Germany

    Kai Rannenberg

  3. University of Maribor, Maribor, Slovenia

    Tatjana Welzer

Rights and permissions

Reprints and permissions

Copyright information

© 2020 IFIP International Federation for Information Processing

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hynek, K., Beneš, T., Čejka, T., Kubátová, H. (2020). Refined Detection of SSH Brute-Force Attackers Using Machine Learning. In: Hölbl, M., Rannenberg, K., Welzer, T. (eds) ICT Systems Security and Privacy Protection. SEC 2020. IFIP Advances in Information and Communication Technology, vol 580. Springer, Cham. https://doi.org/10.1007/978-3-030-58201-2_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58201-2_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58200-5

  • Online ISBN: 978-3-030-58201-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

Search

Navigation