Classification of SSH Anomalous Connections

  • Silvia González
  • Javier Sedano
  • Urko Zurutuza
  • Enaitz Ezpeleta
  • Diego Martínez
  • Álvaro Herrero
  • Emilio Corchado
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 239)


The Secure Shell Protocol (SSH) is a well-known standard protocol for remote login, also used for other secure network services over an insecure network. It is mainly used for remotely accessing shell accounts on Unix-like operating systems to perform administrative tasks. For this reason, the SSH service has for years been an attractive target for attackers, who aim to guess root passwords through dictionary attacks or to exploit the service itself directly. To test the classification performance of different classifiers and combinations of them, this study gathers SSH data from a honeynet and analyses it by means of a wide range of classifiers. The high classification rates lead to positive conclusions about the identification of malicious SSH connections.


Keywords: Secure Shell Protocol, SSH, Honeynet, Honeypot, Intrusion Detection, Classifier Ensemble





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Silvia González (1)
  • Javier Sedano (1)
  • Urko Zurutuza (2)
  • Enaitz Ezpeleta (2)
  • Diego Martínez (3)
  • Álvaro Herrero (3)
  • Emilio Corchado (4)

  1. Instituto Tecnológico de Castilla y León, Burgos, Spain
  2. Electronics and Computing Department, Mondragon University, Arrasate-Mondragon, Spain
  3. Department of Civil Engineering, University of Burgos, Burgos, Spain
  4. Departamento de Informática y Automática, Universidad de Salamanca, Salamanca, Spain
