Hidden Markov Model Modeling of SSH Brute-Force Attacks

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5841)


Nowadays, network load is constantly increasing and high-speed infrastructures (1-10Gbps) are becoming increasingly common. In this context, flow-based intrusion detection has recently become a promising security mechanism. However, since flows do not provide any information on the content of a communication, it also became more difficult to establish a ground truth for flow-based techniques benchmarking. A possible approach to overcome this problem is the usage of synthetic traffic traces where the generation of malicious traffic is driven by models. In this paper, we propose a flow time series model of SSH brute-force attacks based on Hidden Markov Models. Our results show that the model successfully emulates an attacker behavior, generating meaningful flow time series.


Time Series Hide Markov Model Intrusion Detection Hide State Discrete Time Markov Chain 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An Overview of IP Flow-based Intrusion Detection. IEEE Communications Surveys & Tutorials (to appear, 2009)Google Scholar
  2. 2.
    Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP Flow Information Export (IPFIX). RFC 3917 (Informational)Google Scholar
  3. 3.
    NfSen - Netflow Sensor (May 2009),
  4. 4.
    Sperotto, A., Sadre, R., van Vliet, D.F., Pras, A.: A Labeled Data Set For Flow-based Intrusion Detection. In: Nunzi, G., Scoglio, C., Li, X. (eds.) IPOM 2009. LNCS, vol. 5843, pp. 39–50. Springer, Heidelberg (2009)Google Scholar
  5. 5.
    Brauckhoff, D., Wagner, A., Mays, M.: FLAME: a flow-level anomaly modeling engine. In: Proc. of the Workshop on Cyber Security Experimentation and Test, CSET 2008 (2008)Google Scholar
  6. 6.
    Sommers, J., Yegneswaran, V., Barford, P.: A framework for malicious workload generation. In: Proc. of the 4th ACM SIGCOMM conference on Internet measurement, IMC 2004 (2004)Google Scholar
  7. 7.
    Camastra, F., Vinciarelli, A.: Markovian models for sequential data. Machine Learning for Audio, Image and Video Analysis (2008)Google Scholar
  8. 8.
    Baum, L.E., Petrie, T., Soules, G., Weiss, N.: A Maximization Technique Occurring in the Statistical Analysis of Probabilistic Functions of Markov Chains. The Annals of Mathematical Statistics 41 (1970)Google Scholar
  9. 9.
    Durbin, R., Eddy, S.R., Krogh, A., Mitchison, G.: Biological Sequence Analysis: Probabilistic Models of Proteins and Nucleic Acids. Cambridge University Press, Cambridge (1998)CrossRefzbMATHGoogle Scholar
  10. 10.
    Rabiner, L.R.: A tutorial on hidden Markov models and selected applications in speech recognition. Proceedings of the IEEE (1989)Google Scholar
  11. 11.
    Fink, G.A.: Markov Models for Pattern Recognition: From Theory to Applications. Springer, New York (2007)Google Scholar
  12. 12.
    Wright, C.V., Monrose, F., Masson, G.M.: HMM Profiles for Network Traffic Classification. In: Workshop on Visualization and Data Mining for Computer Security VizSEC/DMSEC 2004 (2004)Google Scholar
  13. 13.
    Dainotti, A., Pescapé, A., Rossi, P.S., Palmieri, F., Ventre, G.: Internet traffic modeling by means of Hidden Markov Models. Computer Networks 52(14) (2008)Google Scholar
  14. 14.
    Dainotti, A., de Donato, W., Pescape, A., Rossi, P.: Classification of Network Traffic via Packet-Level Hidden Markov Models. In: Proc. of IEEE Global Telecommunications Conference, GLOBECOM 2008 (2008)Google Scholar
  15. 15.
    Gao, D., Reiter, M.K., Song, D.X.: Behavioral Distance Measurement Using Hidden Markov Models. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 19–40. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Warrender, C., Forrest, S., Pearlmutter, B.: Detecting Intrusions Using System Calls: Alternative Data Models. In: Proc. of the 1999 IEEE Symposium on Security and Privacy (1999)Google Scholar
  17. 17.
    Khanna, R., Liu, H.: System approach to intrusion detection using hidden Markov model. In: Proceedings of the 2006 International Conference on Wireless communications and mobile computing, IWCMC 2006 (2006)Google Scholar
  18. 18.
    Seifert, C.: Analyzing malicious ssh login attempts (September 2006),
  19. 19.
    SANS Institute: Top-20 2007 Security Risks (2007 Annual Update), (May 2009)
  20. 20.
    Sperotto, A., Sadre, R., Pras, A.: Anomaly Characterization in Flow-Based Traffic Time Series. In: Akar, N., Pioro, M., Skianis, C. (eds.) IPOM 2008. LNCS, vol. 5275, pp. 15–27. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Andrieu, C., Doucet, A.: Simulated Annealing for Maximum A Posteriori Parameter Estimation of Hidden Markov Models. IEEE Transactions on Information Theory 46 (2000)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2009

Authors and Affiliations

  1. 1.Centre for Telematics and Information Technology, Faculty of Electrical Engineering, Mathematics and Computer ScienceUniversity of TwenteEnschedeThe Netherlands

Personalised recommendations