Honeynet Data Analysis and Distributed SSH Brute-Force Attacks

Sadasivam, Gokul Kannan; Hota, Chittaranjan; Anand, Bhojan

doi:10.1007/978-981-13-2348-5_9

Gokul Kannan Sadasivam⁴,
Chittaranjan Hota⁴ &
Bhojan Anand⁵

688 Accesses
11 Citations

Abstract

Due to the increase in the number of network attacks, it has become essential to gain deeper insight into the malicious activities carried out by the attackers. In this paper, the authors have analysed malicious network traffic captured using a honeynet and provided a deeper understanding of brute-force attacks. Initially, the overall attack behaviour is known. Since the most attacked service was SSH, it was scrutinised to know more about distributed brute-force attacks. It is highly unlikely that the distributed brute-force attacks are from a single botnet. The authors have proposed a methodology to detect individual botnets from a set of password-guessing attacks.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 84.99; Price excludes VAT (USA)

Hardcover Book: USD 109.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

Calyptix. (2015). Top 7 network attack types in 2015. https://www.calyptix.com/top-threats/top-7-network-attack-types-in-2015-so-far.
McAfee. (2015). Mcafee labs threats report. https://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf.
Sadasivam, G., & Hota, C. (2015). Scalable honeypot architecture for identifying malicious network activities. In 2015 International Conference on Emerging Information Technology and Engineering Solutions (EITES) (pp. 27–31). https://doi.org/10.1109/eites.2015.15.
Spitzner, L. (2002). Honeypots: Tracking hackers. Addison-Wesley Longman Publishing Co.
Google Scholar
Abdou, A., Barrera, D., & van Oorschot, P. C. (2016). What lies beneath? Analyzing automated SSH bruteforce attacks (pp. 72–91). Cham: Springer International Publishing. https://doi.org/10.1007/978-3-319-29938-9_6. https://doi.org/10.1007/978-3-319-29938-9_6.
Owens, J., & Matthews, J. (2008). A study of passwords and methods used in brute-force SSH attacks. Technical Report. http://people.clarkson.edu/~jmatthew/publications/leet08.pdf.
Rabadia, P., & Valli, C. (2014). Finding evidence of wordlists being deployed against SSH honeypots—Implications and impacts. In 12th Australian Digital Forensics Conference (pp. 114–121). http://ro.ecu.edu.au/adf/141.
Sokol, P., & Kopčová, V. (2016). Lessons learned from correlation of honeypots’ data and spatial data. In 2016 8th International Conference on Electronics, Computers and Artificial Intelligence (ECAI) (pp. 1–8). https://doi.org/10.1109/ecai.2016.7861111.
Javed, M., & Paxson, V. (2013). Detecting stealthy, distributed SSH brute-forcing. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security (pp. 85–96). ACM.
Google Scholar
Malecot, E. L., Hori, Y., Sakurai, K., Ryou, J. C., & Lee, H. (2008). (Visually) Tracking distributed SSH brute force attacks? In Proceedings of the 3rd International Joint Workshop on Information Security and Its Applications (IJWISA 2008) (pp. 1–8).
Google Scholar
Saito, S., Maruhashi, K., Takenaka, M., & Torii, S. (2016). Topase: Detection and prevention of brute force attacks with disciplined IPs from IDs logs. Journal of Information Processing, 24(2), 217–226. https://doi.org/10.2197/ipsjjip.24.217.
Article Google Scholar
Geolocation utilities (2017). https://www.maxmind.com.
Iana source port (2017). https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml.
Kippo. https://www.cert.pl/en/news/single/in-depth-look-at-kippo-an-integration-perspective/.
Seifert, C. (2006). Analyzing malicious SSH login attempts. https://www.symantec.com/connect/articles/analyzing-malicious-ssh-login-attempts.
Hofstede, R., Hendriks, L., Sperotto, A., & Pras, A. (2014). SSH compromise detection using NetFlow/IPFIX. SIGCOMM Computer Communication Review, 44(5), 20–26. https://doi.org/10.1145/2677046.2677050. http://doi.acm.org/10.1145/2677046.2677050.
Article Google Scholar
Hansteen, P. N. M. (2013). The Hail Mary Cloud data. http://bsdly.blogspot.in/2013/10/the-hail-mary-cloud-and-lessons-learned.html.

Download references

Author information

Authors and Affiliations

Department of Computer Science, BITS, Pilani, Hyderabad Campus, Hyderabad, Telangana, India
Gokul Kannan Sadasivam & Chittaranjan Hota
School of Computing, National University of Singapore, Computing 1, 13 Computing Drive, Singapore, Singapore
Bhojan Anand

Authors

Gokul Kannan Sadasivam
View author publications
You can also search for this author in PubMed Google Scholar
Chittaranjan Hota
View author publications
You can also search for this author in PubMed Google Scholar
Bhojan Anand
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Gokul Kannan Sadasivam .

Editor information

Editors and Affiliations

Department of Computer Engineering, Netaji Subhas Institute of Technology, University of Delhi, New Delhi, India
Shampa Chakraverty
SAP Canada, Waterloo, ON, Canada
Anil Goel
Department of Electrical and Information Engineering, Covenant University, Ota, Nigeria
Sanjay Misra

Rights and permissions

Reprints and permissions

Copyright information

About this chapter

Cite this chapter

Sadasivam, G.K., Hota, C., Anand, B. (2018). Honeynet Data Analysis and Distributed SSH Brute-Force Attacks. In: Chakraverty, S., Goel, A., Misra, S. (eds) Towards Extensible and Adaptable Methods in Computing. Springer, Singapore. https://doi.org/10.1007/978-981-13-2348-5_9

Download citation

DOI: https://doi.org/10.1007/978-981-13-2348-5_9
Published: 05 November 2018
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-2347-8
Online ISBN: 978-981-13-2348-5
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics