Different approaches for the detection of SSH anomalous connections

The Secure Shell Protocol (SSH) is a well-known standard protocol, mainly used for remotely accessing shell accounts on Unix-like operating systems to perform administrative tasks. As a result, the SSH service has been an appealing target for attackers, aiming to guess root passwords performing dictionary attacks or to directly exploit the service itself. To identify such situations, this article addresses the detection of SSH anomalous connections from an intrusion detection perspective. The main idea is to compare several strategies and approaches for a better detection of SSH-based attacks. To test the classification performance of different classifiers and combinations of them, SSH data coming from a real-world honeynet are gathered and analysed. For comparison purposes and to draw conclusions about data collection, both packet-based and flow data are analysed. A wide range of classifiers and ensembles are applied to these data, as well as different validation schemes for better analysis of the obtained results. The high-rate classification results lead to positive conclusions about the identification of malicious SSH connections

Different approaches for the detection of SSH anomalous connections

Abstract The Secure Shell Protocol (SSH) is a well-known standard protocol, mainly used for remotely accessing shell accounts on Unix-like operating systems to perform administrative tasks. As a result, the SSH service has been an appealing target for attackers, aiming to guess root passwords performing dictionary attacks or to directly exploit the service itself. To identify such situations, this article addresses the detection of SSH anomalous connections from an intrusion detection perspective. The main idea is to compare several strategies and approaches for a better detection of SSH-based attacks. To test the classification performance of different classifiers and combinations of them, SSH data coming from a real-world honeynet are gathered and analysed. For comparison purposes and to draw conclusions about data collection, both packet-based and flow data are analysed. A wide range of classifiers and ensembles are applied to these data, as well as different validation schemes for better analysis of the obtained results. The high-rate classification results lead to positive conclusions about the identification of malicious SSH connections

Distributed Analysis of SSH Brute Force and Dictionary Based Attacks

When designing and implementing a new system, one of the most common misuse cases a system administrator or security architect anticipates is the fact that their system will be attacked with brute force and dictionary-based methods. These attack vectors are commonplace and as such, common defenses have been designed to help mitigate a successful attack. However, the common defenses employed are anticipated and mitigated by even the most novice of attackers. In order to better understand that nature and evolution of brute-force and dictionary attacks, research needs to evaluate the progression of the attack vectors as well as new variables to identify the risk of systems. The research that follows is designed to look at brute force and dictionary-based attacks from a geographical standpoint. Specifically, the data gathered will be analyzed to define attack anomalies based on date, time, location, operating system, and attacking clients in order to ascertain if such variables are viable attack indication markers for defense purposes