University of Twente Student Theses


Flow-based SSH Dictionary Attack Detection: the Effects of Aggregation

Jonker, M. (2014) Flow-based SSH Dictionary Attack Detection: the Effects of Aggregation.

Abstract: Many types of brute-force attacks are known to exhibit a characteristic flat behavior at the network level, meaning that connections feature a similar number of packets and bytes, and a similar duration. Flat traffic is usually caused by repeating similar application-layer actions, such as login attempts in a brute-force attack. This characteristic is used by many intrusion detection systems, both for identifying the presence of attacks and, once an attack has been detected, for observing deviations from the flat pattern, which may point out potential compromises, for example. However, the flatness of network traffic may become indistinct when TCP retransmissions and control information come into play. In this paper, we show exactly that, based on an SSH attack case study. More specifically, we show that our approach dramatically improves the number of true detections of a state-of-the-art detection algorithm, by up to 20 percentage points, while also increasing its accuracy, at no cost for analysis applications.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)