Flow-based SSH Dictionary Attack Detection: the Effects of Aggregation

Jonker, M. (2014) Flow-based SSH Dictionary Attack Detection: the Effects of Aggregation.

PDF (835kB)
Abstract: Many types of brute-force attacks are known to exhibit a characteristic flat behavior at the network level, meaning that connections feature a similar number of packets and bytes, and a similar duration. Flat traffic is usually caused by repeating similar application-layer actions, such as the login attempts in a brute-force attack. This characteristic is used by many intrusion detection systems, both for identifying the presence of attacks and, once an attack has been detected, for observing deviations from the flat pattern, which can point out potential compromises, for example. However, the flatness of network traffic may become indistinct when TCP retransmissions and control information come into play. In this paper, we show exactly this effect, based on an SSH attack case study. More specifically, we show that our approach dramatically improves the number of true detections of a state-of-the-art detection algorithm by up to 20 percentage points, as well as increasing its accuracy, at no cost for analysis applications.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)
Link to this item: http://purl.utwente.nl/essays/65855