Refined Detection of SSH Brute-Force Attackers Using Machine Learning - ICT Systems Security and Privacy Protection
Conference paper, 2020

Refined Detection of SSH Brute-Force Attackers Using Machine Learning

Abstract

This paper presents a novel approach to detecting SSH brute-force (BF) attacks in high-speed networks. In contrast to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data; however, our evaluation shows a significant false-positive (FP) rate for the current solution. To overcome the high FP rate, we propose a machine learning (ML) approach to detection that uses specially extended IP Flows. The contributions of this paper are a new dataset from a real environment, an experimentally selected ML method that performs with high accuracy and a low FP rate, and an architecture for the detection system. The training dataset was created through extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, a packet trace with SSH logs from real production servers.
Main file: 497034_1_En_4_Chapter.pdf (300.33 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-03440815 , version 1 (22-11-2021)

Cite

Karel Hynek, Tomáš Beneš, Tomáš Čejka, Hana Kubátová. Refined Detection of SSH Brute-Force Attackers Using Machine Learning. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.49-63, ⟨10.1007/978-3-030-58201-2_4⟩. ⟨hal-03440815⟩