Flow-based detection of RDP brute-force attacks
The result's identifiers
Result code in IS VaVaI
RIV/00216224:14610/13:00065720 - isvavai.cz (https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F13%3A00065720)
Result on the web
—
DOI - Digital Object Identifier
—
Alternative languages
Result language
English
Original language name
Flow-based detection of RDP brute-force attacks
Original language description
This paper describes the design and evaluation of a network-based detection of brute-force attacks against Microsoft Windows RDP authentication. Network flow data provides sufficient information about the communication between two nodes in the network even though RDP traffic is encrypted. The analysis was based on network flow data collected in the Masaryk University network and on host-based data from the event log of a server with Remote Desktop Connection enabled. The information gathered from the server event log helped us improve the flow-based detection. Despite RDP being encrypted, flow data gives us enough information to determine whether a connection is an authentication attempt or a regular remote desktop session. We implemented the attack detection as a plugin for the widely used NfSen collector. The plugin is part of the active defense of the Masaryk University network.
Czech name
—
Czech description
—
Classification
Type
D - Article in proceedings
CEP classification
IN - Informatics
OECD FORD branch
—
Result continuities
Project
VG20132015103: Cybernetic Proving Ground (/en/project/VG20132015103)
Continuities
P - Research and development project financed from public sources (with a link to CEP)
Others
Publication year
2013
Confidentiality
S - Complete and true data about the project are not subject to protection under special legal regulations
Data specific for result type
Article name in the collection
Security and Protection of Information 2013
ISBN
9788072319220
ISSN
—
e-ISSN
—
Number of pages
8
Pages from-to
131-138
Publisher name
Univerzita obrany
Place of publication
Brno
Event location
Brno
Event date
May 22, 2013
Type of event by nationality
WRD - Worldwide event
UT code for WoS article
—