Refined detection of SSH brute-force attackers using machine learning

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F63839172%3A_____%2F20%3A10133296" target="_blank" >RIV/63839172:_____/20:10133296 - isvavai.cz</a>

Nalezeny alternativní kódy

RIV/68407700:21240/20:00341783

Výsledek na webu

<a href="http://dx.doi.org/10.1007/978-3-030-58201-2_4" target="_blank" >http://dx.doi.org/10.1007/978-3-030-58201-2_4</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1007/978-3-030-58201-2_4" target="_blank" >10.1007/978-3-030-58201-2_4</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Refined detection of SSH brute-force attackers using machine learning

Popis výsledku v původním jazyce

This paper presents a novel approach to detect SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data. However, our evaluation shows significant false-positive (FP) results of the current solution. To overcome the issue of high FP rate, we propose a machine learning (ML) approach to detection using specially extended IP Flows. The contributions of this paper are a new dataset from real environment, experimentally selected ML method, which performs with high accuracy and low FP rate, and an architecture of the detection system. The dataset for training was created using extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, using a packet trace with SSH logs from real production servers.

Název v anglickém jazyce

Refined detection of SSH brute-force attackers using machine learning

Popis výsledku anglicky

This paper presents a novel approach to detect SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data. However, our evaluation shows significant false-positive (FP) results of the current solution. To overcome the issue of high FP rate, we propose a machine learning (ML) approach to detection using specially extended IP Flows. The contributions of this paper are a new dataset from real environment, experimentally selected ML method, which performs with high accuracy and low FP rate, and an architecture of the detection system. The dataset for training was created using extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, using a packet trace with SSH logs from real production servers.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

20202 - Communication engineering and systems

Projekt

<a href="/cs/project/EF16_013%2F0001797" target="_blank" >EF16_013/0001797: E-infrastruktura CESNET - modernizace</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2020

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

ICT Systems Security and Privacy Protection

ISBN

978-3-030-58200-5

ISSN

1868-4238

e-ISSN

—

Počet stran výsledku

15

Strana od-do

49-63

Název nakladatele

Springer

Místo vydání

Švýcarsko

Místo konání akce

Maribor

Datum konání akce

21. 9. 2020

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

—