{"title":"Who is Trying to Compromise Your SSH Server ? An Analysis of Authentication Logs and Detection of Bruteforce Attacks","authors":"Pratibha Khandait, Namrata Tiwari, N. Hubballi","doi":"10.1145/3427477.3429772","DOIUrl":null,"url":null,"abstract":"Secure Socket Shell (SSH) allows users to connect and access the system remotely through a publicly exposed interface. These systems often become the target of attacks where an intruder attempts to break into a system by guessing login credentials. These login attempts are generally recorded into a log file by the server. Our contribution in this paper is twofold. First we report on a case study using logs of an SSH server deployed in a production environment. Using a dataset collected over a span of one month with more than one hundred thousand connection records, we study various types of failed login attempts, common usernames being attempted, recurrence of attack sources over time and geographical location of attackers. Our case study reveals that attackers attempt various methods to break into the system, there are few common usernames which were tried persistently, origin of attacks are well spread and more than a handful number of sources make repeated attempts to break into the system spanning weeks. As a second contribution, we propose a method to differentiate failed and successful login attempts using network flow level statistics and subsequently use them to detect attacks. We experiment with flow records labelled with ground truth and show that proposed method is able to identify logins which are failed as well as successful.","PeriodicalId":435827,"journal":{"name":"Adjunct Proceedings of the 2021 International Conference on Distributed Computing and Networking","volume":"39 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-12-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Adjunct Proceedings of the 2021 International Conference on Distributed Computing and Networking","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3427477.3429772","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 3
Abstract
Secure Socket Shell (SSH) allows users to connect and access the system remotely through a publicly exposed interface. These systems often become the target of attacks where an intruder attempts to break into a system by guessing login credentials. These login attempts are generally recorded into a log file by the server. Our contribution in this paper is twofold. First we report on a case study using logs of an SSH server deployed in a production environment. Using a dataset collected over a span of one month with more than one hundred thousand connection records, we study various types of failed login attempts, common usernames being attempted, recurrence of attack sources over time and geographical location of attackers. Our case study reveals that attackers attempt various methods to break into the system, there are few common usernames which were tried persistently, origin of attacks are well spread and more than a handful number of sources make repeated attempts to break into the system spanning weeks. As a second contribution, we propose a method to differentiate failed and successful login attempts using network flow level statistics and subsequently use them to detect attacks. We experiment with flow records labelled with ground truth and show that proposed method is able to identify logins which are failed as well as successful.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
