Abstract
The Secure Shell (SSH) has served for years as the primary protocol for securely controlling networked remote devices. In particular, administrators of Linux and, to an increasing degree, also Windows operating systems with powerful rights capitalize on the speed and convenience of SSH. Consequently, attackers zero in on acquiring these powerful privileges, preferably by attempting a myriad of credentials until success or exhaustion. All known pertinent scientific resources limit themselves to compiling descriptive statistics or to detecting such brute force attacks. The reviewed articles and papers neglect that each penetration attempt implies a different hazard for its target. This contribution bridges the gap by surveying relevant academic material and elaborating on the blind spot of monitoring the risk of SSH brute force attacks in real time. Beyond that, this document formally verifies the hazardously raised likelihood of SSH brute force attacks that knowingly or unwittingly use the same patterns as the passwords of their targets. Based on that, it presents a viable solution with a Condition Monitoring System (CMS) that monitors SSH brute force attacks and assesses their jeopardy in real time.
Acknowledgments
Many thanks to Bettina Baumgartner from the University of Vienna for proofreading this paper!
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Fahrnberger, G. (2022). Realtime Risk Monitoring of SSH Brute Force Attacks. In: Phillipson, F., Eichler, G., Erfurth, C., Fahrnberger, G. (eds) Innovations for Community Services. I4CS 2022. Communications in Computer and Information Science, vol 1585. Springer, Cham. https://doi.org/10.1007/978-3-031-06668-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-06667-2
Online ISBN: 978-3-031-06668-9