
Realtime Risk Monitoring of SSH Brute Force Attacks

Conference paper in: Innovations for Community Services (I4CS 2022)

Abstract

The Secure Shell (SSH) has served for years as the primary protocol for securely controlling networked remote devices. In particular, administrators of Linux and, increasingly, also Windows systems rely on the speed and convenience of SSH while holding powerful rights. Consequently, attackers set out to acquire these privileges, preferably by trying a myriad of credentials until they succeed or give up. All known pertinent scientific resources limit themselves to compiling descriptive statistics about such brute force attacks or to detecting them. The reviewed articles and papers neglect that each penetration attempt implies a different hazard for its target. This contribution bridges the gap by surveying the relevant academic material and elaborating the blind spot of monitoring the risk of SSH brute force attacks in real time. Beyond that, it formally verifies the hazardously raised likelihood that SSH brute force attacks succeed when they knowingly or unwittingly use the same patterns as the passwords of their targets. Based on that, it presents a viable solution: a Condition Monitoring System (CMS) that monitors SSH brute force attacks and assesses their jeopardy in real time.
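As an added illustration, not the paper's own CMS (whose design is not reproduced on this page), the following Python script shows what risk-weighted rather than count-based monitoring of sshd authentication failures looks like. The log lines are constructed; the weights, the privileged-account set, the 60 s window and the alert threshold are assumptions chosen for the example; the only signal used is what OpenSSH already writes to the auth log, namely which account was attacked and whether it exists on the host.

```python
"""
Risk-weighted sliding-window monitor for sshd "Failed password" log lines.
Added example; the weighting scheme is an assumption, not the paper's CMS.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# OpenSSH "Failed password" line behind an RFC 3339 syslog timestamp.
# sshd writes "invalid user" when the named account does not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

# Assumed weights: one guess carries a different hazard depending on its aim.
WEIGHT_INVALID_USER = 1.0      # non-existent account: the guess cannot succeed
WEIGHT_VALID_USER = 4.0        # existing account: a hit yields a shell
WEIGHT_PRIVILEGED_USER = 10.0  # root/admin: a hit yields the whole host
PRIVILEGED = {"root", "admin"}  # assumed privileged account names
ALERT_THRESHOLD = 20.0          # assumed; tune per environment

Event = Tuple[float, str, str, bool]  # (epoch seconds, src, user, invalid)


def parse_line(line: str) -> Optional[Event]:
    """Return (ts, src, user, invalid) for a failed-password line, else None."""
    m = FAILED_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"]).timestamp()
    return ts, m["src"], m["user"], m["invalid"] is not None


def weight(user: str, invalid: bool) -> float:
    """Hazard of a single guess, derived from its target account."""
    if invalid:
        return WEIGHT_INVALID_USER
    if user in PRIVILEGED:
        return WEIGHT_PRIVILEGED_USER
    return WEIGHT_VALID_USER


class RiskMonitor:
    """Keeps a sliding window of weighted failures per source address."""

    def __init__(self, window_s: float = 60.0):
        self.window_s = window_s
        self.window: Dict[str, Deque[Tuple[float, float]]] = defaultdict(deque)

    def observe(self, ev: Event) -> float:
        """Record one failure and return the source's current risk."""
        ts, src, user, invalid = ev
        q = self.window[src]
        q.append((ts, weight(user, invalid)))
        while q and q[0][0] < ts - self.window_s:  # expire attempts outside the window
            q.popleft()
        return self.risk(src)

    def risk(self, src: str) -> float:
        return sum(w for _, w in self.window[src])

    def attempts(self, src: str) -> int:
        return len(self.window[src])


def run(lines: List[str], window_s: float = 60.0) -> Tuple[Dict[str, float], List[str]]:
    """Feed log lines in order; return final risk per source and the sources
    that crossed ALERT_THRESHOLD, in the order in which they crossed it."""
    mon = RiskMonitor(window_s)
    alerted: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if mon.observe(ev) >= ALERT_THRESHOLD and ev[1] not in alerted:
            alerted.append(ev[1])
    return {src: mon.risk(src) for src in mon.window}, alerted


# Constructed sample: 203.0.113.5 sprays five non-existent accounts, while
# 198.51.100.7 makes only three guesses, all of them against root.
SAMPLE_LOG = [
    "2022-06-14T10:00:01+00:00 host sshd[4711]: Failed password for invalid user oracle from 203.0.113.5 port 40001 ssh2",
    "2022-06-14T10:00:02+00:00 host sshd[4712]: Failed password for invalid user test from 203.0.113.5 port 40002 ssh2",
    "2022-06-14T10:00:03+00:00 host sshd[4713]: Failed password for invalid user pi from 203.0.113.5 port 40003 ssh2",
    "2022-06-14T10:00:04+00:00 host sshd[4714]: Failed password for invalid user ubuntu from 203.0.113.5 port 40004 ssh2",
    "2022-06-14T10:00:05+00:00 host sshd[4715]: Failed password for invalid user git from 203.0.113.5 port 40005 ssh2",
    "2022-06-14T10:00:10+00:00 host sshd[4716]: Failed password for root from 198.51.100.7 port 50001 ssh2",
    "2022-06-14T10:00:11+00:00 host sshd[4717]: Failed password for root from 198.51.100.7 port 50002 ssh2",
    "2022-06-14T10:00:12+00:00 host sshd[4718]: Failed password for root from 198.51.100.7 port 50003 ssh2",
]

if __name__ == "__main__":
    risks, alerts = run(SAMPLE_LOG)
    for src, r in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"{src:15} risk={r:5.1f}")
    print("alerts:", alerts)
```

Run as a script, the sprayer with five attempts scores 5.0, while the source with three guesses at root scores 30.0 and is the only one that trips the alert; a plain attempt counter would rank them the other way round, which is the blind spot the abstract describes. Note that sshd never logs the attempted passwords, so the pattern-similarity argument from the abstract cannot be reproduced from the auth log alone.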



Acknowledgments

Many thanks to Bettina Baumgartner from the University of Vienna for proofreading this paper!

Author information

Correspondence to Günter Fahrnberger.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

Fahrnberger, G. (2022). Realtime Risk Monitoring of SSH Brute Force Attacks. In: Phillipson, F., Eichler, G., Erfurth, C., Fahrnberger, G. (eds) Innovations for Community Services. I4CS 2022. Communications in Computer and Information Science, vol 1585. Springer, Cham. https://doi.org/10.1007/978-3-031-06668-9_8

  • DOI: https://doi.org/10.1007/978-3-031-06668-9_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-06667-2

  • Online ISBN: 978-3-031-06668-9
