Skip to main content
Springer Nature Link
Log in

Classification of SSH Anomalous Connections

  • Conference paper
International Joint Conference SOCO’13-CISIS’13-ICEUTE’13

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 239))

Abstract

The Secure Shell Protocol (SSH) is a well-known standard protocol for remote login and used as well for other secure network services over an insecure network. It is mainly used for remotely accessing shell accounts on Unix-liked operating systems to perform administrative tasks. For this reason, the SSH service has been for years an attractive target for attackers, aiming to guess root passwords performing dictionary attacks, or to directly exploit the service itself. To test the classification performance of different classifiers and combinations of them, this study gathers and analyze SSH data coming from a honeynet and then it is analysed by means of a wide range of classifiers. The high-rate classification results lead to positive conclusions about the identification of malicious SSH connections.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Myerson, J.M.: Identifying Enterprise Network Vulnerabilities. International Journal of Network Management 12, 135–144 (2002)

    Article  Google Scholar 

  2. Computer Security Threat Monitoring and Surveillance. Technical Report. James P. Anderson Co. (1980)

    Google Scholar 

  3. Denning, D.E.: An Intrusion-Detection Model. IEEE Transactions on Software Engineering 13, 222–232 (1987)

    Article  Google Scholar 

  4. Chih-Fong, T., Yu-Feng, H., Chia-Ying, L., Wei-Yang, L.: Intrusion Detection by Machine Learning: A Review. Expert Systems with Applications 36, 11994–12000 (2009)

    Article  Google Scholar 

  5. Abraham, A., Grosan, C., Martin-Vide, C.: Evolutionary Design of Intrusion Detection Programs. International Journal of Network Security 4, 328–339 (2007)

    Google Scholar 

  6. Julisch, K.: Data Mining for Intrusion Detection: A Critical Review. In: Barbará, D., Jajodia, S. (eds.) Applications of Data Mining in Computer Security, pp. 33–62. Kluwer Academic Publishers (2002)

    Google Scholar 

  7. Giacinto, G., Roli, F., Didaci, L.: Fusion of Multiple Classifiers for Intrusion Detection in Computer Networks. Pattern Recognition Letters 24, 1795–1803 (2003)

    Article  Google Scholar 

  8. Chebrolu, S., Abraham, A., Thomas, J.P.: Feature Deduction and Ensemble Design of Intrusion Detection Systems. Computers & Security 24, 295–307 (2005)

    Article  Google Scholar 

  9. Kim, H.K., Im, K.H., Park, S.C.: DSS for Computer Security Incident Response Applying CBR and Collaborative Response. Expert Systems with Applications 37, 852–870 (2010)

    Article  Google Scholar 

  10. Tajbakhsh, A., Rahmati, M., Mirzaei, A.: Intrusion Detection using Fuzzy Association Rules. Applied Soft Computing 9, 462–469 (2009)

    Article  Google Scholar 

  11. Sarasamma, S.T., Zhu, Q.M.A., Huff, J.: Hierarchical Kohonenen Net for Anomaly Detection in Network Security. IEEE Transactions on Systems Man and Cybernetics, Part B 35, 302–312 (2005)

    Article  Google Scholar 

  12. Herrero, Á., Corchado, E., Gastaldo, P., Zunino, R.: Neural Projection Techniques for the Visual Inspection of Network Traffic. Neurocomputing 72, 3649–3658 (2009)

    Article  Google Scholar 

  13. Zhang, C., Jiang, J., Kamel, M.: Intrusion Detection using Hierarchical Neural Networks. Pattern Recognition Letters 26, 779–791 (2005)

    Article  Google Scholar 

  14. Marchette, D.J.: Computer Intrusion Detection and Network Monitoring: A Statistical Viewpoint. Springer-Verlag New York, Inc. (2001)

    Google Scholar 

  15. Roesch, M.: Snort–Lightweight Intrusion Detection for Networks. In: 13th Systems Administration Conference (LISA 1999), pp. 229–238 (1999)

    Google Scholar 

  16. SANS Institute’s Internet Storm Center, https://isc.sans.edu/port.html?port=22

  17. Charles, K.A.: Decoy Systems: A New Player in Network Security and Computer Incident Response. International Journal of Digital Evidence 2 (2004)

    Google Scholar 

  18. Provos, N.: A Virtual Honeypot Framework. In: 13th USENIX Security Symposium, vol. 132 (2004)

    Google Scholar 

  19. Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F.: The Nepenthes Platform: An Efficient Approach to Collect Malware. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 165–184. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  20. Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-service Activity. ACM Transactions on Computer Systems 24, 115–139 (2006)

    Article  Google Scholar 

  21. Herrero, Á., Zurutuza, U., Corchado, E.: A Neural-Visualization IDS for Honeynet Data. International Journal of Neural Systems 22, 1–18 (2012)

    Article  Google Scholar 

  22. Song, D.X., Wagner, D., Tian, X.: Timing Analysis of Keystrokes and Timing Attacks on SSH. In: Proceedings of the 10th Conference on USENIX Security Symposium, vol. 10, p. 25. USENIX Association, Washington, D.C. (2001)

    Google Scholar 

  23. Coster, D.D., Woutersen, D.: Beyond the SSH Brute Force Attacks. In: 10th GOVCERT.NL Symposium (2011)

    Google Scholar 

  24. Koniaris, I., Papadimitriou, G., Nicopolitidis, P.: Analysis and Visualization of SSH Attacks Using Honeypots. In: IEEE European Conference on Computer as a Tool (IEEE EUROCON 2013) (2013)

    Google Scholar 

  25. Friedman, J.H., Tukey, J.W.: A Projection Pursuit Algorithm for Exploratory Data-Analysis. IEEE Transactions on Computers 23, 881–890 (1974)

    Article  MATH  Google Scholar 

  26. Bishop, C.M.: Pattern Recognition and Machine Learning. Springer (2007)

    Google Scholar 

  27. Seni, G., Elder, J.: Ensemble Methods in Data Mining: Improving Accuracy Through Combining Predictions. Morgan and Claypool Publishers (2010)

    Google Scholar 

  28. Freund, Y., Schapire, R.E.: Large Margin Classification Using the Perceptron Algorithm. Mach. Learn. 37, 277–296 (1999)

    Article  MATH  Google Scholar 

  29. Moody, J., Darken, C.J.: Fast Learning in Networks of Locally-tuned Processing Units. Neural Computation 1, 281–294 (1989)

    Article  Google Scholar 

  30. Bailey, T., Jain, A.: A Note on Distance-Weighted k-Nearest Neighbor Rules. IEEE Transactions on Systems, Man and Cybernetics 8, 311–313 (1978)

    Article  MATH  Google Scholar 

  31. Breiman, L., Friedman, J.H., Olshen, R.A., Stone, C.J.: Classification and Regression Trees, p. 358. Wadsworth Inc., Belmont (1984)

    MATH  Google Scholar 

  32. Zhao, Y., Zhang, Y.: Comparison of Decision Tree Methods for Finding Active Objects. Advances in Space Research 41, 1955–1959 (2008)

    Article  Google Scholar 

  33. Breiman, L.: Bagging Predictors. Machine Learning 24, 123–140 (1996)

    MathSciNet  MATH  Google Scholar 

  34. Freund, Y., Schapire, R.E.: Experiments with a New Boosting Algorithm. In: International Conference on Machine Learning, pp. 148–156 (1996)

    Google Scholar 

  35. Friedman, J., Hastie, T., Tibshirani, R.: Additive Logistic Regression: a Statistical View of Boosting. The Annals of Statistics 28, 337–407 (2000)

    Article  MathSciNet  MATH  Google Scholar 

  36. Seewald, A.K.: How to Make Stacking Better and Faster While Also Taking Care of an Unknown Weakness. In: Nineteenth International Conference on Machine Learning. Morgan Kaufmann Publishers Inc. (2002)

    Google Scholar 

  37. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., Witten, I.H.: The WEKA Data Mining Software: An Update. ACM SIGKDD Explorations Newsletter 11, 10–18 (2009)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Instituto Tecnológico de Castilla y León, C/ López Bravo 70, Pol. Ind. Villalonquejar, 09001, Burgos, Spain

    Silvia González & Javier Sedano

  2. Electronics and Computing Department, Mondragon University, Goiru Kalea, 2, 20500, Arrasate-Mondragon, Spain

    Urko Zurutuza & Enaitz Ezpeleta

  3. Department of Civil Engineering, University of Burgos, C/ Francisco de Vitoria s/n, 09006, Burgos, Spain

    Diego Martínez & Álvaro Herrero

  4. Departamento de Informática y Automática, Universidad de Salamanca, Plaza de la Merced, s/n, 37008, Salamanca, Spain

    Emilio Corchado

Authors
  1. Silvia González
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Javier Sedano
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Urko Zurutuza
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Enaitz Ezpeleta
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Diego Martínez
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Álvaro Herrero
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Emilio Corchado
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Silvia González .

Editor information

Editors and Affiliations

  1. Department of Civil Engineering, University of Burgos, Burgos, Spain

    Álvaro Herrero

  2. Department of Civil Engineering, University of Burgos, Burgos, Spain

    Bruno Baruque

  3. German Workforce ADL Partnership Laboratory, Waltershausen, Germany

    Fanny Klett

  4. Scientific Network for Innovation and Research Excellence, Machine Intelligence Research Labs (MIR Labs), Auburn, Washington, USA

    Ajith Abraham

  5. Department of Computer Science Faculty of Ele. Eng. & Computer Science, VŠB-TU Ostrava, Ostrava, Czech Republic

    Václav Snášel

  6. Department of Computer Science, University of Sao Paulo at Sao Carlos, Sao Carlos, Brazil

    André C.P.L.F. de Carvalho

  7. DeustoTech Computing, University of Deusto, Bilbao, Spain

    Pablo García Bringas

  8. Department of Computer Science Faculty of Elec. Eng. and Comp. Science, VŠB-TU Ostrava, Ostrava, Czech Republic

    Ivan Zelinka

  9. University of Salamanca, Salamanca, Spain

    Héctor Quintián

  10. University of Salamanca, Salamanca, Spain

    Emilio Corchado

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

González, S. et al. (2014). Classification of SSH Anomalous Connections. In: Herrero, Á., et al. International Joint Conference SOCO’13-CISIS’13-ICEUTE’13. Advances in Intelligent Systems and Computing, vol 239. Springer, Cham. https://doi.org/10.1007/978-3-319-01854-6_49

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-01854-6_49

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-01853-9

  • Online ISBN: 978-3-319-01854-6

  • eBook Packages: EngineeringEngineering (R0)

Publish with us

Policies and ethics