Abstract
Many of the network services (protocols like SSH, Telnet, HTTP, and FTP) implement password-based authentication for accessing system resources. Malicious entities carry out password guessing attacks to exploit network services. Existing security tools detect aggressive password guessing attacks (i.e., a high number of login attempts in a short duration of time). In order to evade detection, the attackers are guessing the logins in a slow manner (for example, a login attempt every few minutes/hours/days). These attacks are called as stealthy password guessing attacks. These attacks have caused damage to the company’s servers and try to exploit vulnerable IoT devices. The current literature detects stealthy distributed password guessing attacks, but no attempt is made to detect stealthy single-source password guessing attacks. The authors have proposed a cluster-based approach to handle this problem. The model uses a data set obtained from a honeypot system. The clusters are well-formed (high-performance metric), validating the detection of these attacks.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
Availability of data and material
Not applicable
References
Abdou A, Barrera D, van Oorschot PC (2016) What Lies Beneath? Analyzing Automated SSH Bruteforce Attacks, vol 9551, Springer International Publishing, chap 6, pp 72–91. https://doi.org/10.1007/978-3-319-29938-9_6
Alata E (2007) Observation, characterization and modeling of attack processes on the internet. PhD thesis, INSA of Toulouse, URL https://tel.archives-ouvertes.fr/tel-00280126/file/THESE_ERIC_ALATA_TSF.pdf
Antonakakis M, April T, Bailey M, Bernhard M, Bursztein E, Cochran J, Durumeric Z, Halderman JA, Invernizzi L, Kallitsis M, Kumar D, Lever C, Ma Z, Mason J, Menscher D, Seaman C, Sullivan N, Thomas K, Zhou Y (2017) Understanding the mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 17), USENIX Association, Vancouver, BC, pp 1093–1110, URL https://www.usenix.org/conference/usenixsecurity17/technical-sessions/presentation/antonakakis
Bezut R, Bernet-Rollande V (2010) Study of dictionary attacks on ssh. Tech. rep., Universite de Technologie Compiegne, Compiegne, France, URL https://files.xdec.net/TX_EN_Bezut_Bernet-Rollande_BruteForce_SSH.pdf
Choi H, Lee H, Kim H (2009) Fast detection and visualization of network attacks on parallel coordinates. Comput Security 28(5):276–288. https://doi.org/10.1016/j.cose.2008.12.003, URL http://www.sciencedirect.com/science/article/pii/S0167404808001363
Chopde A (2005) Blockhosts. URL https://www.aczoom.com/tools/blockhosts/blockhosts.html
Conti G, Abdullah K (2004) Passive visual fingerprinting of network attack tools. In: Proceedings of the CCS Workshop on Visualization and Data Mining for Computer Security, ACM, New York, NY, USA, VizSEC/DMSEC ’04, pp 45–54, https://doi.org/10.1145/1029208.1029216
Davenport S (2013) Slow brute force attack. URL https://github.blog/2013-11-20-weak-passwords-brute-forced/
Dunn JE (2018) Poorly secured ssh servers targeted by chalubo botnet. URL https://nakedsecurity.sophos.com/2018/10/24/poorly-secured-ssh-servers-targeted-by-chalubo-botnet/
ESET, Malik M (2017) Linux shishiga malware using lua scripts. URL https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts
Gamblin J (2017) Source code of mirai botnet. URL https://github.com/jgamblin/Mirai-Source-Code
Gerzo D (2005) bruteforceblocker. URL http://danger.rulez.sk/projects/bruteforceblocker/
Ghourabi A, Abbes T, Bouhoula A (2014) Behavior Analysis of Web Service Attacks, vol 428, Springer, Berlin, Heidelberg, pp 366–379. https://doi.org/10.1007/978-3-642-55415-5_31
Goldberg D, Ziv O (2018) Bread and butter attacks. URL https://www.guardicore.com/2018/11/butter-brute-force-ssh-attack-tool-evolution
Hansteen P (2008a) The hail mary cloud and the lessons learned. URL https://home.nuug.no/~peter/hailmary2013/thenumbers.html
Hansteen P (2008b) A low intensity, distributed bruteforce attempt. URL http://bsdly.blogspot.in/2008/12/low-intensity-distributed-bruteforce.html
Honda S, Takenaka M, Unno Y, Maruhashi K, Torii S (2014) Detection of novel-type brute force attacks used ephemeral springboard ips as camouflage. J Adv Comput Netw 2(4):279–286. https://doi.org/10.7763/JACN.2014.V2.126
Jaquier C (2015) Fail2ban. URL http://www.fail2ban.org
Javed M, Paxson V (2013) Detecting stealthy, distributed ssh brute-forcing. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, ACM, New York, NY, USA, CCS ’13, pp 85–96, https://doi.org/10.1145/2508859.2516719
Kalnai P, Malik M (2016) New linux/rakos threat: devices and servers under ssh scan (again). URL https://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/
MacTane K (2009) Sshblock. URL http://kagan.mactane.org/software/sshblock
Malecot EL, Hori Y, Sakurai K, Ryou JC, Lee H (2008) (visually) tracking distributed ssh brute force attacks? In: Proceedings of the 3rd international joint workshop on information security and its applications (IJWISA 2008), pp 1–8
Mazzucchi M, Jones, Zheng K (2017) Sshguard. URL https://www.sshguard.net
Nicomette V, Kaâniche M, Alata E, Herrb M (2011) Set-up and deployment of a high-interaction honeypot: experiment and lessons learned. J Comput Virol 7(2):143–157. https://doi.org/10.1007/s11416-010-0144-2
P-N Tan, Steinbach M, Kumar V (2019) DBSCAN”, in Introduction to Data Mining, 7th edn, Pearson India Education Services Pvt. Ltd., India, chap 8, pp 518–524
P-N Tan, Steinbach M, Kumar V (2019) “Issues in Proximity Calculation”. In: Introduction to data mining, 7th edn, Pearson India Education Services Pvt. Ltd., India, chap 2, p 83
P-N Tan, Steinbach M, Kumar V (2019) “Missing values”. In: Introduction to data mining, 7th edn, Pearson India Education Services Pvt. Ltd., India, chap 2, pp 40–41
Pouget F, Dacier M (2004) Honeypot-based forensics. In: In AusCERT Asia Pacific information technology security conference 2004 (AusCERT2004, Brisbane, AUSTRALIA, URL http://www.eurecom.fr/publication/1417
Rash M (2010) A new ssh password guessing botnet. URL http://cipherdyne.org/blog/2010/08/a-new-ssh-password-guessing-botnet-dd_ssh.html
RGregory (2010) sshdfilter. URL http://abatis.org.uk/sshdfilter/
Sadasivam GK, Hota C (2015) Scalable honeypot architecture for identifying malicious network activities. In: Emerging information technology and engineering solutions (EITES), 2015 international conference on, Pune, India, pp 27–31. https://doi.org/10.1109/EITES.2015.15
Saito S, Maruhashi K, Takenaka M, Torii S (2016) Topase: detection and prevention of brute force attacks with disciplined ips from ids logs. J Inform Process 24(2):217–226. https://doi.org/10.2197/ipsjjip.24.217
Schwartz P (2008) Denyhosts. URL http://www.denyhosts.net
Scikit-learn (2018) Clustering performance evaluation. URL https://scikit-learn.org/0.20/modules/clustering.html#clustering-performance-evaluation
Sqalli MH, Firdous SN, Salah K, Abu-Amara M (2013) Classifying malicious activities in honeynets using entropy and volume-based thresholds. Security Commun Netw 6(5):567–583. https://doi.org/10.1002/SEC.575, URL https://onlinelibrary.wiley.com/doi/abs/10.1002/sec.575
Thonnard O, Dacier M (2008) A framework for attack patterns’ discovery in honeynet data. Digital Investigation 5:S128–S139, https://doi.org/10.1016/J.DIIN.2008.05.012, URL http://www.sciencedirect.com/science/article/pii/S1742287608000431, the Proceedings of the Eighth Annual DFRWS Conference
Wikipedia (2018) Entropy. URL https://en.wikipedia.org/wiki/Entropy_(information_theory)
Ylonen T, Lonvick C (2006a) The secure shell (ssh) authentication protocol. RFC 4252, RFC Editor, URL http://www.rfc-editor.org/rfc/rfc4252.txt
Ylonen T, Lonvick C (2006b) The secure shell (ssh) connection protocol. RFC 4254, RFC Editor, URL http://www.rfc-editor.org/rfc/rfc4254.txt
Ylonen T, Lonvick C (2006c) The secure shell (ssh) transport layer protocol. RFC 4253, RFC Editor, URL http://www.rfc-editor.org/rfc/rfc4253.txt
Zhu Y, Zheng WX (2019) Observer-based control for cyber-physical systems with periodic dos attacks via a cyclic switching strategy. IEEE Transactions on Automatic Control pp 1–1, https://doi.org/10.1109/TAC.2019.2953210
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
Not applicable
Funding
Not applicable
Code availability
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Sadasivam, G., Hota, C. & Bhojan, A. Detection of stealthy single-source SSH password guessing attacks. Evolving Systems 13, 1–15 (2022). https://doi.org/10.1007/s12530-020-09360-3
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12530-020-09360-3