Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities

Takemori, Keisuke; Romaña, Dennis Arturo Ludeña; Kubota, Shinichiro; Sugitani, Kenichi; Musashi, Yasuo

doi:10.22266/ijies2009.1231.05

Cited by 7 publications

(7 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From the experimental results, we intend to continue improving our method with the ultimate goal of being able to detect the dictionary attacks against many services to enable secure networks. Thames et al (Thames et al, 2008) log file high low yes yes no no Su et al (Su et al, 2011) log file high low yes yes no no Sperotto et al (Sperotto et al, 2009) traffic low not clear yes no no no Takemori et al (Takemori et al, 2009) traffic low high yes no no no Our work traffic low moderate yes yes yes yes j o u r n a l o f i n f o r m a t i o n s e c u r i t y a n d a p p l i c a t i o n s x x x ( 2 0 1 4 ) 1 e1 1…”

Section: Resultsmentioning

confidence: 99%

“…Sperotto et al (2009) showed that such attacks typically consist of three phases, and the authors represented their behaviors at flow level by Hidden Markov Model. Takemori et al (2009) discovered a significant upsurge in the number of PTR resource records in DNS traffic while the attacks were underway. This approach limits the above costs because its requirement is to only capture traffic at a few observation points.…”

Section: Related Workmentioning

confidence: 99%

“…Since even one success of these attacks causes serious problems, such as leaks of confidential information, transmission of spam email, and deployment of phishing sites, administrators should be prepared to cope with them. SSH dictionary attacks have been detected in two basic ways that rely on either log files (Thames et al, 2008;Su et al, 2011) or network traffic (Sperotto et al, 2009;Takemori et al, 2009). The first approach parses the log file of all hosts in large networks, and thereby imposes heavy maintenance costs on administrators.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A flow-based detection method for stealthy dictionary attacks against Secure Shell

Satoh

Nakamura

Ikenaga

2015

Journal of Information Security and Applications

View full text Add to dashboard Cite

Section: Resultsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

A flow-based detection method for stealthy dictionary attacks against Secure Shell

Satoh

Nakamura

Ikenaga

2015

Journal of Information Security and Applications

View full text Add to dashboard Cite

“…Hellemons et al [10] showed that such attacks typically consist of three phases, and the authors represented their behaviors at the flow level by using a hidden Markov model. Takemori et al [11] discovered a significant upsurge in the number of pointer (PTR) resource records in DNS traffic while attacks were underway. To resolve the problems of these studies, we proposed a new approach [12] that detects dictionary attacks and their success or failure.…”

Section: Related Work and Limitationsmentioning

confidence: 99%

A New Approach to Identify User Authentication Methods toward SSH Dictionary Attack Detection

Satoh

Nakamura

Ikenaga

2015

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

SUMMARYA dictionary attack against SSH is a common security threat. Many methods rely on network traffic to detect SSH dictionary attacks because the connections of remote login, file transfer, and TCP/IP forwarding are visibly distinct from those of attacks. However, these methods incorrectly judge the connections of automated operation tasks as those of attacks due to their mutual similarities. In this paper, we propose a new approach to identify user authentication methods on SSH connections and to remove connections that employ non-keystroke based authentication. This approach is based on two perspectives: (1) an SSH dictionary attack targets a host that provides keystroke based authentication; and (2) automated tasks through SSH need to support non-keystroke based authentication. Keystroke based authentication relies on a character string that is input by a human; in contrast, non-keystroke based authentication relies on information other than a character string. We evaluated the effectiveness of our approach through experiments on real network traffic at the edges in four campus networks, and the experimental results showed that our approach provides high identification accuracy with only a few errors. key words: SSH dictionary attack, user authentication method, flow analysis, network operation

show abstract

“…Previously, on the other hand, we reported that the DNS traffic and entropy based detection technologies of the inbound-and outbound SSH dictionary attacks in the campus network [9][10][11][12]. The DNS based detection system has a merit which observes only the DNS query request packet traffic between the DNS server and its clients i.e.…”

Section: Introductionmentioning

confidence: 99%

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

Kumagai

Musashi

Romaña

et al. 2010

2010 Third International Conference on Intelligent Networks and Intelligent Systems

Self Cite

View full text Add to dashboard Cite

We performed statistical analysis on the total PTR resource record (RR) based DNS query packet traffic from a university campus network to the top domain DNS server through March 14th, 2009, when the network servers in the campus network were under inbound SSH dictionary attack. The interesting results are obtained, as follows: (1) the network servers, especially, they have a function of SSH services, generated the significant PTR RR based DNS query request packet traffic through 07:30-08:30 in March 14th, 2009, (2) we calculated sample variance for the DNS query request packet traffic, and (3) the variance can change in a sharp manner through 07:30-08:30. From these results, it is clearly concluded that we can detect the inbound SSH dictionary attack to the network server by only observing the variance of the total PTR RR based DNS query request packet traffic from the network servers in the campus network. Keywords-DNS based Detection; SSH dictionary attack; SSH brute force attack

show abstract

Detection of NS Resource Record DNS Resolution Traffic, Host Search, and SSH Dictionary Attack Activities

Cited by 7 publications

References 7 publications

A flow-based detection method for stealthy dictionary attacks against Secure Shell

A flow-based detection method for stealthy dictionary attacks against Secure Shell

A New Approach to Identify User Authentication Methods toward SSH Dictionary Attack Detection

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

Contact Info

Product

Resources

About