SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

Kumagai, Masaya; Musashi, Yasuo; Romaña, Dennis Arturo Ludeña; Takemori, Keisuke; Kubota, Shinichiro; Sugitani, Kenichi

doi:10.1109/icinis.2010.9

Cited by 9 publications

(8 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Kumagai et al [11] calculated the sample variance of the total PTR resource record based DNS query packet traffic of campus networks servers which were under brute force attack. Their observations show there is a change in this statistical value when the SSH brute force attack occurs.…”

Section: Related Workmentioning

confidence: 99%

Machine Learning for Detecting Brute Force Attacks at the Network Level

Najafabadi

Khoshgoftaar

Kemp

et al. 2014

2014 IEEE International Conference on Bioinformatics and Bioengineering

View full text Add to dashboard Cite

The tremendous growth in computer network and Internet usage, combined with the growing number of attacks makes network security a topic of serious concern. One of the most prevalent network attacks that can threaten computers connected to the network is brute force attack. In this work we investigate the use of machine learners for detecting brute force attacks (on the SSH protocol) at the network level. We base our approach on applying machine learning algorithms on a newly generated dataset based upon network flow data collected at the network level. Applying detection at the network level makes the detection approach more scalable. It also provides protection for the hosts who do not have their own protection. The new dataset consists of real-world network data collected from a production network. We use four different classifiers to build brute force attack detection models. The use of different classifiers facilitates a relatively comprehensive study on the effectiveness of machine learners in the detection of brute force attack on the SSH protocol at the network level. Empirical results show that the machine learners were quite successful in detecting the brute force attacks with a high detection rate and low false alarms. We also investigate the effectiveness of using ports as features during the learning process. We provide a detailed analysis of how the models built can change as a result of including or excluding port features.Keywords -Brute force attack, network flow, network-level attack detection, machine learning.

show abstract

Section: Related Workmentioning

confidence: 99%

Machine Learning for Detecting Brute Force Attacks at the Network Level

Najafabadi

Khoshgoftaar

Kemp

et al. 2014

2014 IEEE International Conference on Bioinformatics and Bioengineering

View full text Add to dashboard Cite

show abstract

“…O registro reverso (PTR) é útil para identificar enderec ¸os IPs válidos, pois cada IP acessível na Internet deve possuir um nome reverso [Barr 1996]. Em ataques de reconhecimento de rede, o registro PTR é mais utilizado [Kumagai et al 2010]. Ataques de dicionário contra o servic ¸o SSH podem ser identificados através da distribuic ¸ão de frequência do registro reverso [Shibata et al 2012].…”

Section: Antonakakis Et Al (unclassified

Identificação e Caracterização de Comportamentos Suspeitos Através da Análise do Tráfego DNS

Barbosa¹,

Souto²,

Feitosa³

et al. 2014

Anais Do XIV Simpósio Brasileiro De Segurança Da Informação E De Sistemas Computacionais (SBSeg 2014)

View full text Add to dashboard Cite

O Sistema de Nomes de Domínios (DNS) fornece mecanismos para traduzir os nomes de domínios em endereços IP. Este serviço é usado tanto por usuários legítimos quanto aplicações suspeitas que podem solicitar endereços dos servidores de email antes de enviar spam. Este trabalho apresenta uma metodologia que utiliza teoria dos grafos para distinguir padrões entre consultas legítimas e maliciosas no tráfego. As resoluções de nomes são modeladas em um grafo que ilustra o padrão de comunicação entre hosts e como as consultas foram realizadas. Para validação da proposta, o tráfego DNS do domínio .br é investigado. Os resultados mostram uma redução de 35% do total de hosts a serem analisados e a presença de comportamentos suspeitos.

show abstract

“…Intrusion detection systems (IDS) are powerful security information and event management (SIEM) tools that help network operators protect vulnerable devices by monitoring malicious activities and automatically recording intrusion events within the network. Current IDS systems utilize three main methods to detect network attacks, namely (1) predefined rules or virus signatures [3][4][5][6]12], (2) anomaly detection [12][13][14][15][16], and (3) artificial intelligence [17][18][19][20][21][22][23][24][25][26] (machine-learning or deep-learning models). However, predefined detection methods require the identification and implementation of effective rules in advance and/or the extensive collection and update of potential virus signatures.…”

Section: Introductionmentioning

confidence: 99%

A Quantitative Logarithmic Transformation-Based Intrusion Detection System

Lan¹,

Wei³

et al. 2023

IEEE Access

View full text Add to dashboard Cite

Intrusion detection systems (IDS) play a vital role in protecting networks from malicious attacks. Modern IDS use machine-learning or deep-learning models to deal with the diversity of attacks that malicious users may employ. However, effective machine-learning methods incur a considerable cost in both the pretraining stage and the online detection process itself. Accordingly, this study proposes a quantitative logarithmic transformation-based intrusion detection system (QLT-IDS) that uses a straightforward statistical approach to analyze network behavior. Compared with machine-learning or deeplearning-based IDS methods, the proposed system requires neither a time-consuming and expensive data collection and training process, nor a GPU-included device to achieve a real-time detection performance. Furthermore, the system can deal not only with North-South attacks, but also East-West attacks, which pose a significant risk in real-world operations. The effectiveness of the proposed system is evaluated for both real-world campus network traffic and simulated traffic. The results confirm that QLT-IDS is able to detect a wide range of malicious attacks with a high precision, even under high down-sampling rate of the NetFlow records.

show abstract

SSH Dictionary Attack and DNS Reverse Resolution Traffic in Campus Network

Cited by 9 publications

References 4 publications

Machine Learning for Detecting Brute Force Attacks at the Network Level

Machine Learning for Detecting Brute Force Attacks at the Network Level

Identificação e Caracterização de Comportamentos Suspeitos Através da Análise do Tráfego DNS

A Quantitative Logarithmic Transformation-Based Intrusion Detection System

Contact Info

Product

Resources

About