Detecting Stealthy, Distributed SSH Brute-Forcing
| Field | Value |
|---|---|
| Title | Detecting Stealthy, Distributed SSH Brute-Forcing |
| Publication Type | Conference Paper |
| Year of Publication | 2013 |
| Authors | Javed, M., & Paxson, V. |
| Other Numbers | 3720 |
| Abstract | In this work we propose a general approach for detecting distributed malicious activity in which individual attack sources each operate in a stealthy, low-profile manner. We base our approach on observing statistically significant changes in a parameter that summarizes aggregate activity, bracketing a distributed attack in time, and then determining which sources present during that interval appear to have coordinated their activity. We apply this approach to the problem of detecting stealthy distributed SSH brute-forcing activity, showing that we can model the process of legitimate users failing to authenticate using a beta-binomial distribution, which enables us to tune a detector that trades off an expected level of false positives versus time-to-detection. Using the detector we study the prevalence of distributed brute-forcing, finding dozens of instances in an extensive 8-year dataset collected from a site with several thousand SSH users. Many of the attacks, some of which last months, would be quite difficult to detect individually. While a number of the attacks reflect indiscriminate global probing, we also find attacks that targeted only the local site, as well as occasional attacks that succeeded. |
| Acknowledgment | This work was partially supported by funding provided to ICSI through U.S. Army Research Office MURI grant W911NF-09-1-0553, and through National Science Foundation grants CNS : 0831535 (Comprehensive Application Analysis and Control), CNS : 1161799 ("Characterizing Enterprise Networks"), and CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the U.S. Army Research Office or the National Science Foundation. |
| URL | http://www.icsi.berkeley.edu/pubs/networking/detectingstealthy13.pdf |
| Bibliographic Notes | Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013), Berlin, Germany |
| Abbreviated Authors | M. Javed and V. Paxson |
| ICSI Research Group | Networking and Security |
| ICSI Publication Type | Article in conference proceedings |
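The detection approach the abstract outlines, as an added Python illustration that is not the paper's code (the paper's actual windowing, parameter fitting and source-attribution rules are not on this page). It assumes fixed login windows, fits a beta-binomial model to a benign baseline with a method-of-moments shortcut, flags a window whose failure count has an upper-tail probability below a chosen false-positive rate `alpha`, and reports sources present in flagged windows that were absent from the baseline. All function names, the `alpha` parameter and the sample data (RFC 5737 documentation addresses for the attack sources) are constructed for this example.

```python
import math
from collections import defaultdict


def _log_beta(a, b):
    return math.lgamma(a) + math.lgamma(b) - math.lgamma(a + b)


def betabinom_pmf(k, n, a, b):
    """P(K = k) for K ~ BetaBinomial(n, a, b), computed in log space."""
    if k < 0 or k > n:
        return 0.0
    log_choose = math.lgamma(n + 1) - math.lgamma(k + 1) - math.lgamma(n - k + 1)
    return math.exp(log_choose + _log_beta(k + a, n - k + b) - _log_beta(a, b))


def upper_tail(k, n, a, b):
    """P(K >= k): how plausible at least k failures out of n are for benign users."""
    return sum(betabinom_pmf(j, n, a, b) for j in range(k, n + 1))


def summarize(attempts):
    """(n attempts, k failures) for one window of (source, success_bool) pairs."""
    n = len(attempts)
    k = sum(1 for _, ok in attempts if not ok)
    return n, k


def fit_beta_binomial(baseline_nk):
    """Method-of-moments fit on per-window failure fractions (assumption: a
    deliberate simplification that ignores varying n per window). Falls back
    to an uninformative (1, 1) prior when the sample variance is degenerate."""
    fracs = [k / n for n, k in baseline_nk if n]
    m = sum(fracs) / len(fracs)
    v = sum((f - m) ** 2 for f in fracs) / len(fracs)
    if v <= 0 or v >= m * (1 - m):
        return 1.0, 1.0
    s = m * (1 - m) / v - 1
    return m * s, (1 - m) * s


def detect(baseline, windows, alpha=1e-3):
    """baseline: benign windows (lists of (source, ok)); windows: (label, attempts).
    Returns (flagged window labels, sources seen in flagged windows but not in baseline)."""
    a, b = fit_beta_binomial([summarize(w) for w in baseline])
    known = {src for w in baseline for src, _ in w}
    flagged, seen = [], defaultdict(int)
    for label, attempts in windows:
        n, k = summarize(attempts)
        if n and upper_tail(k, n, a, b) < alpha:
            flagged.append(label)
            for src, _ in attempts:
                seen[src] += 1
    candidates = sorted(src for src in seen if src not in known)
    return flagged, candidates


def _window(n_ok, n_fail, prefix="user"):
    """Constructed window: legitimate sources, the first n_fail of which fail."""
    return [(f"{prefix}{i}", i >= n_fail) for i in range(n_ok + n_fail)]


# Constructed benign baseline: ten windows of 40 attempts, 4-8 failures each.
BASELINE = [_window(40 - k, k) for k in (5, 6, 4, 7, 5, 6, 8, 5, 4, 6)]

# Constructed test windows: one ordinary window, and one where twenty low-profile
# sources each add a single failed attempt on top of normal legitimate traffic.
WINDOWS = [
    ("quiet", _window(32, 8)),
    ("attack", _window(34, 6) + [(f"203.0.113.{i}", False) for i in range(1, 21)]),
]

if __name__ == "__main__":
    flagged, candidates = detect(BASELINE, WINDOWS)
    print("flagged windows:", flagged)
    print("candidate coordinated sources:", candidates)
```

Each stealthy source contributes one failure, which is invisible per source but lifts the aggregate failure count far into the tail of the fitted model; lowering `alpha` buys fewer false alarms at the cost of needing a larger aggregate shift before a window is bracketed, which is the trade-off the abstract describes. Legitimate users who first appear during a flagged window land in the candidate set too, so the output is a starting point for investigation rather than a block list.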