Detecting Stealthy, Distributed SSH Brute-Forcing

Title: Detecting Stealthy, Distributed SSH Brute-Forcing
Publication Type: Conference Paper
Year of Publication: 2013
Authors: Javed, M., & Paxson V.
Other Numbers: 3720
Abstract

In this work we propose a general approach for detecting distributed malicious activity in which individual attack sources each operate in a stealthy, low-profile manner. We base our approach on observing statistically significant changes in a parameter that summarizes aggregate activity, bracketing a distributed attack in time, and then determining which sources present during that interval appear to have coordinated their activity. We apply this approach to the problem of detecting stealthy distributed SSH brute-forcing activity, showing that we can model the process of legitimate users failing to authenticate using a beta-binomial distribution, which enables us to tune a detector that trades off an expected level of false positives versus time-to-detection. Using the detector we study the prevalence of distributed brute-forcing, finding dozens of instances in an extensive 8-year dataset collected from a site with several thousand SSH users. Many of the attacks—some of which last months—would be quite difficult to detect individually. While a number of the attacks reflect indiscriminate global probing, we also find attacks that targeted only the local site, as well as occasional attacks that succeeded.
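The abstract describes three steps: model the benign rate at which legitimate users fail to authenticate with a beta-binomial distribution, flag time intervals whose aggregate failure count is implausible under that model (the threshold sets the false-positive versus time-to-detection trade-off), bracket the attack as a run of flagged intervals, and then examine which sources were active inside it. The Python below is an added illustration written for this page, not code from the paper or its authors. The benign history, the hourly observation window, the 203.0.113.0/24 attacker addresses, the moment-based parameter fit and the participant heuristic are all constructed assumptions chosen to show the mechanism, not the paper's actual estimation or coordination criteria.

```python
"""Illustrative beta-binomial detector for aggregate SSH login failures."""
from math import comb, exp, lgamma

# Constructed benign history: (attempts, failures) per hour at a site where a
# steady population of legitimate users occasionally mistypes a password.
BENIGN_HOURS = [(40, 3), (52, 4), (38, 2), (60, 6), (45, 3), (50, 5),
                (35, 2), (48, 4), (55, 5), (42, 3), (47, 4), (39, 2)]
# Constructed pool of legitimate client hosts seen in the benign history.
KNOWN_SOURCES = {f"10.0.{i}.5" for i in range(20)}


def fit_beta_moments(history):
    """Estimate (alpha, beta) of the Beta prior on the per-hour failure
    fraction by the method of moments. Simplification (my assumption, not the
    paper's fit): the binomial sampling variance is ignored."""
    props = [f / n for n, f in history]
    m = sum(props) / len(props)
    v = sum((p - m) ** 2 for p in props) / (len(props) - 1)
    concentration = m * (1 - m) / v - 1
    return m * concentration, (1 - m) * concentration


def _lbeta(x, y):
    return lgamma(x) + lgamma(y) - lgamma(x + y)


def betabinom_pmf(k, n, alpha, beta):
    """P(K = k) for K ~ BetaBinomial(n, alpha, beta), via log-gamma."""
    log_p = (lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
             + _lbeta(k + alpha, n - k + beta) - _lbeta(alpha, beta))
    return exp(log_p)


def tail_prob(failures, attempts, alpha, beta):
    """P(K >= failures): how surprising the observed failure count is."""
    return sum(betabinom_pmf(k, attempts, alpha, beta)
               for k in range(failures, attempts + 1))


def build_hour(legit_ok, legit_fail, attackers=()):
    """Construct one hour of (source, succeeded) login records. Each attacker
    host makes a single failed attempt: the stealthy, low-profile pattern."""
    events = [(f"10.0.{i % 20}.5", True) for i in range(legit_ok)]
    events += [(f"10.0.{i % 20}.5", False) for i in range(legit_fail)]
    events += [(ip, False) for ip in attackers]
    return events


# Constructed observation window: hours 3-5 carry a distributed campaign of
# 30 distinct hosts per hour, each failing exactly once.
WINDOW = [
    build_hour(41, 4),
    build_hour(46, 5),
    build_hour(39, 3),
    build_hour(44, 4, [f"203.0.113.{i}" for i in range(1, 31)]),
    build_hour(48, 5, [f"203.0.113.{i}" for i in range(31, 61)]),
    build_hour(42, 3, [f"203.0.113.{i}" for i in range(61, 91)]),
    build_hour(45, 4),
    build_hour(40, 3),
]


def hour_tail_probabilities(window, alpha, beta):
    """Aggregate surprise score per hour, independent of any single source."""
    return [tail_prob(sum(1 for _, ok in hour if not ok), len(hour), alpha, beta)
            for hour in window]


def bracket_attacks(window, alpha, beta, threshold=1e-4):
    """Return inclusive (start, end) hour indices for each run of flagged hours.
    A smaller threshold means fewer expected false positives (about one per
    1/threshold benign hours) but a slower reaction to weaker campaigns."""
    flagged = [p < threshold for p in hour_tail_probabilities(window, alpha, beta)]
    intervals, start = [], None
    for i, hit in enumerate(flagged + [False]):
        if hit and start is None:
            start = i
        elif not hit and start is not None:
            intervals.append((start, i - 1))
            start = None
    return intervals


def suspected_participants(window, interval, known_sources):
    """Heuristic (my assumption, not the paper's criterion): inside the
    bracketed interval, a source is suspected if every attempt it made failed
    and it never appeared in the benign history."""
    start, end = interval
    outcomes = {}
    for hour in window[start:end + 1]:
        for src, ok in hour:
            outcomes.setdefault(src, []).append(ok)
    return sorted(src for src, oks in outcomes.items()
                  if src not in known_sources and not any(oks))


if __name__ == "__main__":
    a, b = fit_beta_moments(BENIGN_HOURS)
    for iv in bracket_attacks(WINDOW, a, b):
        print("attack bracketed at hours", iv,
              "participants:", len(suspected_participants(WINDOW, iv, KNOWN_SOURCES)))
```

The point the example makes is that no single 203.0.113.x host is anomalous on its own (one failed login each), yet the aggregate failure count for hours 3 to 5 is far outside what the fitted beta-binomial model allows, so the window is bracketed first and source attribution happens only inside it.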

Acknowledgment

This work was partially supported by funding provided to ICSI through U.S. Army Research Office MURI grant W911NF-09-1-0553, and through National Science Foundation grants CNS : 0831535 (“Comprehensive Application Analysis and Control”), CNS : 1161799 ("Characterizing Enterprise Networks"), and CNS : 1237265 ("Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives"). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the U.S. Army Research Office or the National Science Foundation.

URL: http://www.icsi.berkeley.edu/pubs/networking/detectingstealthy13.pdf
Bibliographic Notes

Proceedings of the 20th ACM Conference on Computer and Communications Security (CCS 2013), Berlin, Germany

Abbreviated Authors

M. Javed and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings