Abstract

Secure Socket Shell (SSH) exposes a secure interface for remote users to log in. The password-based authentication mechanism used by remote users is vulnerable to brute forcing, an attack in which an adversary systematically tries many passwords. These attacks can be generated from a single source or collectively from a set of sources. In this paper we propose a method to detect such brute-force attacks and subsequently classify the attempts into three types: originating from a single source, from a single domain, or distributed. We develop a Petri-net-based model that identifies SSH connections corresponding to failed login attempts using network flow characteristics. The model also keeps track of the sources of failed login attempts, which it uses to label each time interval as experiencing brute forcing or not and, if it is, to determine the type of attack. We experiment with network traffic collected from a production-level server and with traffic generated within a testbed setup, and show that our model can detect attacks and classify them. We also experiment with a stealth attack variant, in which the attacker keeps a low profile, and suggest methods to handle such attack instances.
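The per-interval labelling described in the abstract can be sketched as follows. This is an added example, not the paper's Petri-net model or its code: it assumes failed SSH logins have already been identified (the paper does this from network flow characteristics), and the interval length, the threshold, and the use of a shared IPv4 /24 prefix as a stand-in for "single domain" are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

INTERVAL = 60   # seconds per time interval (assumed value)
THRESHOLD = 5   # failed logins per interval that count as brute forcing (assumed)
PREFIX = 24     # sources sharing an IPv4 /24 are treated as one "domain" (assumed)


def classify_intervals(failed_logins, interval=INTERVAL,
                       threshold=THRESHOLD, prefix=PREFIX):
    """Label each time interval from (epoch_seconds, source_ip) failed logins.

    Returns {interval_start: label} with label one of
    "no-bruteforce", "single-source", "single-domain", "distributed".
    """
    buckets = defaultdict(list)
    for ts, src in failed_logins:
        buckets[ts - ts % interval].append(src)

    labels = {}
    for start, sources in sorted(buckets.items()):
        if len(sources) < threshold:
            # Also where a low-rate (stealth) source ends up with a fixed threshold.
            labels[start] = "no-bruteforce"
            continue
        unique = set(sources)
        domains = {ip_network(f"{s}/{prefix}", strict=False) for s in unique}
        if len(unique) == 1:
            labels[start] = "single-source"
        elif len(domains) == 1:
            labels[start] = "single-domain"
        else:
            labels[start] = "distributed"
    return labels


# Constructed sample events (documentation address ranges), not real traffic.
SAMPLE = (
    [(t, "192.0.2.10") for t in range(0, 60, 10)]               # one host, 6 failures
    + [(60 + i, f"198.51.100.{i + 1}") for i in range(6)]       # 6 hosts, same /24
    + [(120 + i, ip) for i, ip in enumerate(
        ["192.0.2.10", "198.51.100.7", "203.0.113.9"] * 2)]     # 3 hosts, 3 networks
    + [(180, "203.0.113.50"), (210, "203.0.113.50")]            # low-rate source
)

if __name__ == "__main__":
    for start, label in classify_intervals(SAMPLE).items():
        print(start, label)
```

The last interval shows why the stealth variant matters: a source that stays under the per-interval threshold is never flagged by this kind of fixed-window count.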
