Hidden Markov Model Modeling of SSH Brute-Force Attacks

Authors:
Anna Sperotto;Ramin Sadre;Pieter-Tjerk Boer;Aiko Pras
Affiliations:
Centre for Telematics and Information Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands 7500 AE;Centre for Telematics and Information Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands 7500 AE;Centre for Telematics and Information Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands 7500 AE;Centre for Telematics and Information Technology, Faculty of Electrical Engineering, Mathematics and Computer Science, University of Twente, Enschede, The Netherlands 7500 AE
Venue:
DSOM '09 Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management: Integrated Management of Systems, Services, Processes and People in IT
Year:
2009

Citing 10
Cited 2

A framework for malicious workload generation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
HMM profiles for network traffic classification

Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security
System approach to intrusion detection using hidden Markov model

Proceedings of the 2006 international conference on Wireless communications and mobile computing
Markov Models for Pattern Recognition: From Theory to Applications

Markov Models for Pattern Recognition: From Theory to Applications
Internet traffic modeling by means of Hidden Markov Models

Computer Networks: The International Journal of Computer and Telecommunications Networking
Anomaly Characterization in Flow-Based Traffic Time Series

IPOM '08 Proceedings of the 8th IEEE international workshop on IP Operations and Management
FLAME: a flow-level anomaly modeling engine

CSET'08 Proceedings of the conference on Cyber security experimentation and test
A Labeled Data Set for Flow-Based Intrusion Detection

IPOM '09 Proceedings of the 9th IEEE International Workshop on IP Operations and Management
Behavioral distance measurement using hidden markov models

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
Simulated annealing for maximum a posteriori parameter estimation of hidden Markov models

IEEE Transactions on Information Theory

BotTrack: tracking botnets using NetFlow and PageRank

NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
SSHCure: a flow-based SSH intrusion detection system

AIMS'12 Proceedings of the 6th IFIP WG 6.6 international autonomous infrastructure, management, and security conference on Dependable Networks and Services

Quantified Score

Hi-index	0.00

Visualization

Abstract

Nowadays, network load is constantly increasing and high-speed infrastructures (1-10Gbps) are becoming increasingly common. In this context, flow-based intrusion detection has recently become a promising security mechanism. However, since flows do not provide any information on the content of a communication, it also became more difficult to establish a ground truth for flow-based techniques benchmarking. A possible approach to overcome this problem is the usage of synthetic traffic traces where the generation of malicious traffic is driven by models. In this paper, we propose a flow time series model of SSH brute-force attacks based on Hidden Markov Models. Our results show that the model successfully emulates an attacker behavior, generating meaningful flow time series.