A Study of Using NetFlow Traffic Data to Detect and Track SSH Dictionary Attack
Master's === National University of Kaohsiung === Master's Program, Department of Asia-Pacific Industrial and Business Management === 97 === With the rapid growth of technology, many application systems need to authenticate users in the Internet environment. A user account and password is a simple and common way to authenticate over a network. A dictionary attack means that attackers attempt...
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | zh-TW |
Published: | 2009 |
Online Access: | http://ndltd.ncl.edu.tw/handle/06556425740792050670 |
id |
ndltd-TW-097NUK05026001 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-097NUK05026001 2016-06-19T04:12:06Z http://ndltd.ncl.edu.tw/handle/06556425740792050670 A Study of Using NetFlow Traffic Data to Detect and Track SSH Dictionary Attack 以網路流量偵測SSH字典攻擊與追蹤之研究 Yu-Jen Hsueh 薛昱仁 Master's, National University of Kaohsiung, Master's Program, Department of Asia-Pacific Industrial and Business Management, 97 Han-Wei Hsiao 蕭漢威 2009 thesis 47 zh-TW |
collection |
NDLTD |
language |
zh-TW |
format |
Others |
sources |
NDLTD |
description |
Master's === National University of Kaohsiung === Master's Program, Department of Asia-Pacific Industrial and Business Management === 97 === With the rapid growth of technology, many application systems need to authenticate users in the Internet environment. A user account and password is a simple and common way to authenticate over a network. A dictionary attack means that attackers attempt to log in to user accounts illegally by trying all possible passwords. System authentication log files contain many failed SSH login records, which has become a common situation in the Taiwan Academic Network environment. This implies that the dictionary attack is a serious intrusion event.
In this paper, we propose a classification-based detection module to detect SSH dictionary attacks. We used three data mining classification algorithms, Naïve Bayes, decision tree and SVM, to build our SSH dictionary attack detection module. We collected one month of real-world NetFlow traffic data as training samples to build our detection system. Our empirical evaluation results show that the proposed detection module reaches above 90% detection accuracy. Further, we used the detection module and NetFlow history data to develop an SSH dictionary attack tracking algorithm. We try to find the topology of the IP addresses that launched SSH dictionary attacks, and to trace back to the origin of the SSH dictionary attacker. The results of this research can help network managers detect implicit dictionary attack behaviors and improve network security.
|
author2 |
Han-Wei Hsiao |
author_facet |
Han-Wei Hsiao Yu-Jen Hsueh 薛昱仁 |
author |
Yu-Jen Hsueh 薛昱仁 |
author_sort |
Yu-Jen Hsueh |
title |
A Study of Using NetFlow Traffic Data to Detect and Track SSH Dictionary Attack |
publishDate |
2009 |
url |
http://ndltd.ncl.edu.tw/handle/06556425740792050670 |
_version_ |
1718309632168951808 |