Hidden Markov Model modeling of SSH brute-force attacks

Anna Sperotto, R. Sadre, Pieter-Tjerk de Boer, Aiko Pras

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

    Citations (Scopus): 37
    Downloads (Pure): 414

    Abstract

    Nowadays, network load is constantly increasing and high-speed infrastructures (1-10 Gbps) are becoming increasingly common. In this context, flow-based intrusion detection has recently become a promising security mechanism. However, since flows do not provide any information on the content of a communication, it has also become more difficult to establish a ground truth for benchmarking flow-based techniques. A possible approach to overcome this problem is the use of synthetic traffic traces in which the generation of malicious traffic is driven by models. In this paper, we propose a flow time series model of SSH brute-force attacks based on Hidden Markov Models. Our results show that the model successfully emulates an attacker's behavior, generating meaningful flow time series.
    Original language: Undefined
    Title of host publication: Integrated Management of Systems, Services, Processes and People in IT, Proceedings of the 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, DSOM 2009
    Place of Publication: Berlin
    Publisher: Springer
    Pages: 164-176
    Number of pages: 13
    ISBN (Print): 978-3-642-04988-0
    DOIs
    Publication status: Published - 21 Oct 2009
    Event: 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, DSOM 2009: Integrated Management of Systems, Services, Processes and People in IT - Venice, Italy
    Duration: 27 Oct 2009 to 28 Oct 2009
    Conference number: 20

    Publication series

    Name: Lecture Notes in Computer Science
    Publisher: Springer Verlag
    Volume: 5841/2009
    ISSN (Print): 0302-9743
    ISSN (Electronic): 1611-3349

    Conference

    Conference: 20th IFIP/IEEE International Workshop on Distributed Systems: Operations and Management, DSOM 2009
    Abbreviated title: DSOM
    Country/Territory: Italy
    City: Venice
    Period: 27/10/09 to 28/10/09

    Keywords

    • METIS-264131
    • EWI-16470
    • IR-68309
