Other formats:
BibTeX
LaTeX
RIS
@inproceedings{830854,
  author    = {Vykopal, Jan and Plesník, Tomáš and Minařík, Pavel},
  address   = {Brno},
  booktitle = {Security and Protection of Information 2009, Proceeding of the Conference},
  keywords  = {dictionary attack; SSH; NetFlow; attack pattern; validation; honeypot},
  language  = {eng},
  location  = {Brno},
  isbn      = {978-80-7231-641-0},
  pages     = {128-136},
  publisher = {University of Defence},
  title     = {Validation of the Network-based Dictionary Attack Detection},
  year      = {2009}
}
TY  - JOUR
ID  - 830854
AU  - Vykopal, Jan
AU  - Plesník, Tomáš
AU  - Minařík, Pavel
PY  - 2009
TI  - Validation of the Network-based Dictionary Attack Detection
PB  - University of Defence
CY  - Brno
SN  - 9788072316410
KW  - dictionary attack
KW  - SSH
KW  - NetFlow
KW  - attack pattern
KW  - validation
KW  - honeypot
N2  - This paper presents a study of successful dictionary attacks against an SSH server and their network-based detection. On the basis of experience in the protection of a university network, we developed a detection algorithm based on a generic SSH authentication pattern. Thanks to the network-based approach, the detection algorithm is host independent and highly scalable. We deployed a high-interaction honeypot based on VMware to validate the SSH dictionary attack pattern that is able to recognize a successful attack. The honeypot provides several user accounts secured by both weak and strong passwords. All the communication between the honeypot and other hosts was logged at the host layer and at the network layer (the relevant NetFlow data were stored too). After a successful or unsuccessful break-in attempt, we could reliably determine the detection accuracy (the false positive and false negative rates). The pattern was implemented using a dynamic decision tree technique, so we can propose some modifications of its parameters based on the results. In addition, we could validate the improved pattern because the detection relies only on the NetFlow data. This study also discusses the performance details of the detection method and reveals the methods and behaviour of present-day successful attackers. Next, these findings are compared to the conclusions of the previous study. In our future work, we will focus on an extension of the detection method to network services and protocols other than SSH. Further, the method should also provide some reasons for the decision that an attack occurred (e.g., a distributed dictionary attack).
ER  -
VYKOPAL, Jan, Tomáš PLESNÍK and Pavel MINAŘÍK. Validation of the Network-based Dictionary Attack Detection. In \textit{Security and Protection of Information 2009, Proceeding of the Conference}. Brno: University of Defence, 2009, pp.~128-136, 190 pp. ISBN~978-80-7231-641-0.