D 2009

Validation of the Network-based Dictionary Attack Detection

VYKOPAL, Jan, Tomáš PLESNÍK and Pavel MINAŘÍK

Basic information

Original name

Validation of the Network-based Dictionary Attack Detection

Name in Czech

Validace síťové detekce slovníkových útoků

Authors

VYKOPAL, Jan (203 Czech Republic, guarantor, belonging to the institution), Tomáš PLESNÍK (203 Czech Republic, belonging to the institution) and Pavel MINAŘÍK (203 Czech Republic, belonging to the institution)

Edition

Brno, Security and Protection of Information 2009, Proceeding of the Conference, p. 128-136, 190 pp. 2009

Publisher

University of Defence

Other information

Language

English

Type of outcome

Stať ve sborníku

Field of Study

10201 Computer sciences, information science, bioinformatics

Country of publisher

Czech Republic

Confidentiality degree

není předmětem státního či obchodního tajemství

RIV identification code

RIV/00216224:14610/09:00040910

Organization unit

Institute of Computer Science

ISBN

978-80-7231-641-0

Keywords in English

dictionary attack; SSH; NetFlow; attack pattern; validation; honeypot

Tags

International impact, Reviewed
Změněno: 10/3/2011 10:53, doc. RNDr. Jan Vykopal, Ph.D.

Abstract

V originále

This paper presents a study of successful dictionary attacks against a SSH server and their network-based detection. On the basis of experience in the protection of university network we developed a detection algorithm based on a generic SSH authentication pattern. Thanks to the network-based approach, the detection algorithm is host independent and highly scalable. We deployed a high-interaction honeypot based on VMware to validate the SSH dictionary attack pattern that is able to recognize a successful attack. The honeypot provides several user accounts secured by both weak and strong passwords. All the communication between the honeypot and other hosts was logged at the host and even network layer (the relevant NetFlow data were stored too). After successful or unsuccessful break-in attempt, we could reliably determine detection accuracy (the false positive and negative rate). The pattern was implemented using a dynamic decision tree technique, so we can propose some modifications of its parameters based on the results. In addition, we could validate the improved pattern because the detection relies only on the NetFlow data. This study also discusses the performance details of detection method and reveals methods and behaviour of present successful attackers. Next, these findings are compared to the conclusions of the previous study. In our future work, we will focus on an extension of the detection method to other network services and protocols than SSH. Further, the method should also provide some reasons for the decision that the attack occurred (e. g., distributed dictionary attack).

In Czech

Článek pojednává o studii úspěšných slovníkových útoků na SSH server a jejich detekci. Na základě zkušeností s ochranou univerzitní sítě jsme vyvinuli detekční algoritmus založený na obecném vzoru SSH autentizace. Díky síťovému pohledu je tento algoritmus nezávislý na koncových strojích a je škálovatelný. Abychom ověřili vzor útoku schopný rozeznat úspěšný útok, nasadili jsme high-interaction honeypot na platformě VMware a monitorovací sondu NetFlow. Po úspěšných i neúspěšných pokusech jsme tak byli schopni určit přesnost detekce. Detekční vzor byl implementován pomocí dynamického rozhodovacího stromu, jehož parametry lze modifikovat. Článek dále popisuje naměřený výkon vzoru a odhaluje metody dnešních skutečných útočníků (vč. srovnání se studiemi z předchozích let jiných autorů).

Links

OVMASUN200801, research and development project
Name: CYBER ? Bezpečnost informačních a komunikačních systémů AČR - on line monitorování, vizualizace a filtrace paketů. Rozvoj schopností Computer Incident Response Capability v prostředí Cyber Defence. (Acronym: CYBER)
Investor: Ministry of Defence of the CR, CYBER - Security of Czech Army Information and Communication Systems - On-line Monitoring, Visualization and Packet Filtration. Computer Incident Response Capability Development in the Cyber Defence Environment