Journal Article
Original title: SSHパスワードクラッキング攻撃におけるデータサイズを用いる検知手法の提案と運用評価
English title: Proposal for a Detection Method Using Data Size of SSH Password Cracking Attacks and its Operational Evaluations

清水, 光司  ,  小刀稱, 知哉  ,  池部, 実  ,  吉田, 和幸

Vol. 58, No. 3, pp. 695-707, 2017-03-15
There are many malicious attacks on the Internet; in particular, there are many illegal accesses to SSH servers. We have therefore been developing an SSH Password Cracking Attack Detection system (called SCRAD) to detect SSH password cracking attacks. Our system detects an attacker's connection using the number of packets per connection between an SSH client and the server. We analyzed the operational results of the SCRAD system and found some false positives. Their cause was small amounts of data communicated by normal users with the scp or rsync commands. We therefore investigated scp connections. As a result, we found that the number of packets per connection is similar for scp connections and attacker connections, but that the data size of an scp connection is larger than the data size of an attacker's connection. In this paper, we propose a new detection method that uses data size to avoid these false positives. We compared the packet-count-based method and the data-size-based method. In the experimental results, the attacker detection rate was the same for the two methods; however, the normal-user discrimination rate of the data-size-based method was 22.1% higher than that of the packet-count-based method. We confirmed that the proposed method is effective against SSH password cracking attacks. In addition, we are operating the SCRAD system with the data-size-based detection method, and we report the operational results of SCRAD from February 2015 to May 2016. SCRAD detected 99.7% of attacker connections; on the other hand, the normal-user connection discrimination rate was 72.2%. The operational results show that SCRAD reduced the risk of SSH servers being penetrated, while still producing some false positives.
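The abstract contrasts two per-connection rules: the original packet-count rule, which cannot tell a failed password attempt from a short scp or rsync transfer, and the proposed data-size rule, which can. The following Python is an added illustration written for this page, not code from the paper or the SCRAD system. The thresholds, the flow records and the ground-truth labels are constructed assumptions (the paper's own values are not on this page); the example aggregates per-packet records into per-connection flows, applies both rules, and computes the two rates the abstract reports (attacker detection rate and normal-user discrimination rate).

```python
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical thresholds (assumptions for this example; the paper's values are not on this page).
MAX_PACKETS_FOR_FAILED_LOGIN = 30   # a failed password attempt is a short exchange
MAX_BYTES_FOR_FAILED_LOGIN = 6000   # scp/rsync move far more payload than a login failure


@dataclass(frozen=True)
class SshFlow:
    """One TCP connection between an SSH client and the server."""
    conn_id: str
    packets: int      # packets exchanged in both directions
    data_bytes: int   # TCP payload bytes exchanged in both directions
    label: str        # ground truth used only for evaluation ("attacker" or "normal")


def flows_from_packets(records, labels):
    """Aggregate per-packet (conn_id, payload_len) records into one SshFlow per connection.

    'labels' maps conn_id to ground truth and stands in for the analyst's manual labelling.
    """
    packets = defaultdict(int)
    payload = defaultdict(int)
    for conn_id, payload_len in records:
        packets[conn_id] += 1
        payload[conn_id] += payload_len
    return [SshFlow(c, packets[c], payload[c], labels[c]) for c in packets]


def packet_count_method(flow):
    """Packet-count rule: a short exchange (few packets) is flagged as a failed password attempt."""
    return flow.packets <= MAX_PACKETS_FOR_FAILED_LOGIN


def data_size_method(flow):
    """Data-size rule: a failed login also carries little payload, whereas scp/rsync carry much more."""
    return flow.data_bytes <= MAX_BYTES_FOR_FAILED_LOGIN


# Constructed flows: three password-guessing connections, two small scp/rsync transfers, one shell session.
CONSTRUCTED_FLOWS = [
    SshFlow("atk-1", packets=18, data_bytes=2900, label="attacker"),
    SshFlow("atk-2", packets=20, data_bytes=3100, label="attacker"),
    SshFlow("atk-3", packets=17, data_bytes=2800, label="attacker"),
    SshFlow("scp-1", packets=22, data_bytes=48000, label="normal"),      # scp of a small file
    SshFlow("rsync-1", packets=25, data_bytes=61000, label="normal"),    # rsync with little change
    SshFlow("shell-1", packets=400, data_bytes=900000, label="normal"),  # interactive session
]


def evaluate(method, flows):
    """Return (attacker detection rate, normal-user discrimination rate) in percent, rounded to 0.1."""
    attackers = [f for f in flows if f.label == "attacker"]
    normals = [f for f in flows if f.label == "normal"]
    detected = sum(1 for f in attackers if method(f))          # attackers correctly flagged
    passed = sum(1 for f in normals if not method(f))          # normal users correctly left alone
    return (round(100.0 * detected / len(attackers), 1),
            round(100.0 * passed / len(normals), 1))


if __name__ == "__main__":
    for name, method in (("packet count", packet_count_method), ("data size", data_size_method)):
        detect, discriminate = evaluate(method, CONSTRUCTED_FLOWS)
        print(f"{name:13s}: attacker detection {detect}%, normal-user discrimination {discriminate}%")
```

On the constructed flows both rules catch every attacker connection, but the packet-count rule also flags the two short scp/rsync transfers, which is exactly the false-positive pattern the abstract describes; the data-size rule lets them through because their payload is far above what a failed login exchanges. In practice the byte threshold has to be fitted to the observed size of failed-login connections on the monitored server, and the 72.2% normal-user discrimination rate reported for the deployed system shows that some legitimate short connections still fall under it.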
