A New Approach to Identify User Authentication Methods toward SSH Dictionary Attack Detection

Akihiro SATOH  Yutaka NAKAMURA  Takeshi IKENAGA  

IEICE TRANSACTIONS on Information and Systems   Vol.E98-D   No.4   pp.760-768
Publication Date: 2015/04/01
Publicized: 2014/12/04
Online ISSN: 1745-1361
DOI: 10.1587/transinf.2014ICP0005
Type of Manuscript: Special Section PAPER (Special Section on Information and Communication System Security―Against Cyberattacks―)
Category: Authentication
Keywords: SSH dictionary attack, user authentication method, flow analysis, network operation

A dictionary attack against SSH is a common security threat. Many methods rely on network traffic to detect SSH dictionary attacks because the connections of remote login, file transfer, and TCP/IP forwarding are visibly distinct from those of attacks. However, these methods incorrectly judge the connections of automated operation tasks as those of attacks due to their mutual similarities. In this paper, we propose a new approach to identify user authentication methods on SSH connections and to remove connections that employ non-keystroke based authentication. This approach is based on two perspectives: (1) an SSH dictionary attack targets a host that provides keystroke based authentication; and (2) automated tasks through SSH need to support non-keystroke based authentication. Keystroke based authentication relies on a character string that is input by a human; in contrast, non-keystroke based authentication relies on information other than a character string. We evaluated the effectiveness of our approach through experiments on real network traffic at the edges in four campus networks, and the experimental results showed that our approach provides high identification accuracy with only a few errors.