Mining threat intelligence from billion-scale SSH brute-force attacks
Wu, Yuming
Permalink
https://hdl.handle.net/2142/108105
Description
- Title
- Mining threat intelligence from billion-scale SSH brute-force attacks
- Author(s)
- Wu, Yuming
- Issue Date
- 2020-04-13
- Director of Research (if dissertation) or Advisor (if thesis)
- Iyer, Ravishankar K
- Kalbarczyk, Zbigniew T
- Department of Study
- Electrical & Computer Eng
- Discipline
- Electrical & Computer Engr
- Degree Granting Institution
- University of Illinois at Urbana-Champaign
- Degree Name
- M.S.
- Degree Level
- Thesis
- Keyword(s)
- SSH honeypot
- SSH brute-force attack
- SSH key
- SSH client version
- Abstract
- This thesis first presents Continuous Auditing of Secure Shell (SSH) Servers to Mitigate Brute-Force Attacks (CAUDIT), an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. One of CAUDIT's key features is a honeypot, which attracted and recorded 11 billion SSH brute-force attack attempts targeting the operational system at NCSA from February 2017 to November 2019. Based on the attack data, this thesis then presents a comprehensive study characterizing the nature of the 11 billion attack attempts. We report the nature of these attacks in terms of i) persistence (i.e., consecutively attacking over an entire year), ii) targeted strategies (i.e., using stolen SSH keys), iii) large-scale evasion techniques (i.e., using randomized SSH client versions) to bypass signature detectors, and iv) behaviors of human-supervised botnets. The significance of our analyses for security operators includes i) discerning cross-country attacks versus persistent attacks, ii) notifying cloud providers and IoT vendors regarding stolen SSH keys so that they can verify the effectiveness of software patches, iii) deterring the above evasion techniques by using anomaly detectors/rate limiters, and iv) differentiating between fully automated attacks and more sophisticated attacks driven by humans. The work in this thesis was completed in two stages along with two papers. The first paper was published in the 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI'19), and the second paper is to be published in the Workshop on Decentralized IoT Systems and Security (DISS) 2020. We collaborated with NCSA, which provided us with the network operational system and attack data. The research and analysis were performed jointly with the co-authors of the two papers. My specific contribution, highlighted in this thesis, is the threat intelligence analysis.
- Graduation Semester
- 2020-05
- Type of Resource
- Thesis
- Permalink
- http://hdl.handle.net/2142/108105
- Copyright and License Information
- Copyright 2020 Yuming Wu
Owning Collections
- Graduate Dissertations and Theses at Illinois (primary)
- Graduate Theses and Dissertations at Illinois
- Dissertations and Theses - Electrical and Computer Engineering
- Dissertations and Theses in Electrical and Computer Engineering