Similarities and Differences in Patterns and Geolocation of SSH Attack Data
Abstract
Cyber attacks are becoming more prevalent across all sectors of government, business, and academia. Academic networks can be more vulnerable to attack because of a lack of resources and funding. This thesis analyzed unsuccessful Secure Shell (SSH) login attempts with data extracted from the DenyHosts service on the Naval Postgraduate School's (NPS) network, and compared it to SSH login data from a Kippo SSH honeypot independent from the NPS network to determine patterns in activity associated with geolocation. Additionally, this thesis analyzed the frequency of the originating IP address, then tried to determine if proxies were being used and how regularly. We identified similar characteristics of attacking hosts for both networks, and noted an excessive use of vulnerable platforms and ports. Our methodology did not allow us to ascertain if any of the attacks were automated, but we have high confidence that the remote sites were compromised because of their preponderant use of vulnerable software. We also identified common use of ports 5060 and 8080, suggesting possible botnet activity associated with these sites.
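The abstract describes two counting steps that are easy to get wrong in practice: tallying failed SSH logins per originating IP from two independent sensors, then comparing the two sets of sources and rolling the counts up by geolocation. The Python below is an added example of that analysis and is not code from the thesis or from DenyHosts or Kippo. It parses OpenSSH "Failed password" lines (the auth-log lines DenyHosts itself scans) and Kippo-style "login attempt [...] failed" lines, counts attempts per source IP, lists the IPs seen by both sensors, and aggregates by country using a small stand-in lookup table. Every log line, IP address and country label is constructed for the example (the addresses come from the RFC 5737 documentation ranges); a real analysis would replace the `GEO` table with a GeoIP database lookup. One caveat a practitioner should keep in mind: the port in an sshd "Failed password" line is the attacker's ephemeral source port, not a service port on the attacking host, so it says nothing about the kind of port-5060/8080 exposure the abstract refers to.

```python
"""Frequency and overlap analysis of failed SSH logins from two sensors.

Added example, not code from the thesis. All log lines, IPs and the
country table below are constructed; the Kippo line format mirrors
Kippo's "login attempt [user/pass] failed" message and should be checked
against a real kippo.log before the regex is reused.
"""
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# OpenSSH auth-log line that DenyHosts parses. The optional "invalid user"
# prefix marks guesses against accounts that do not exist on the host.
SSHD_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    rf"from (?P<ip>{IPV4}) port (?P<port>\d+)"
)

# Kippo-style failed-login line (constructed format, see module docstring).
KIPPO_RE = re.compile(
    rf"HoneyPotTransport,\d+,(?P<ip>{IPV4})\] "
    r"login attempt \[(?P<user>[^/\]]+)/(?P<password>[^\]]*)\] failed"
)

# Constructed sample of an auth.log; the last line is a successful login
# and must not be counted.
SSHD_LOG = """\
Jun  1 03:14:07 nps-host sshd[2201]: Failed password for root from 203.0.113.10 port 51122 ssh2
Jun  1 03:14:09 nps-host sshd[2203]: Failed password for root from 203.0.113.10 port 51130 ssh2
Jun  1 03:14:12 nps-host sshd[2205]: Failed password for invalid user admin from 203.0.113.10 port 51141 ssh2
Jun  1 03:14:15 nps-host sshd[2207]: Failed password for root from 203.0.113.10 port 51150 ssh2
Jun  1 03:20:41 nps-host sshd[2250]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun  1 03:20:44 nps-host sshd[2252]: Failed password for root from 198.51.100.7 port 40031 ssh2
Jun  1 03:31:02 nps-host sshd[2301]: Failed password for invalid user oracle from 192.0.2.44 port 33891 ssh2
Jun  1 03:31:05 nps-host sshd[2303]: Accepted publickey for deploy from 198.51.100.200 port 33900 ssh2
"""

# Constructed sample of a Kippo log; the "succeeded" line is excluded too.
KIPPO_LOG = """\
2015-06-01 03:14:07+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.10] login attempt [root/123456] failed
2015-06-01 03:14:10+0000 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.10] login attempt [root/password] failed
2015-06-01 03:22:18+0000 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.99] login attempt [admin/admin] failed
2015-06-01 03:31:55+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.44] login attempt [root/toor] failed
2015-06-01 03:31:58+0000 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.44] login attempt [root/123456] succeeded
"""

# Constructed stand-in for a GeoIP database: IP -> placeholder country label.
# 198.51.100.99 is deliberately missing to exercise the "unknown" path.
GEO = {"203.0.113.10": "AA", "198.51.100.7": "BB", "192.0.2.44": "AA"}


def parse_sshd(text):
    """Return (ip, user, source_port) for every failed-password line."""
    matches = (SSHD_RE.search(line) for line in text.splitlines())
    return [(m.group("ip"), m.group("user"), int(m.group("port"))) for m in matches if m]


def parse_kippo(text):
    """Return (ip, user, password) for every failed honeypot login."""
    matches = (KIPPO_RE.search(line) for line in text.splitlines())
    return [(m.group("ip"), m.group("user"), m.group("password")) for m in matches if m]


def attempts_per_ip(records):
    """Count attempts by originating IP (first field of each record)."""
    return Counter(r[0] for r in records)


def top_usernames(records, n=3):
    """Most-guessed account names across a record set."""
    return Counter(r[1] for r in records).most_common(n)


def shared_sources(counts_a, counts_b):
    """IPs that attacked both sensors, sorted for stable output."""
    return sorted(set(counts_a) & set(counts_b))


def by_country(counts, geo):
    """Roll per-IP counts up by country; unmapped IPs land in 'unknown'."""
    out = Counter()
    for ip, n in counts.items():
        out[geo.get(ip, "unknown")] += n
    return out


if __name__ == "__main__":
    sshd = attempts_per_ip(parse_sshd(SSHD_LOG))
    kippo = attempts_per_ip(parse_kippo(KIPPO_LOG))
    print("sshd top sources:", sshd.most_common(3))
    print("kippo top sources:", kippo.most_common(3))
    print("seen by both sensors:", shared_sources(sshd, kippo))
    print("sshd by country:", dict(by_country(sshd, GEO)))
    print("kippo by country:", dict(by_country(kippo, GEO)))
```

On the constructed sample the single IP 203.0.113.10 accounts for four of seven failures on the production host and two of four on the honeypot, and two of the three production sources also appear on the honeypot, which is the kind of cross-sensor overlap the thesis looks for. The "unknown" bucket matters in practice: a GeoIP miss should be reported, not silently dropped, or the per-country totals will not add up to the per-IP totals.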
Document Details
- Document Type
- Technical Report
- Publication Date
- Sep 01, 2015
- Accession Number
- ADA632450
Entities
People
- Jeffry P. Macy II
Organizations
- Naval Postgraduate School