Please use this identifier to cite or link to this item: https://ah.lib.nccu.edu.tw/handle/140.119/114948
Title: A Study on Detecting SSH Dictionary Attacks Using Network Traffic
Authors: 薛昱仁; 蕭漢威
Keywords: Dictionary Attack; Network Traffic (NetFlow); Data Mining; Network Attack
Date: 2008
Uploaded: 30-Nov-2017
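Abstract: With the rapid development of all kinds of Internet applications, authenticating identity over the network is an unavoidable process, and password authentication remains a method that cannot yet be replaced. A dictionary attack guesses a user's likely password using words that commonly appear in a dictionary, so this technique is still used by intruders as one of their main means of intrusion. Observation of the Taiwan Academic Network in recent years shows that intruders frequently attempt to break into school hosts using dictionary attacks. As network programming techniques have advanced, many mechanisms that automate intrusion by dictionary attack have been developed, so these attacks are becoming increasingly serious and are a burden on network administrators at every level.

This study uses NetFlow traffic data, collecting traffic records of dictionary attacks against SSH, and builds an effective detection module using classification analysis techniques from data mining. The study shows empirically that the detection module performs well, reaching a prediction accuracy above 90%. We believe the results can help network administrators automatically find potential ongoing SSH dictionary attacks in network traffic records, which is of great help in improving network security protection.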
With the rapid growth of technology, many application systems need to authenticate users over the Internet. Passwords are an intrinsic means of authentication in daily life. An adversary's attempt to log in to accounts by trying all possible passwords is called a dictionary attack. When we inspected server authentication logs in the TANET environment, we found a large number of failed login records. This implies that dictionary attacks are a serious form of intrusion that needs to be defended against.

In this paper, we propose an SSH dictionary attack detection module. We used two well-known data mining classification algorithms, Naive Bayes and C4.5, to build the detection module. We collected one month of real-world NetFlow data for normal SSH traffic and SSH dictionary attacks as training samples. As a result, the detection module achieves a detection accuracy of over 90%. We hope that this result will help network managers detect implicit dictionary attack behavior from network traffic data and improve network security.
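Relation: Proceedings of papers presented at the 2008 Taiwan Internet Conference
Information Security (including information ethics and intellectual property protection)
Type: conference
Appears in Collections: Conference Papers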

Files in This Item:
File: 788.pdf; Size: 190.09 kB; Format: Adobe PDF
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.