Open Access
ARTICLE
Network Log-Based SSH Brute-Force Attack Detection Model
1 Department of Convergence Information Security, Graduate School, Jeju National University, Jeju, 63243, Korea
2 Department of Computer Engineering, National Institute of Technology Kurukshetra, Kurukshetra, 136119, India
* Corresponding Author: Namje Park. Email:
(This article belongs to the Special Issue: Management of Security, Privacy and Trust of Multimedia Data in Mobile devices communication)
Computers, Materials & Continua 2021, 68(1), 887-901. https://doi.org/10.32604/cmc.2021.015172
Received 09 November 2020; Accepted 15 February 2021; Issue published 22 March 2021
Abstract
The rapid advancement of IT technology has enabled the quick discovery, sharing and collection of quality information, but has also increased cyberattacks at a fast pace at the same time. There exists no means to block these cyberattacks completely, and all security policies need to consider the possibility of external attacks. Therefore, it is crucial to reduce external attacks through preventative measures. In general, since routers located in the upper part of a firewall can hardly be protected by security systems, they are exposed to numerous unblocked cyberattacks. Routers block unnecessary services and accept necessary ones while taking appropriate measures to reduce vulnerability, block unauthorized access, and generate relevant logs. Most logs created through unauthorized access are caused by SSH brute-force attacks, and therefore IP data of the attack can be collected through the logs. This paper proposes a model to detect SSH brute-force attacks through their logs, collect their IP address, and control access from that IP address. In this paper, we present a model that extracts and fragments the specific data required from the packets of collected routers in order to detect indiscriminate SSH input attacks. To do so, the model multiplies a user’s access records in each packet by weights and adds them to the blacklist according to a final calculated result value. In addition, the model can specify the internal IP of an attack attempt and defend against the first 29 destination IP addresses attempting the attack.Keywords
Cite This Article
Citations
This work is licensed under a Creative Commons Attribution 4.0 International License , which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.