Files in this item

WU-THESIS-2020.pdf (application/pdf, 757kB) (no description provided). Restricted to U of Illinois.

Title: Mining threat intelligence from billion-scale SSH brute-force attacks
Author(s): Wu, Yuming
Advisor(s): Iyer, Ravishankar K; Kalbarczyk, Zbigniew T
Department / Program: Electrical & Computer Eng
Discipline: Electrical & Computer Engr
Degree Granting Institution: University of Illinois at Urbana-Champaign
Subject(s): SSH honeypot; SSH brute-force attack; SSH key; SSH client version
Abstract: This thesis first presents Continuous Auditing of Secure Shell (SSH) Servers to Mitigate Brute-Force Attacks (CAUDIT), an operational system deployed at the National Center for Supercomputing Applications (NCSA) at the University of Illinois. One of CAUDIT's key features is a honeypot, which attracted and recorded 11 billion SSH brute-force attack attempts targeting the operational system at NCSA from February 2017 to November 2019. Based on the attack data, this thesis then presents a comprehensive study characterizing the nature of the 11 billion attack attempts. We report the nature of these attacks in terms of i) persistence (i.e., consecutively attacking over an entire year), ii) targeted strategies (i.e., using stolen SSH keys), iii) large-scale evasion techniques (i.e., using randomized SSH client versions) to bypass signature detectors, and iv) behaviors of human-supervised botnets. The significance of our analyses for security operators includes i) discerning cross-country attacks from persistent attacks, ii) notifying cloud providers and IoT vendors about stolen SSH keys so that they can verify the effectiveness of software patches, iii) deterring the above evasion techniques by using anomaly detectors/rate limiters, and iv) differentiating between fully automated attacks and more sophisticated attacks driven by humans. The work in this thesis was completed in two stages along with two papers. The first paper was published in the 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI'19), and the second paper is to be published in the Workshop on Decentralized IoT Systems and Security (DISS) 2020. We collaborated with NCSA, which provided us with the network operational system and attack data. The research and analysis were performed jointly with the co-authors of the two papers. My specific contribution, highlighted in this thesis, is the threat intelligence analysis.
Issue Date: 2020-04-13
Rights Information: Copyright 2020 Yuming Wu
Date Available in IDEALS: 2020-08-26
Date Deposited: 2020-05