Institutional Digital Repository
Shreenivas Deshpande Library, IIT (BHU), Varanasi

BruSSH: Early Detection of Distributed Brute Force SSH Attacks Using LSTM

Abstract

Secure Socket Shell, also known as Secure Shell (SSH), refers to the cryptographic network protocol and suite of implementation utilities that help users connect to a computer over an unsecured network. Although SSH provides strong authentication and encryption mechanisms to protect the data shared between an SSH client and an SSH server, cybercriminals relentlessly exploit SSH servers through brute-force attacks using common username and password combinations. These attacks are still prevalent because many servers are misconfigured: some servers use default usernames and passwords, and some use predictable usernames and easily guessed passwords. Moreover, these attacks pose significant challenges to existing detection methods because attackers use distributed brute-forcing, in which multiple sources repeatedly attempt to log into an SSH server by guessing possible username and password combinations. Distributed brute-force attacks are harder to detect because IP addresses and port numbers change every time. Additionally, the majority of traditional detection systems rely on post-event analysis, which leads to delayed response times and increased vulnerability. To overcome these problems, we present BruSSH, which utilizes a Long Short-Term Memory (LSTM) neural network for the early and accurate detection of distributed brute-force SSH attacks. Leveraging the capabilities of LSTM, we train our model using cumulative login failure counts per event, allowing it to forecast future login failure counts. Furthermore, BruSSH identifies the suspicious IP addresses associated with malicious activity. To verify the validity of our proposed method, we tested BruSSH with two publicly available datasets. The experimental results show that our method achieves favorable results in the detection of distributed brute-force SSH attacks. © 2024 IEEE.
