Similarities and Differences in Patterns and Geolocation of SSH Attack Data.

摘要

Cyber attacks are becoming more prevalent across all sectors of government, business, and academia. Academic networks can be more vulnerable to attack because of a lack of resources and funding. This thesis analyzed unsuccessful Secure Shell (SSH) login attempts with data extracted from the DenyHosts service on the Naval Postgraduate School's (NPS) network, and compared it to SSH logon data from a Kippo SSH honeypot independent from the NPS network to determine patterns in activity associated with geolocation. Additionally, this thesis analyzed the frequency of the originating IP address, then tried to determine if proxies were being used and how regularly. We identified similar characteristics of attacking hosts for both networks, and noted an excessive of use of vulnerable platforms and ports. Our methodology did not allow us to ascertain if any of the attacks were automated, but we have high confidence that the remote sites were compromised because of their preponderant use of vulnerable software. Also we identified common use of ports 5060 and 8080 suggesting possible botnet activity associated to these sites.