DOI: 10.5555/3620237.3620477

Network detection of interactive SSH impostors using deep learning

Published: 09 August 2023

Abstract

Impostors who have stolen a user's SSH login credentials can inflict significant harm on the systems to which the user has remote access. We consider the problem of identifying such impostors when they conduct interactive SSH logins by detecting discrepancies in the timing and sizes of the client-side data packets, which generally reflect the typing dynamics of the person sending keystrokes over the connection.
The problem of keystroke authentication using unknown freeform text has received limited-scale study to date. We develop a supervised approach based on using a transformer (a sequence model from the ML deep learning literature) and a custom "partition layer" that, once trained, takes as input the sequence of client packet timings and lengths, plus a purported user label, and outputs a decision regarding whether the sequence indeed corresponds to that user. We evaluate the model on 5 years of labeled SSH PCAPs (spanning 3,900 users) from a large research institute. While the performance specifics vary with training levels, we find that in all cases the model can catch over 95% of (injected) impostors within the first minutes of a connection, while incurring a manageable level of false positives per day.

Published In

SEC '23: Proceedings of the 32nd USENIX Conference on Security Symposium
August 2023
7552 pages
ISBN: 978-1-939133-37-3

Sponsors

  • Meta
  • Google Inc.
  • NSF
  • IBM
  • Futurewei Technologies

Publisher

USENIX Association

United States

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Acceptance Rates

Overall Acceptance Rate 40 of 100 submissions, 40%
