Profiling Attacker Behavior Following SSH Compromises

Edinburgh, UK June 25-June 28

DOI Bookmark:

http://doi.ieeecomputersociety.org/10.1109/DSN.2007.76

37th Annual IEEE/IFIP International C ...

	This Article
	PURCHASE ARTICLE: $19 PDF HTML IEEE Xplore Subscribers
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Daniel Ramsbrock Articles by Robin Berthier Articles by Michel Cukier

	ASCII Text	x
	Daniel Ramsbrock, Robin Berthier, Michel Cukier, "Profiling Attacker Behavior Following SSH Compromises," Dependable Systems and Networks, International Conference on, pp. 119-124, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07), 2007.

	BibTex	x
	@article{ 10.1109/DSN.2007.76, author = {Daniel Ramsbrock and Robin Berthier and Michel Cukier}, title = {Profiling Attacker Behavior Following SSH Compromises}, journal ={Dependable Systems and Networks, International Conference on}, volume = {0}, year = {2007}, isbn = {0-7695-2855-4}, pages = {119-124}, doi = {http://doi.ieeecomputersociety.org/10.1109/DSN.2007.76}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Dependable Systems and Networks, International Conference on TI - Profiling Attacker Behavior Following SSH Compromises SN - 0-7695-2855-4 SP119 EP124 A1 - Daniel Ramsbrock, A1 - Robin Berthier, A1 - Michel Cukier, PY - 2007 KW - null VL - 0 JA - Dependable Systems and Networks, International Conference on ER -

Daniel Ramsbrock, University of Maryland, USA

Robin Berthier, University of Maryland, USA

Michel Cukier, University of Maryland, USA

This practical experience report presents the results of an experiment aimed at building a profile of attacker behavior following a remote compromise. For this experiment, we utilized four Linux honeypot computers running SSH with easily guessable passwords. During the course of our research, we also determined the most commonly attempted usernames and passwords, the average number of attempted logins per day, and the ratio of failed to successful attempts. To build a profile of attacker behavior, we looked for specific actions taken by the attacker and the order in which they occurred. These actions were: checking the configuration, changing the password, downloading a file, installing/running rogue code, and changing the system configuration.

Citation:

Daniel Ramsbrock, Robin Berthier, Michel Cukier, "Profiling Attacker Behavior Following SSH Compromises," dsn, pp.119-124, 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07), 2007

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.