Title: Modelling and visualising SSH brute force attack behaviours through a hybrid learning framework

Authors: Xiao Luo; Chengchao Yao; A. Nur Zincir-Heywood

Addresses: Department of Computer Information Technology, Indiana University-Purdue University Indianapolis (IUPUI), Indianapolis, IN, USA; Faculty of Computer Science, Dalhousie University, Halifax, NS, Canada; Faculty of Computer Science, Dalhousie University, Halifax, NS, Canada

Abstract: Much research has focused on increasing the network anomaly detection rate while reducing the false positive rate through exploring different learning algorithms. However, many of the learning algorithms work as a 'black box' and do not provide insight into the anomaly behaviours to support the decision-making process. This research explores a proposed hybrid learning framework to model and visualise the host-based normal and attack network behaviours. The framework consists of two major learning components: the self-organising map (SOM) is employed to recognise the network flow clusters and to visualise them on a two-dimensional space; and the Association Rule Mining (ARM) algorithm is deployed to analyse and interpret the traffic behaviours within clusters. The proposed learning framework is evaluated on six SSH traffic sets to measure how successful it is at extracting and interpreting the patterns representing normal and attack behaviours.

Keywords: data modelling; pattern visualisation; traffic analysis; network security; attack detection; learning framework.

DOI: 10.1504/IJICS.2021.117401

International Journal of Information and Computer Security, 2021, Vol. 16, No. 1/2, pp. 170-191

Received: 16 Jul 2018
Accepted: 11 Dec 2018

Published online: 27 Aug 2021
