Heavy-Tailed Distribution of the SSH Brute-Force Attack Duration in a Multi-user Environment

Abstract

Quite a number of cyber-attacks to be place against supercomputers that provide highperformancecomputing (HPC) services to public researcher. Particularly, although the secureshell protocol (SSH) brute-force attack is one of the traditional attack methods, it is still beingused. Because stealth attacks that feign regular access may occur, they are even harder to detect.In this paper, we introduce methods to detect SSH brute-force attacks by analyzing the server’sunsuccessful access logs and the firewall’s drop events in a multi-user environment. Then, we analyzethe durations of the SSH brute-force attacks that are detected by applying these methods. Theresults of an analysis of about 10 thousands attack source IP addresses show that the behaviorsof abnormal users using SSH brute-force attacks are based on human dynamic characteristics of atypical heavy-tailed distribution.