Different approaches for the detection of
SSH anomalous connections
S. GONZÁLEZ*, Instituto Tecnológico de Castilla y León, C/ López Bravo 70, Pol. Ind. Villalonquejar, 09001, Burgos, Spain.
Á. HERRERO**, Department of Civil Engineering, University of Burgos, Avenida de Cantabria s/n, 09006 Burgos, Spain.
J. SEDANO†, Instituto Tecnológico de Castilla y León, C/ López Bravo 70, Pol. Ind. Villalonquejar, 09001, Burgos, Spain.
URKO ZURUTUZA‡, Electronics and Computing Department, Mondragon University, Goiru Kalea, 2, 20500 Arrasate-Mondragon, Spain.
E. CORCHADO§, Departamento de Informática y Automática, Universidad de Salamanca, Plaza de la Merced, s/n, 37008 Salamanca, Spain.
Abstract
The Secure Shell Protocol (SSH) is a well-known standard protocol, mainly used for remotely accessing shell accounts on
Unix-like operating systems to perform administrative tasks. As a result, the SSH service has been an appealing target for
attackers, who aim either to guess root passwords through dictionary attacks or to exploit the service itself directly. To identify
such situations, this article addresses the detection of SSH anomalous connections from an intrusion detection perspective.
The main idea is to compare several strategies and approaches for a better detection of SSH-based attacks. To test the
classification performance of different classifiers and combinations of them, SSH data coming from a real-world honeynet
are gathered and analysed. For comparison purposes and to draw conclusions about data collection, both packet-based and
flow data are analysed. A wide range of classifiers and ensembles are applied to these data, as well as different validation
schemes for better analysis of the obtained results. The high-rate classification results lead to positive conclusions about the
identification of malicious SSH connections.
Keywords: Secure Shell Protocol, SSH, honeynet, intrusion detection, classifier, ensemble, cross-validation.
1 Introduction
The Secure Shell Protocol (SSH) is a standard application-layer protocol (in the TCP/IP stack) for
remote login, and it is also used for other secure network services over an insecure network. It consists
* E-mail: silvia.gonzalez@itcl.es
** E-mail: ahcosio@ubu.es
† E-mail: javier.sedano@itcl.es
‡ E-mail: uzurutuza@mondragon.edu
§ E-mail: escorchado@usal.es
© The Author 2015. Published by Oxford University Press. All rights reserved.
For Permissions, please email: journals.permissions@oup.com
doi:10.1093/jigpal/jzv047
Logic Journal of IGPL Advance Access published October 20, 2015