Abstract: In recent years, brute force attacks have become more tactical and harder to detect, so as to evade intrusion detection and prevention systems (IDS/IPS). In this paper, we show that we detected three organized or systematic brute force attack instances in actual network monitoring logs by visualizing them by source IP and detection time. One of the instances shows that specific terminals were attacked from innumerable IPs over a long period. These IPs were effectively ephemeral, because almost all of them appeared only once. We also propose a new system, DEMITASSE, for detecting such terminals at an earlier phase and mitigating the damage caused by brute force attacks that use ephemeral IPs. We conduct feasibility studies with our logs and show that DEMITASSE can detect and mitigate this kind of attack effectively.
Index Terms: Log analysis, brute force attacks, network monitoring, network security.
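As an added example that is not the paper's DEMITASSE implementation, the following Python sketch applies the idea in the abstract to constructed IDS log lines: it counts how often each source IP appears across the whole log, treats sources seen only once as ephemeral, and flags targets whose attackers are numerous and mostly ephemeral, a pattern that a per-source-IP threshold never triggers on. The log format, field names and thresholds are assumptions.

```python
# Added example (not from the paper): flag hosts whose brute-force attempts
# come from many one-shot source IPs. Log format and thresholds are assumed.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample IDS log: timestamp, source IP, target host, event type.
SAMPLE_LOG = """\
2014-03-01T00:01:02 src=203.0.113.5 dst=srv-a event=ssh_bruteforce
2014-03-02T03:14:10 src=198.51.100.8 dst=srv-a event=ssh_bruteforce
2014-03-03T11:22:01 src=192.0.2.41 dst=srv-a event=ssh_bruteforce
2014-03-05T09:07:55 src=203.0.113.90 dst=srv-a event=ssh_bruteforce
2014-03-09T21:00:13 src=192.0.2.77 dst=srv-a event=ssh_bruteforce
2014-03-04T10:00:00 src=203.0.113.77 dst=srv-b event=ssh_bruteforce
2014-03-04T10:00:05 src=203.0.113.77 dst=srv-b event=ssh_bruteforce
2014-03-04T10:00:09 src=203.0.113.77 dst=srv-b event=ssh_bruteforce
"""

def parse_log(text):
    """Return (timestamp, src, dst) tuples for brute-force events."""
    records = []
    for line in text.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("event") == "ssh_bruteforce":
            records.append((datetime.fromisoformat(ts), kv["src"], kv["dst"]))
    return records

def profile_targets(records, max_hits=1):
    """Per target: distinct sources, how many are ephemeral (seen at most
    max_hits times in the whole log), and the attack span in days."""
    hits_per_src = Counter(src for _, src, _ in records)
    srcs, times = defaultdict(set), defaultdict(list)
    for ts, src, dst in records:
        srcs[dst].add(src)
        times[dst].append(ts)
    return {
        dst: {
            "sources": len(s),
            "ephemeral": sum(1 for x in s if hits_per_src[x] <= max_hits),
            "span_days": (max(times[dst]) - min(times[dst])).days,
        }
        for dst, s in srcs.items()
    }

def flag_targets(records, min_sources=5, min_ratio=0.8):
    """Targets hit by many distinct sources that are mostly ephemeral."""
    return sorted(dst for dst, p in profile_targets(records).items()
                  if p["sources"] >= min_sources
                  and p["ephemeral"] / p["sources"] >= min_ratio)
```

In the sample, srv-b is a classic single-source brute force that per-IP counting catches, while srv-a is only visible once sources are profiled by how rarely they recur.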
The authors are with Fujitsu Laboratories LTD., 4-1-1, Kamikodanaka, Nakahara-ku, Kawasaki, Kanagawa, 211-8588, Japan (e-mail: honda.satomi@jp.fujitsu.com).
Cite: Satomi Honda, Yuki Unno, Koji Maruhashi, Masahiko Takenaka, and Satoru Torii, "Detection of Novel-Type Brute Force Attacks Used Ephemeral Springboard IPs as Camouflage," Journal of Advances in Computer Networks, vol. 2, no. 4, pp. 279-286, 2014.