Linux SSH is a solution for remote access with the required security, but is often attacked using brute force, privilege escalation, and reverse shell attack processes by an adversary. The traditional intrusion detection systems are usually incapable of seeing into the kernel and respond slowly. An audit log-based kernel attack-hardening strategy, utilizing the Linux auditd mechanism to trace activity down to specific shell system calls. These logs are in the form of vectors, and a Discrete-Time Markov Chain is used to model session behaviour, which is then classified over a Long Short-Term Memory (LSTM) network. Response at the kernel level is provided through eBPF in real-time enforcement. Extended audit-based datasets were used to test the proposed system, and results indicated that the latency and detection accuracy were very low, 0.38 s and 97.84% and the false positive rate was also low at 1.12% with minimal CPU and memory overhead. The audit-based approach is a scalable, real-time intrusion prevention application of SSH that would harden the audit security posture of system software so that it succeeds against emerging patterns of attack.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Linux Kernel Hardening Against SSH Attacks: An Audit Log-Driven Approach

  • S. Premkumar,
  • Edwin Shalom Soji

摘要

Linux SSH is a solution for remote access with the required security, but is often attacked using brute force, privilege escalation, and reverse shell attack processes by an adversary. The traditional intrusion detection systems are usually incapable of seeing into the kernel and respond slowly. An audit log-based kernel attack-hardening strategy, utilizing the Linux auditd mechanism to trace activity down to specific shell system calls. These logs are in the form of vectors, and a Discrete-Time Markov Chain is used to model session behaviour, which is then classified over a Long Short-Term Memory (LSTM) network. Response at the kernel level is provided through eBPF in real-time enforcement. Extended audit-based datasets were used to test the proposed system, and results indicated that the latency and detection accuracy were very low, 0.38 s and 97.84% and the false positive rate was also low at 1.12% with minimal CPU and memory overhead. The audit-based approach is a scalable, real-time intrusion prevention application of SSH that would harden the audit security posture of system software so that it succeeds against emerging patterns of attack.