Linux Kernel Hardening Against SSH Attacks: An Audit Log-Driven Approach
摘要
Linux SSH is a solution for remote access with the required security, but is often attacked using brute force, privilege escalation, and reverse shell attack processes by an adversary. The traditional intrusion detection systems are usually incapable of seeing into the kernel and respond slowly. An audit log-based kernel attack-hardening strategy, utilizing the Linux auditd mechanism to trace activity down to specific shell system calls. These logs are in the form of vectors, and a Discrete-Time Markov Chain is used to model session behaviour, which is then classified over a Long Short-Term Memory (LSTM) network. Response at the kernel level is provided through eBPF in real-time enforcement. Extended audit-based datasets were used to test the proposed system, and results indicated that the latency and detection accuracy were very low, 0.38 s and 97.84% and the false positive rate was also low at 1.12% with minimal CPU and memory overhead. The audit-based approach is a scalable, real-time intrusion prevention application of SSH that would harden the audit security posture of system software so that it succeeds against emerging patterns of attack.