Clustering of SSH brute-force attack logs using k-clique percolation
H. Studiawan, B. Pratomo, R. Anggoro
2016 International Conference on Information & Communication Technology and Systems (ICTS)
DOI: 10.1109/ICTS.2016.7910269 (https://doi.org/10.1109/ICTS.2016.7910269)
Citations: 5
Abstract
Brute-force attacks against the SSH service still persist in server environments. Existing methods have not applied graph theory to analyze the authentication log that records these attacks. Therefore, we model the log as a graph and propose k-clique percolation to cluster the auth.log file, helping system administrators inspect this kind of incident. k-clique percolation has proven itself in clustering biological networks, and we apply it to this problem. We then provide an edge-removal mechanism to separate the generated clusters and make the clustering output clear. Experimental results show that this approach is appropriate for clustering raw logs of SSH brute-force attacks.
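As an added illustration of the pipeline the abstract describes (example code, not the authors' implementation): the auth.log excerpt is constructed, the log-to-graph model that links two sshd events sharing a source IP or user name is an assumption, and reading "edge removal" as cutting edges that cross community boundaries is our interpretation.

```python
import re
from itertools import combinations
# Constructed auth.log excerpt (not from the paper): two brute-force sources, one legitimate login.
AUTH_LOG = """\
Mar  1 10:00:01 srv sshd[201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:02 srv sshd[202]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:03 srv sshd[203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:04 srv sshd[204]: Failed password for invalid user test from 198.51.100.9 port 50001 ssh2
Mar  1 10:00:05 srv sshd[205]: Failed password for invalid user test from 198.51.100.9 port 50002 ssh2
Mar  1 10:00:06 srv sshd[206]: Failed password for root from 198.51.100.9 port 50003 ssh2
Mar  1 10:00:07 srv sshd[207]: Accepted publickey for alice from 192.0.2.7 port 60001 ssh2
"""
EVENT_RE = re.compile(r"sshd\[(\d+)\]: (?:Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+)")
def parse_events(text):
    """Map sshd pid -> (user, source IP) for each authentication line."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events[int(m.group(1))] = (m.group(2), m.group(3))
    return events
def build_graph(events):
    """Assumed log-to-graph model: one node per event, an edge when two events share a user or an IP."""
    adj = {pid: set() for pid in events}
    for a, b in combinations(events, 2):
        if events[a][0] == events[b][0] or events[a][1] == events[b][1]:
            adj[a].add(b)
            adj[b].add(a)
    return adj
def k_clique_communities(adj, k):
    """k-clique percolation: k-cliques that share k-1 nodes are merged into one community."""
    cliques = [frozenset(c) for c in combinations(adj, k)
               if all(v in adj[u] for u, v in combinations(c, 2))]
    parent = list(range(len(cliques)))  # union-find over the clique graph
    def find(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j in combinations(range(len(cliques)), 2):
        if len(cliques[i] & cliques[j]) >= k - 1:
            parent[find(i)] = find(j)
    groups = {}
    for i, c in enumerate(cliques):
        groups.setdefault(find(i), set()).update(c)
    return sorted(groups.values(), key=min)
def separate_clusters(adj, communities):
    """Edge removal (our reading of the paper's step): keep only edges that lie inside one community."""
    member = {n: i for i, c in enumerate(communities) for n in c}
    return {u: {v for v in nbrs if u in member and member.get(v) == member[u]} for u, nbrs in adj.items()}
```

With k=3 the two attack sources form two communities; the shared user name "root" creates a single edge (events 203 and 206) between them, and the edge-removal step cuts it so each cluster becomes its own component, while the lone legitimate login stays unclustered.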