2016 6th International Conference on IT Convergence and Security (ICITCS)

Abstract

SSH attacks are of various types: SSH port scanning, SSH brute-force attacks, and attacks launched from a compromised SSH server. Attacks using a compromised server include DoS attacks, phishing attacks, e-mail spamming, and so on. This paper asks whether attacks originating from a compromised SSH server can be separated from the other attacks using network flows. In this work, we categorize SSH attacks into two types. The first category consists of all attack activities after a successful compromise of an SSH server; we name these "severe" attacks. The second type includes all attacks leading up to a successful compromise: SSH port scanning, SSH brute-force attacks, and a compromised SSH server with no further activity. This second category is named "not-so-severe" attacks. We employ machine learning algorithms, namely a Naive Bayes learner, logistic regression, the J48 decision tree, and a support vector machine, to classify these attacks. Suitable features were selected based on domain knowledge, a literature survey, and a feature selection technique, and the performance of the machine learning algorithms was evaluated using the metrics accuracy, sensitivity, precision, and F-score.
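The abstract describes a two-class flow classifier ("severe" post-compromise activity versus "not-so-severe" scanning, brute force and idle compromised hosts) and the four metrics used to score it. The example below is an added illustration, not code from the paper: it trains a minimal Gaussian Naive Bayes learner on constructed per-flow features (duration, packet count, byte count; the paper's actual feature set and data are not given on this page), predicts the class of two held-out flows, and computes accuracy, sensitivity, precision and F-score with "severe" as the positive class. All flow records and feature names are invented for illustration.

```python
import math
from collections import defaultdict

# Constructed per-flow records (NOT from the paper): (duration_s, packets, bytes)
# labelled with the paper's two categories. Post-compromise activity (floods,
# spam relaying) tends to be long and bulky; scans and brute force are short.
TRAIN = [
    ((120.0, 4000, 3_000_000), "severe"),
    ((300.0, 9000, 8_000_000), "severe"),
    ((90.0, 2500, 2_000_000), "severe"),
    ((200.0, 6000, 5_000_000), "severe"),
    ((0.5, 6, 400), "not-so-severe"),
    ((1.2, 20, 1500), "not-so-severe"),
    ((0.3, 4, 300), "not-so-severe"),
    ((2.0, 30, 2500), "not-so-severe"),
]


def gaussian_nb_fit(samples):
    """Estimate per-class log prior and per-feature mean/variance."""
    by_class = defaultdict(list)
    for x, y in samples:
        by_class[y].append(x)
    model = {}
    for label, rows in by_class.items():
        means, variances = [], []
        for j in range(len(rows[0])):
            col = [r[j] for r in rows]
            mu = sum(col) / len(col)
            var = sum((v - mu) ** 2 for v in col) / len(col)
            means.append(mu)
            variances.append(var + 1e-9)  # smoothing guards against zero variance
        model[label] = (math.log(len(rows) / len(samples)), means, variances)
    return model


def gaussian_nb_predict(model, x):
    """Return the class with the highest log posterior (prior + Gaussian log-likelihoods)."""
    best_label, best_score = None, -math.inf
    for label, (log_prior, means, variances) in model.items():
        score = log_prior
        for v, mu, var in zip(x, means, variances):
            score += -0.5 * math.log(2 * math.pi * var) - (v - mu) ** 2 / (2 * var)
        if score > best_score:
            best_label, best_score = label, score
    return best_label


def evaluate(y_true, y_pred, positive="severe"):
    """Confusion counts plus the four metrics named in the abstract."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p != positive)
    total = tp + fp + fn + tn
    accuracy = (tp + tn) / total if total else 0.0
    sensitivity = tp / (tp + fn) if tp + fn else 0.0   # recall on "severe"
    precision = tp / (tp + fp) if tp + fp else 0.0
    f_score = (2 * precision * sensitivity / (precision + sensitivity)
               if precision + sensitivity else 0.0)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn, "accuracy": accuracy,
            "sensitivity": sensitivity, "precision": precision, "f_score": f_score}


MODEL = gaussian_nb_fit(TRAIN)

# Constructed held-out flows: one bulky long-lived flow, one tiny probe.
HELDOUT = [((150.0, 5000, 4_000_000), "severe"), ((0.8, 10, 700), "not-so-severe")]


def classify_heldout():
    """Predict the held-out flows and score them; returns (predictions, metrics)."""
    preds = [gaussian_nb_predict(MODEL, x) for x, _ in HELDOUT]
    return preds, evaluate([y for _, y in HELDOUT], preds)


if __name__ == "__main__":
    predictions, metrics = classify_heldout()
    for (x, y), p in zip(HELDOUT, predictions):
        print(f"flow {x}: true={y} predicted={p}")
    print(metrics)
```

Sensitivity here is the fraction of truly "severe" flows the classifier catches, which is the quantity a defender cares about most: a missed post-compromise flow is a live abuse source, while a false positive on a scan only costs analyst time. Tuning the decision threshold, or the class prior, trades one against the other, and the F-score summarizes that trade-off.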