TOPASE: Detection and Prevention of Brute Force Attacks with Disciplined IPs from IDS Logs

Brute force attacks are used to obtain pairs of user names and passwords illegally by using all existing pairs to login to network services. These are a major security threat faced by network service administrators. In general, to prevent brute force attacks, administrators can set limitations on the number of login trials and shut down the traffic of brute force attacks with an intrusion prevention system (IPS) at the entry point to their services. In recent years, stealthy brute force attacks that can avoid the security rules and IPS and intrusion detection system (IDS) detection have appeared. Attackers tend to arrange a large amount of hosts and allocate them fewer login trials than the limitations administrators set. In this paper, we report a kind of distributed brute force attack event (brute force attacks with disciplined IPs, or DBF) against the Remote Desktop Protocol (RDP) by analyzing IDS logs integrated from multiple sites. In DBF, a particular number of attacks is repeated automatically from a host to a service over a period. For this reason, existing countermeasures have no effect on DBF. We investigate the structure of DBF and improve the existing countermeasure system. We also present TOPASE, which is replaced at each step of the existing countermeasure system and is suitable for DBF countermeasures. TOPASE analyzes the regularity of login trials between a source host and a destination host. Furthermore, TOPASE intercepts the network traffic from the source host of the brute force attack for a specific period. As a result of the evaluation with our IDS log, we estimate the performance of TOPASE and clarify the factors that maximize TOPASE’s effectiveness.