Detection of SSH host spoofing in control systems through network telemetry analysis

2014 
Modern networking architectures are designed with high scalability in mind, and different protocols can be encapsulated to support different systems. Machine identifiers (IP and MAC addresses) in network packets can be modified easily, so a server cannot rely on them to determine whether a connecting machine is allowed to communicate. Cryptographic functions have been used in protocols such as Secure Shell (SSH) to establish the authenticity of network nodes, but they can be circumvented by social engineering and brute-force attacks. This research effort created a new classifier that processes network telemetry to determine the authenticity of SSH clients in a control system's network. Within the control system's network, the developed classifier differentiated with 100% accuracy between SSH connections from machines that transmitted identical MAC and IP addresses and used the same RSA key for authentication.