Modelling and visualising SSH brute force attack behaviours through a hybrid learning framework

Much research has focused on increasing the network anomaly detection rate while reducing the false positive rate through exploring different learning algorithms. However, many of the learning algorithms work as a 'black box' and do not provide insight into the anomaly behaviours to support the decision-making process. This research explores a proposed hybrid learning framework to model and visualise the host-based normal and attack network behaviours. The framework consists of two major learning components: the self-organising map (SOM) is employed to recognise the network flow clusters and to visualise them on a two-dimensional space; and the Association Rule Mining (ARM) algorithm is deployed to analyse and interpret the traffic behaviours within clusters. The proposed learning framework is evaluated on six SSH traffic sets to measure how successful it is at extracting and interpreting the patterns representing normal and attack behaviours.