Full Picture

Article analysis:

The article discusses a new approach to detecting stealthy, distributed SSH brute-forcing attacks. The authors develop and evaluate their detector on eight years of SSH login records collected at the Lawrence Berkeley National Laboratory. They measure and quantify the duration, intensity, and behavior of the detected attacks and find multiple large-scale coordinated attacks from botnets.

The article provides a comprehensive review of related work in three domains: coordinated attack detection, SSH brute-force attack detection, and studies of the prevalence of SSH brute-forcing activity. However, the article does not provide enough evidence to support its claims that its approach is superior to existing methods. The authors claim that all the attacks they detect would have been completely missed by a point-wise host-based detector. Still, they do not provide any evidence to support this claim.

The article also lacks discussion on potential biases or limitations in their approach. For example, it is unclear how their detector would perform against more sophisticated attackers who use techniques such as password spraying or credential stuffing instead of brute-forcing.

Furthermore, while the authors discuss the prevalence of SSH brute-force attacks in previous studies, they do not explore why these attacks are so prevalent or what can be done to prevent them. Additionally, there is no discussion on potential risks associated with detecting these attacks or how false positives could impact legitimate users' access.

Overall, while the article provides valuable insights into detecting stealthy SSH brute-forcing attacks, it lacks sufficient evidence to support its claims and does not address potential biases or limitations in its approach adequately.