• DocumentCode
    710802
  • Title
    Topic modeling of SSH logs using latent dirichlet allocation for the application in cyber security
  • Author
    Aswani, Krishna ; Cronin, Aidan ; Xirui Liu ; Heyuan Zhao
  • Author_Institution
    Univ. of Virginia, Charlottesville, VA, USA
  • fYear
    2015
  • fDate
    24 April 2015
  • Firstpage
    75
  • Lastpage
    79
  • Abstract
    Cyber intrusions are one of the main concerns across the Internet, and the substantial increase in network traffic has made the detection of each unauthorized access extremely difficult. Brute-force attacks are the most common form of malicious traffic. Many new techniques have been developed to detect such attacks in real time and prevent them; the majority of them monitor the sequential transfers between users/IPs and the network. However, although many networks now monitor their logs and can identify when brute-force attacks occur, they cannot provide more detailed information about an attack (such as where it comes from and how it proceeds) without some form of direct visual inspection of the logs. In this paper, we explore Latent Dirichlet Allocation (LDA) as a form of topic modeling of IP addresses through SSH authentication logs, with the final goal of automating the classification of users. Using textual topics, i.e. the "top words" associated with the logs, we differentiate legitimate users from brute-force attackers according to their IP addresses, and we discuss the potential of topic modelling for identifying and further classifying cyber threats.
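The abstract's pipeline, worked through as an added example (this is not code from the paper or its authors; the paper's own implementation, hyperparameters and data are not reproduced here). It tokenises sshd authentication lines, builds one document per source IP, fits a two-topic LDA with a small collapsed Gibbs sampler in plain Python, and then reads each topic's top words to decide which topic is the brute-force one. Everything beyond the abstract's idea is an assumption of this example: the stop-word list, K=2, alpha=beta=0.1, the keep-best-of-four-restarts strategy, and the sample log lines, addresses and account names, which are constructed rather than captured.

```python
import math
import random
import re
from collections import defaultdict

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
STOPWORDS = {"for", "from", "port", "user", "ssh"}  # present in every sshd line, no signal

def tokenize(line):
    """Lower-cased message words of one sshd syslog line; timestamp, host, pid,
    address and port are dropped so only the event vocabulary remains."""
    msg = line.split("]: ", 1)[-1]  # strip "Mon DD HH:MM:SS host sshd[pid]: "
    return [w for w in re.findall(r"[a-z]{3,}", msg.lower()) if w not in STOPWORDS]

def build_documents(lines):
    """One 'document' per source IP: tokens of every line naming that IP. Lines with
    no address (pam_unix session lines, etc.) cannot be attributed and are skipped."""
    docs = defaultdict(list)
    for line in lines:
        match = IPV4_RE.search(line)
        if match:
            docs[match.group(1)].extend(tokenize(line))
    return dict(docs)

def _log_joint(n_dk, n_kw, n_k, alpha, beta):
    """Collapsed log P(words, topics) up to a constant; used to keep the best restart."""
    K, V = len(n_kw), len(n_kw[0])
    ll = sum(sum(math.lgamma(c + alpha) for c in row) - math.lgamma(sum(row) + K * alpha)
             for row in n_dk)
    return ll + sum(sum(math.lgamma(c + beta) for c in n_kw[k]) - math.lgamma(n_k[k] + V * beta)
                    for k in range(K))

def lda_gibbs(corpus, V, K=2, iters=200, alpha=0.1, beta=0.1, seed=0):
    """Collapsed Gibbs sampler for LDA over `corpus` (one list of word ids per document).
    Returns (theta, phi, log_joint): document-topic mixtures and topic-word distributions."""
    rng = random.Random(seed)
    # counts: topics per document, words per topic, tokens per topic
    n_dk, n_kw, n_k = [[0] * K for _ in corpus], [[0] * V for _ in range(K)], [0] * K
    z = [[rng.randrange(K) for _ in doc] for doc in corpus]
    for d, doc in enumerate(corpus):
        for i, w in enumerate(doc):
            n_dk[d][z[d][i]] += 1; n_kw[z[d][i]][w] += 1; n_k[z[d][i]] += 1
    for _ in range(iters):
        for d, doc in enumerate(corpus):
            for i, w in enumerate(doc):
                k = z[d][i]            # remove the token from the counts ...
                n_dk[d][k] -= 1; n_kw[k][w] -= 1; n_k[k] -= 1
                weights = [(n_dk[d][j] + alpha) * (n_kw[j][w] + beta) / (n_k[j] + V * beta)
                           for j in range(K)]
                k = z[d][i] = rng.choices(range(K), weights)[0]  # ... and resample its topic
                n_dk[d][k] += 1; n_kw[k][w] += 1; n_k[k] += 1
    theta = [[(n_dk[d][k] + alpha) / (len(doc) + K * alpha) for k in range(K)]
             for d, doc in enumerate(corpus)]
    phi = [[(n_kw[k][w] + beta) / (n_k[k] + V * beta) for w in range(V)] for k in range(K)]
    return theta, phi, _log_joint(n_dk, n_kw, n_k, alpha, beta)

def classify_ips(lines, K=2, restarts=4, top_n=5):
    """Fit LDA on per-IP documents (best of `restarts` seeds) and return
    (ip -> dominant topic index, top words of each topic)."""
    docs = build_documents(lines)
    ips = sorted(docs)
    vocab = sorted({w for ip in ips for w in docs[ip]})
    index = {w: i for i, w in enumerate(vocab)}
    corpus = [[index[w] for w in docs[ip]] for ip in ips]
    theta, phi, _ = max((lda_gibbs(corpus, len(vocab), K, seed=s) for s in range(restarts)),
                        key=lambda fit: fit[2])
    labels = {ip: max(range(K), key=lambda k: theta[i][k]) for i, ip in enumerate(ips)}
    top = [[vocab[i] for i in sorted(range(len(vocab)), key=lambda i: -row[i])[:top_n]]
           for row in phi]
    return labels, top

def constructed_log():
    """Constructed sshd lines (documentation address ranges), not a real capture:
    eight password-guessing sources and five key-authenticated operators."""
    names = ["admin", "test", "oracle", "postgres", "ubuntu", "guest",
             "deploy", "ftpuser", "nagios", "support", "hadoop", "backup"]
    lines, n = [], 0
    for j, ip in enumerate(f"203.0.113.{h}" for h in (5, 9, 17, 23, 31, 42, 58, 77)):
        for t in range(3):  # three guessed accounts per source
            n += 1
            pre = f"Jan 10 03:00:{n:02d} bastion sshd[{2000 + n}]: "
            who, p = names[(3 * j + t) % len(names)], 40000 + n
            lines.append(pre + f"Invalid user {who} from {ip} port {p}")
            lines.append(pre + f"Failed password for invalid user {who} from {ip} port {p} ssh2")
            lines.append(pre + f"Connection closed by invalid user {who} {ip} port {p} [preauth]")
    for ip, who in (("198.51.100.7", "alice"), ("198.51.100.8", "bob"), ("198.51.100.12", "carol"),
                    ("198.51.100.20", "dave"), ("198.51.100.33", "erin")):
        for _ in range(2):  # two key-based sessions per operator
            n += 1
            pre, p = f"Jan 10 09:00:{n:02d} bastion sshd[{2000 + n}]: ", 50000 + n
            lines.append(pre + f"Accepted publickey for {who} from {ip} port {p} ssh2")
            lines.append(pre + f"Received disconnect from {ip} port {p}:11: disconnected by user")
            lines.append(pre + f"Disconnected from user {who} {ip} port {p}")
    return lines

if __name__ == "__main__":
    labels, topics = classify_ips(constructed_log())
    for k, words in enumerate(topics):
        print(f"topic {k}: {' '.join(words)}")
    print("\n".join(f"{ip:>15} -> topic {k}" for ip, k in sorted(labels.items(), key=lambda kv: kv[1])))
```

Topic indices are arbitrary, so the analyst labels a topic by its top words ("invalid", "failed", "password" versus "accepted", "publickey", "disconnected") rather than by number, which is also how the abstract frames the result. Two caveats carry over to real logs: lines that do not name a peer address (pam_unix session messages, for example) cannot be attributed to an IP and drop out of the per-IP documents, and a source that both scans and later logs in legitimately gets a mixed theta rather than a clean label, so the dominant-topic assignment is a triage signal, not a verdict.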
  • Keywords
    IP networks; Internet; authorisation; computer network security; pattern classification; telecommunication traffic; IP addresses; Internet; SSH authentication logs; brute-force attacks; cyber intrusions; cyber security; cyber threats classification; direct visual inspection; latent dirichlet allocation; malicious traffic; network traffic; sequential transfers; textual topics; topic modeling; unauthorized access; Data models; Feature extraction; Force; Hidden Markov models; IP networks; Resource management; Servers; Brute-force attacks; LDA; SSH logs; Topic model;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Systems and Information Engineering Design Symposium (SIEDS), 2015
  • Conference_Location
    Charlottesville, VA
  • Print_ISBN
    978-1-4799-1831-7
  • Type
    conf
  • DOI
    10.1109/SIEDS.2015.7117015
  • Filename
    7117015