International Journal of Electrical and Computer Engineering (IJECE)
Vol. 6, No. 4, August 2016, pp. 1681~1684
ISSN: 2088-8708, DOI: 10.11591/ijece.v6i4.10320
Journal homepage: http://iaesjournal.com/online/index.php/IJECE

Analysis of Brute Force Attacks with Ylmf-pc Signature

Anton Valeryevich Arzhakov, Dmitry Sergeevich Silnov
Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), Moscow, Russia

Article Info

Article history:
Received Jan 18, 2016
Revised Mar 14, 2016
Accepted Mar 29, 2016

Keyword:
Brute force
Mail spam
Scanning
Ylmf-pc

ABSTRACT

Brute force techniques are used in many fields of the authentication process. FTP servers, web servers and mail servers are very often threatened by attackers. An old technique for brute forcing mail services is still working, and it can be easily detected by a special signature. The main sources of attacks were detected and separated by country and time of day. Bursts of attacks were detected depending on weekdays.

Copyright © 2016 Institute of Advanced Engineering and Science. All rights reserved.

Corresponding Author:
Dmitry Sergeevich Silnov,
Department of Information Systems and Technologies,
National Research Nuclear University MEPhI (Moscow Engineering Physics Institute),
Kashirskoe sh. 31, Moscow, Russian Federation.
Email: ds@silnov.pro

1. INTRODUCTION

In today's world, information security has become a more crucial issue than ever before. With unauthorized access to certain services, an attacker can cause significant financial damage to the victim. Any modern information resource [1], [2] may be subject to attack, so the various seemingly minor attacks should not be overlooked. Such attacks include the brute force attack with the Ylmf-pc signature [3] against a mail server.

2. ANALYZING THE PROBLEM

With time, many mail server owners are faced with a situation where the server log file (an example is shown in Figure 1) is filled with lots of records about attempts to connect to the server from the user ylmf-pc. As can be seen in Figure 1, the server blocks the connection from ylmf-pc, which sends an incorrect SMTP EHLO/HELO command [4]. Ylmf-pc is the name used during authentication on the server. Upon receipt of this command, the server checks whether the name sent matches the IP address from which the command came, and if they do not match, the client is most likely an unscrupulous user. Depending on the server settings, the server either terminates such a connection or does not. The attack is aimed at obtaining the authentication password of an e-mail server via brute force. If authentication is successful, the attacker gains access to the mail server account, from which spam will subsequently be sent. It is widely believed that servers whose security was breached using ylmf-pc queries belong to one of the largest botnets, Cutwail/Pushdo [5]. However, there is no reliable information that the attacking computers or the compromised computers are part of this botnet [6].

Figure 1. An example of the log-file

As can be seen from Figure 2, there is no cyclic pattern of queries, but it should be noted that activity peaks on weekends. At the same time, it should be remembered that the time of the attacker and not of the victim should be taken into account. These observations coincide with the patterns derived in [7]. On weekdays, when servers are busy sending out spam emails, fewer resources are allocated to the botnet for its hacking attempts on new servers. But during weekends, when the spam effectiveness falls, the servers deploy the botnet to expand.

Figure 2. Activity query from ylmf-pc

The ylmf-pc brute-force attack is carried out from various IP addresses. Therefore, blocking connections by IP address will not produce the desired result. Since IP addresses rarely change country, one can see which countries have the highest activity of ylmf-pc queries. Collected statistics showed that IP addresses from the United States, the Netherlands and France account for over half of the queries. The full picture of the percentage distribution of the number of queries from different countries is shown in Figure 3. The statistics were gathered over 100 days. A total of 192,858 queries from clients with the ylmf-pc signature were recorded. The top 5 countries that sent the highest number of queries are presented in Table 1.

Figure 3. Distribution of queries by country

Table 1. Statistical results of attacker IP addresses

IP address (country of location)    Number of queries (percentage of the total number of queries)
37.59.87.23 (NL)                    43,895 (22%)
62.210.188.27 (FR)                  15,926 (8%)
198.251.79.135 (US)                 8,155 (4%)
212.225.165.70 (ES)                 7,237 (3%)
46.29.254.244 (US)                  6,413 (3%)

There were 599 unique IP addresses from which attacks were made. There was an average of 1928.58 queries, and about 80 queries per hour. That is, an average of 1.3 queries per minute. Daytime queries (9:00 to 21:00) account for 59%, while night queries (21:00 to 09:00) take up the remaining 41%. At the same time, this distribution for each country does not match. Figure 4 shows the distribution for the top 3 countries by number of queries and averaged statistics.

Figure 4. Distribution of queries (day/night)
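
The per-address, day/night and weekday/weekend breakdown described above can be reproduced from a mail log with a short script. This is an added example, not the authors' code; the log format, the sample lines and the names LINE_RE and summarize are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a simplified, hypothetical log format
# (timestamp, client IP, HELO name); adapt LINE_RE to your MTA's real format.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2016-01-09 10:15:02 client=192.0.2.10 helo=ylmf-pc rejected
2016-01-09 22:40:11 client=192.0.2.10 helo=ylmf-pc rejected
2016-01-10 03:05:47 client=198.51.100.7 helo=ylmf-pc rejected
2016-01-11 09:00:00 client=203.0.113.5 helo=mail.example.org accepted
2016-01-11 20:59:59 client=198.51.100.7 helo=YLMF-PC rejected
2016-01-12 21:00:00 client=192.0.2.10 helo=ylmf-pc rejected
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"client=(?P<ip>\S+) helo=(?P<helo>\S+)"
)

def summarize(log_text, signature="ylmf-pc"):
    """Count signature hits per source IP, day/night and weekday/weekend."""
    per_ip, period, daytype = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["helo"].lower() != signature:
            continue  # unparsable line or a different HELO name
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        per_ip[m["ip"]] += 1
        # Day is 09:00-21:00 as in the paper; timestamps are server-local.
        period["day" if 9 <= ts.hour < 21 else "night"] += 1
        daytype["weekend" if ts.weekday() >= 5 else "weekday"] += 1
    total = sum(per_ip.values())
    return {
        "total": total,
        "unique_ips": len(per_ip),
        "top": per_ip.most_common(5),
        "day_pct": round(100 * period["day"] / total) if total else 0,
        "weekend": daytype["weekend"],
        "weekday": daytype["weekday"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Because the log carries the server's clock, the day/night split reflects the victim's time zone; shifting each timestamp by the source country's offset is needed to see the attacker's local time.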

There are several approaches when it comes to protecting against this type of attack. One option is to block an IP address after several unsuccessful helo/ehlo authentication attempts. With this approach, you must not forget that connection attempts originate from multiple, dynamically allocated IP addresses, and that a blocked address may, after some time, be given to an innocent user. So the optimum ban duration should be chosen. Another option is to interrupt the session when the helo/ehlo query field contains the ylmf-pc signature. This option is preferable because the server, in this case, doesn't process the query, but rather gives a response that the query is incorrect, and immediately terminates the connection, thereby not informing the attacker about whether the data (username and password) sent by him were correct or not. Before establishing a connection, you may also want to check whether the IP address is in the list of infected IP addresses, for example, fail2ban. Another way to protect against this type of attack is to reconfigure the mail server to another port, since ylmf-pc executes the attack on the standard SMTP port. More and more various ways of protection have been emerging over time, and they are moving from one area of use to another [8].
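
The first two protections above, rejecting at HELO/EHLO on the signature and banning an address for a limited time after repeated failures, can be combined in one connection policy. This is an added sketch, not the authors' code and not any mail server's API; the class HeloGuard, its method names and its default thresholds are assumptions.

```python
import time

class HeloGuard:
    """Decide per connection: reject on a known HELO signature, or on a
    time-limited ban earned by repeated authentication failures."""

    def __init__(self, signatures=("ylmf-pc",), max_failures=3,
                 ban_seconds=3600, clock=time.monotonic):
        self.signatures = {s.lower() for s in signatures}
        self.max_failures = max_failures
        self.ban_seconds = ban_seconds      # finite: addresses get reassigned
        self.clock = clock
        self.failures = {}                  # ip -> failed attempts so far
        self.banned_until = {}              # ip -> ban expiry time

    def is_banned(self, ip):
        expiry = self.banned_until.get(ip)
        if expiry is None:
            return False
        if self.clock() >= expiry:          # ban ran out: forget the address
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def on_helo(self, ip, helo_name):
        """Return 'reject' or 'continue' before any AUTH is processed."""
        if self.is_banned(ip):
            return "reject"
        if helo_name.strip().lower() in self.signatures:
            # Drop the session at HELO/EHLO so credentials are never checked
            # and the client learns nothing about their validity.
            self.on_auth_failure(ip)
            return "reject"
        return "continue"

    def on_auth_failure(self, ip):
        """Record a failed attempt; ban the address once the limit is hit."""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.max_failures:
            self.banned_until[ip] = self.clock() + self.ban_seconds
```

The ban expires on its own and clears the failure counter, so a dynamically allocated address that later goes to a legitimate user is not blocked indefinitely.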

3. CONCLUSION

To summarize, it should be noted that despite the seeming harmlessness of ylmf-pc queries, loss of control over a mail server account, for example, an educational system [9] or even any functioning mail server, can lead to tragic consequences: your server will become part of the botnet due to the sending of various kinds of spam from it [10], and later the IP address will be included by services in the list of spam addresses (DNSBL). The issue of password guessing is massive in nature. Despite the simplicity of this attack and of the methods of protection against it, the ylmf-pc brute-force attack appears to be producing results, as this attack has been used for over five years now. This implies that its use has been successful on some servers. During the period under review, the top IP addresses in terms of number of attack attempts are IP addresses from the Netherlands and the United States. Both countries shared the first position with 44,000 ylmf-pc queries each (23% of the total).

REFERENCES

[1] D. Devjatykh, et al., "Sleep Apnea Detection Based on Dynamic Neural Networks," Communications in Computer and Information Science, vol. 466, pp. 556-567, 2014.
[2] O. G. Berestneva, et al., "Multidimensional medical data visualization methods based on generalized graphic images," World Applied Sciences Journal, vol/issue: 24(24), pp. 18-23, 2013.
[3] Sullivan B., "Preventing a Brute Force or Dictionary Attack: How to Keep the Brutes Away from your Loot," 2007. http://h71028.www7.hp.com/ERC/cache/568358-0-0-0-121.html/ (accessed on 21 February 2010).
[4] Klensin J., "RFC 5321 - Simple mail transfer protocol (SMTP)," RFC 5321, 2008.
[5] Decker A., et al., "Pushdo/cutwail botnet," 2009.
[6] Zhuang L., et al., "Characterizing Botnets from Email Spam Records," LEET, vol. 8, pp. 1-9, 2008.
[7] D. S. Silnov, "An Analysis of Modern Approaches to the Delivery of Unwanted Emails (Spam)," Indian Journal of Science and Technology, vol/issue: 9(4), 2016. DOI: 10.17485/ijst/2016/v9i4/84803.
[8] Belashenkova N. N., et al., "Protection Methods of Assessment Procedures Used in e-Learning," 13th International Conference on Emerging eLearning Technologies and Applications, pp. 27-32, 2015.

BIOGRAPHIES OF AUTHORS

Undergraduate at the Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow Engineering Physics Institute). Doing research in the field of information security.

Associate Professor at the Department of Information Systems and Technologies, National Research Nuclear University MEPhI (Moscow Engineering Physics Institute). Doing research in the field of information security.