{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,1]],"date-time":"2026-06-01T23:17:21Z","timestamp":1780355841810,"version":"3.54.1"},"reference-count":60,"publisher":"MDPI AG","issue":"11","license":[{"start":{"date-parts":[[2021,11,17]],"date-time":"2021-11-17T00:00:00Z","timestamp":1637107200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Over the last two decades (2000\u20132020), the Internet has rapidly evolved, resulting in symmetrical and asymmetrical Internet consumption patterns and billions of users worldwide. With the immense rise of the Internet, attacks and malicious behaviors pose a huge threat to our computing environment. Brute-force attack is among the most prominent and commonly used attacks, achieved out using password-attack tools, a wordlist dictionary, and a usernames list\u2014obtained through a so-called an enumeration attack. In this paper, we investigate username enumeration attack detection on SSH protocol by using machine-learning classifiers. We apply four asymmetrical classifiers on our generated dataset collected from a closed-environment network to build machine-learning-based models for attack detection. The use of several machine-learners offers a wider investigation spectrum of the classifiers\u2019 ability in attack detection. Additionally, we investigate how beneficial it is to include or exclude network ports information as features-set in the process of learning. We evaluated and compared the performances of machine-learning models for both cases. The models used are k-nearest neighbor (K-NN), na\u00efve Bayes (NB), random forest (RF) and decision tree (DT) with and without ports information. Our results show that machine-learning approaches to detect SSH username enumeration attacks were quite successful, with KNN having an accuracy of 99.93%, NB 95.70%, RF 99.92%, and DT 99.88%. Furthermore, the results improve when using ports information.<\/jats:p>","DOI":"10.3390\/sym13112192","type":"journal-article","created":{"date-parts":[[2021,11,17]],"date-time":"2021-11-17T21:32:07Z","timestamp":1637184727000},"page":"2192","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":10,"title":["Detection of Username Enumeration Attack on SSH Protocol: Machine Learning Approach"],"prefix":"10.3390","volume":"13","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-2155-8981","authenticated-orcid":false,"given":"Abel Z.","family":"Agghey","sequence":"first","affiliation":[{"name":"School of Computation and Communication Science and Engineering, The Nelson Mandela African Institution of Science and Technology, Arusha 23311, Tanzania"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9737-8514","authenticated-orcid":false,"given":"Lunodzo J.","family":"Mwinuka","sequence":"additional","affiliation":[{"name":"Computing Science Studies, Mzumbe University, Morogoro 67311, Tanzania"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6618-9550","authenticated-orcid":false,"given":"Sanket M.","family":"Pandhare","sequence":"additional","affiliation":[{"name":"Center for Excellence in Information Technologies, Pune 411008, India"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7143-8953","authenticated-orcid":false,"given":"Mussa A.","family":"Dida","sequence":"additional","affiliation":[{"name":"School of Computation and Communication Science and Engineering, The Nelson Mandela African Institution of Science and Technology, Arusha 23311, Tanzania"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jema D.","family":"Ndibwile","sequence":"additional","affiliation":[{"name":"College of Engineering, Carnegie Mellon University Africa, Kigali BP 6150, Rwanda"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2021,11,17]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"127","DOI":"10.18178\/joams.5.2.127-132","article-title":"Current state on internet growth and usage in Saudi Arabia and its ability to support e-commerce development","volume":"5","author":"Alshehri","year":"2017","journal-title":"J. Adv. Manag. Sci."},{"key":"ref_2","first-page":"75","article-title":"The importance of internet and online social networks in the Spanish hotel sector","volume":"12","year":"2016","journal-title":"Appl. Comput. Sci."},{"key":"ref_3","unstructured":"(2021, May 21). World Internet Users Statistics and 2021 World Population Stats. Available online: https:\/\/www.internetworldstats.com\/stats.htm."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"307","DOI":"10.1016\/j.jnca.2013.08.001","article-title":"Network attacks: Taxonomy, tools and systems","volume":"40","author":"Hoque","year":"2014","journal-title":"J. Netw. Comput. Appl."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Jaw, E., and Wang, X. (2021). Feature Selection and Ensemble-Based Intrusion Detection System: An Efficient and Comprehensive Approach. Symmetry, 13.","DOI":"10.3390\/sym13101764"},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Najafabadi, M.M., Khoshgoftaar, T.M., Kemp, C., Seliya, N., and Zuech, R. (2014, January 10\u201312). Machine learning for detecting brute force attacks at the network level. Proceedings of the 2014 IEEE International Conference on Bioinformatics and Bioengineering, Boca Raton, FL, USA.","DOI":"10.1109\/BIBE.2014.73"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"973","DOI":"10.1016\/j.jcss.2014.02.005","article-title":"A survey of emerging threats in cybersecurity","volume":"80","author":"Nepal","year":"2014","journal-title":"J. Comput. Syst. Sci."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1016\/S1353-4858(20)30056-8","article-title":"Hybrid intrusion detection system using machine learning","volume":"2020","author":"Meryem","year":"2020","journal-title":"Netw. Secur."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"503","DOI":"10.1016\/j.procs.2015.04.126","article-title":"Network security and types of attacks in network","volume":"48","author":"Pawar","year":"2015","journal-title":"Procedia Comput. Sci."},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Sheikh, A.F. (2020). CompTIA Security+ Certification Study Guide, Apress.","DOI":"10.1007\/978-1-4842-6234-4"},{"key":"ref_11","doi-asserted-by":"crossref","first-page":"57","DOI":"10.1016\/j.comnet.2018.03.013","article-title":"Security against passive attacks on network coding system\u2014A survey","volume":"138","author":"Liu","year":"2018","journal-title":"Comput. Netw."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Srivastava, M. (2021). An Introduction to Network Security Attacks. Inventive Systems and Control, Springer Nature.","DOI":"10.1007\/978-981-16-1395-1_37"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Nagamalai, D., Renault, E., and Dhanuskodi, M. (2011). Trends in Computer Science, Engineering and Information Technology: Proceedings of the First International Conference (CCSEIT) Tirunelveli, Tamil Nadu, India, 23\u201325 September 2011, Springer.","DOI":"10.1007\/978-3-642-24043-0"},{"key":"ref_14","doi-asserted-by":"crossref","unstructured":"Alata, E., Nicomette, V., Ka\u00e2niche, M., Dacier, M., and Herrb, M. (2006, January 18\u201320). Lessons learned from the deployment of a high-interaction honeypot. Proceedings of the Sixth European Dependable Computing Conference, Coimbra, Portugal.","DOI":"10.1109\/EDCC.2006.17"},{"key":"ref_15","unstructured":"Hewlett-Packard Development Company (2021, June 04). Top Cyber Security Risks Threat Report for (2010). Available online: http:\/\/dvlabs.tippingpoint.com\/toprisks2010."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Hossain, M.D., Ochiai, H., Doudou, F., and Kadobayashi, Y. (2020, January 22\u201324). SSH and FTP brute-force Attacks Detection in Computer Networks: LSTM and Machine Learning Approaches. Proceedings of the 5th International Conference on Computer and Communication Systems (ICCCS), Shanghai, China.","DOI":"10.1109\/ICCCS49078.2020.9118459"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Anandita, S., Rosmansyah, Y., Dabarsyah, B., and Choi, J.U. (2015, January 16\u201319). Implementation of dendritic cell algorithm as an anomaly detection method for port scanning attack. Proceedings of the 2nd International Conference on Information Technology Systems and Innovation (ICITSI), Bandung, Indonesia.","DOI":"10.1109\/ICITSI.2015.7437688"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Vykopal, J. (2011, January 22\u201324). A flow-level taxonomy and prevalence of brute force attacks. Proceedings of the International Conference on Advances in Computing and Communications (ACC), Kochi, India.","DOI":"10.1007\/978-3-642-22714-1_69"},{"key":"ref_19","first-page":"75","article-title":"Brute-force Attack \u2018Seeking but Distressing\u2019","volume":"2","author":"Dave","year":"2013","journal-title":"Int. J. Innov. Eng. Technol. Brute Force"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Li, P., and Qiu, X. (2012, January 21\u201323). NodeRank: An algorithm to assess state enumeration attack graphs. Proceedings of the 8th IEEE International Conference on Wireless Communications, Networking and Mobile Computing, Shanghai, China.","DOI":"10.1109\/WiCOM.2012.6478585"},{"key":"ref_21","unstructured":"(2021, June 28). Virtue Security. Username Enumeration, Available online: https:\/\/www.virtuesecurity.com\/kb\/username-enumeration\/."},{"key":"ref_22","unstructured":"(2021, April 22). Portswigger\u2014Web Security Academy. 2018. Vulnerabilities in Password-Based Login. Available online: https:\/\/portswigger.net\/web-security\/authentication\/password-based."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Kannisto, J., and Harju, J. (2017, January 21\u201323). The time will tell on you: Exploring information leaks in ssh public key authentication. Proceedings of the 11th International Conference on Network and System Security, Helsinki, Finland.","DOI":"10.1007\/978-3-319-64701-2_22"},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Elmrabit, N., Zhou, F., Li, F., and Zhou, H. (2020, January 15\u201317). Evaluation of machine learning algorithms for anomaly detection. Proceedings of the IEEE International Conference on Cyber Security and Protection of Digital Services (Cyber Security), Dublin, Ireland.","DOI":"10.1109\/CyberSecurity49315.2020.9138871"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Eltanbouly, S., Bashendy, M., AlNaimi, N., Chkirbene, Z., and Erbad, A. (2020, January 2\u20135). Machine learning techniques for network anomaly detection: A survey. Proceedings of the IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT), Doha, Qatar.","DOI":"10.1109\/ICIoT48696.2020.9089465"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"46","DOI":"10.11591\/eei.v8i1.1387","article-title":"Effective and efficient network anomaly detection system using machine learning algorithm","volume":"8","author":"Nawir","year":"2019","journal-title":"Bull. Electr. Eng. Inform."},{"key":"ref_27","first-page":"381","article-title":"Machine Learning Algorithms\u2014Review Self Flowing Generator View Project Machine Learning Algorithms","volume":"9","author":"Mahesh","year":"2020","journal-title":"Int. J. Sci. Res."},{"key":"ref_28","unstructured":"Apruzzese, G., Colajanni, M., Ferretti, L., Guido, A., and Marchetti, M. (June, January 29). On the effectiveness of machine and deep learning for cyber security. Proceedings of the 10th International Conference on Cyber Conflict (CyCon), Tallinn, Estonia."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"255","DOI":"10.1126\/science.aaa8415","article-title":"Machine learning: Trends, perspectives, and prospects","volume":"349","author":"Jordan","year":"2015","journal-title":"Science"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"1153","DOI":"10.1109\/COMST.2015.2494502","article-title":"A Survey of Data Mining and Machine Learning Methods for Cyber Security Intrusion Detection","volume":"18","author":"Buczak","year":"2016","journal-title":"IEEE Commun. Surv. Tutor."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"199","DOI":"10.3390\/jcp1010011","article-title":"Enhancing Machine Learning Prediction in Cybersecurity Using Dynamic Feature Selector","volume":"1","author":"Ahsan","year":"2021","journal-title":"J. Cybersecur. Priv."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"436","DOI":"10.1038\/nature14539","article-title":"Deep learning","volume":"521","author":"LeCun","year":"2015","journal-title":"Nature"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Ndibwile, J.D., Govardhan, A., Okada, K., and Kadobayashi, Y. (2015, January 1\u20135). Web server protection against application layer DDoS attacks using machine learning and traffic authentication. Proceedings of the IEEE 39th Annual Computer Software and Applications Conference, Taichung, Taiwan.","DOI":"10.1109\/COMPSAC.2015.240"},{"key":"ref_34","unstructured":"Nathan, A.J., and Scobell, A. (2021, July 12). 2020 Data Breach Investigations Report. Verizon, Available online: https:\/\/enterprise.verizon.com\/resources\/reports\/2020-data-breach-investigations-report.pdf%0Ahttp:\/\/bfy.tw\/HJvH."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Vykopal, J., Plesnik, T., and Minarik, P. (2009, January 7\u20139). Network-based dictionary attack detection. Proceedings of the International Conference on Future Networks, Bangkok, Thailand.","DOI":"10.1109\/ICFN.2009.36"},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Satoh, A., Nakamura, Y., and Ikenaga, T. (2012, January 16\u201320). SSH dictionary attack detection based on flow analysis. Proceedings of the IEEE\/IPSJ 12th International Symposium on Applications and the Internet, Izmir, Turkey.","DOI":"10.1109\/SAINT.2012.16"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Javed, M., and Paxson, V. (2013, January 4\u20138). Detecting stealthy, distributed SSH brute-forcing. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, Berlin, Germany.","DOI":"10.1145\/2508859.2516719"},{"key":"ref_38","doi-asserted-by":"crossref","unstructured":"Kim, J., Kim, J., Thu, H.L.T., and Kim, H. (2016, January 15\u201317). Long short term memory recurrent neural network classifier for intrusion detection. Proceedings of the 2016 International Conference on Platform Technology and Service (PlatCon), Jeju, Korea.","DOI":"10.1109\/PlatCon.2016.7456805"},{"key":"ref_39","doi-asserted-by":"crossref","first-page":"735","DOI":"10.1007\/s10922-017-9421-4","article-title":"Flow-based web application brute-force attack and compromise detection","volume":"25","author":"Hofstede","year":"2017","journal-title":"J. Netw. Syst. Manag."},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Hynek, K., Bene\u0161, T., \u010cejka, T., and Kub\u00e1tov\u00e1, H. (2020, January 21\u201323). Refined Detection of SSH Brute-Force Attackers Using Machine Learning. Proceedings of the 35th IFIP International Conference on ICT Systems Security and Privacy Protection, Maribor, Slovenia.","DOI":"10.1007\/978-3-030-58201-2_4"},{"key":"ref_41","first-page":"4568368","article-title":"Investigating Brute Force Attack Patterns in IoT Network","volume":"2019","author":"Stiawan","year":"2019","journal-title":"J. Electr. Comput. Eng."},{"key":"ref_42","unstructured":"(2021, August 18). OpenSSH. Available online: https:\/\/www.openssh.com\/."},{"key":"ref_43","unstructured":"(2021, August 21). Exploit Database. OpenSSH 2.3 < 7.7\u2014Username Enumeration, Available online: https:\/\/www.exploit-db.com\/exploits\/45233."},{"key":"ref_44","unstructured":"(2021, August 21). Stratosphere Lab. Malware Capture Facility Project: Normal Captures\u2014Stratosphere IPS, Available online: https:\/\/www.stratosphereips.org\/datasets-normal."},{"key":"ref_45","unstructured":"Li, Y., Miao, R., Alizadeh, M., and Yu, M. (2019, January 26\u201328). {DETER}: Deterministic {TCP} Replay for Performance Diagnosis. Proceedings of the 16th {USENIX} Symposium on Networked Systems Design and Implementation ({NSDI} 19), Boston, MA, USA."},{"key":"ref_46","unstructured":"(2021, September 05). TCPDUMP\/LIBPCAP Public Repository. Available online: https:\/\/www.tcpdump.org\/."},{"key":"ref_47","unstructured":"(2021, September 05). Wireshark. Available online: https:\/\/www.wireshark.org\/."},{"key":"ref_48","unstructured":"Agghey, A. (2021). SSH Username Enumeration Attack Detection Dataset. Zenodo."},{"key":"ref_49","first-page":"140","article-title":"The pareto principle","volume":"7","author":"Dunford","year":"2014","journal-title":"Plymouth Stud. Sci."},{"key":"ref_50","doi-asserted-by":"crossref","first-page":"108","DOI":"10.1016\/j.infsof.2015.07.004","article-title":"An empirical analysis of data preprocessing for machine learning-based software cost estimation","volume":"67","author":"Huang","year":"2015","journal-title":"Inf. Softw. Technol."},{"key":"ref_51","doi-asserted-by":"crossref","first-page":"119","DOI":"10.1080\/08839514.2018.1447479","article-title":"Very fast C4. 5 decision tree algorithm","volume":"32","author":"Cherfi","year":"2018","journal-title":"Appl. Artif. Intell."},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Yang, F.J. (2019, January 5\u20137). An extended idea about decision trees. Proceedings of the International Conference on Computational Science and Computational Intelligence (CSCI), Las Vegas, NA, USA.","DOI":"10.1109\/CSCI49370.2019.00068"},{"key":"ref_53","doi-asserted-by":"crossref","first-page":"101851","DOI":"10.1016\/j.cose.2020.101851","article-title":"Building auto-encoder intrusion detection system based on random forest feature selection","volume":"95","author":"Li","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_54","doi-asserted-by":"crossref","unstructured":"Bhavani, T.T., Rao, M.K., and Reddy, A.M. (2019, January 29\u201330). Network intrusion detection system using random forest and decision tree machine learning techniques. Proceedings of the 1st International Conference on Sustainable Technologies for Computational Intelligence, Jaipur, India.","DOI":"10.1007\/978-981-15-0029-9_50"},{"key":"ref_55","doi-asserted-by":"crossref","unstructured":"Alqahtani, H., Sarker, I.H., Kalim, A., Hossain, S.M.M., Ikhlaq, S., and Hossain, S. (2020, January 26\u201327). Cyber intrusion detection using machine learning classification techniques. Proceedings of the International Conference on Computing Science, Communication and Security, Gujarat, India.","DOI":"10.1007\/978-981-15-6648-6_10"},{"key":"ref_56","unstructured":"John, G.H., and Langley, P. (2013). Estimating Continuous Distributions in Bayesian Classifiers. arXiv, Available online: https:\/\/arxiv.org\/abs\/1302.4964v1."},{"key":"ref_57","unstructured":"Han, J., Pei, J., and Kamber, M. (2011). Data Mining: Concepts and Techniques, Morgan Kaufmann Publishers."},{"key":"ref_58","doi-asserted-by":"crossref","unstructured":"Malhotra, S., Bali, V., and Paliwal, K.K. (2017, January 12\u201313). Genetic programming and K-nearest neighbour classifier based intrusion detection model. Proceedings of the 7th International Conference on Cloud Computing, Data Science & Engineering-Confluence, Noida, India.","DOI":"10.1109\/CONFLUENCE.2017.7943121"},{"key":"ref_59","unstructured":"Bhatia, N. (2010). Survey of Nearest Neighbor Techniques. arXiv, Available online: https:\/\/arxiv.org\/abs\/1007.0085v1."},{"key":"ref_60","doi-asserted-by":"crossref","first-page":"459","DOI":"10.6000\/1927-5129.2017.13.76","article-title":"Classification techniques in machine learning: Applications and issues","volume":"13","author":"Soofi","year":"2017","journal-title":"J. Basic Appl. Sci."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/11\/2192\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T07:31:23Z","timestamp":1760167883000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/13\/11\/2192"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,11,17]]},"references-count":60,"journal-issue":{"issue":"11","published-online":{"date-parts":[[2021,11]]}},"alternative-id":["sym13112192"],"URL":"https:\/\/doi.org\/10.3390\/sym13112192","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021,11,17]]}}}