Skip to content

jaydenaung/ssh-login-anomaly-ml

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
img
img
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
ssh_anomaly.py
ssh_anomaly.py
 
 

Repository files navigation

SSH Login Anomaly Detector

Unsupervised - IsolationForest

Jayden Aung - MSc in Cyber Security

Detect suspicious and abnormal SSH logins from Linux auth.log / secure (or journald) using an unsupervised ML approach (IsolationForest).
This repo is designed to be copy‑run‑demo friendly.

status python ml

✨ What it does

  • Parses SSH auth events (Accepted/Failed password, publickey)
  • Builds explainable features (time-of-day, day-of-week, rarity of user@ip, frequency counts, success/fail)
  • Trains a baseline model on your “normal period”
  • Scores new logs and outputs ranked anomalies to findings.json

🧠 What this aims to do

  • Shows ML-driven security though process: clean data pipeline → explainable features → unsupervised detection → simple triage output
  • Demonstrates hands-on ML in a real security problem
  • Clear extensibility: GeoIP/ASN novelty, “impossible travel,” Slack alerts, SIEM export

🔧 Quickstart

1) Clone & set up

git clone https://github.com/jaydenaung/ssh-login-anomaly-ml.git
cd ssh-login-anomaly-ml

python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

2) Sanity check

python ssh_anomaly.py peek --in sample_auth.log

3) Train a baseline model

Use a timeframe representative of normal behavior.

# Example (Ubuntu/Debian via journald)
sudo journalctl -u ssh -S "2025-08-15" -U "2025-08-20" > my_auth_train.log

python ssh_anomaly.py train --in my_auth_train.log --model models/ssh_isoforest.pkl

4) Detect anomalies on new logs

# Example: next day’s logs
sudo journalctl -u ssh -S "2025-08-20" -U "2025-08-21" > my_auth_detect.log

python ssh_anomaly.py detect --in my_auth_detect.log --model models/ssh_isoforest.pkl --out findings.json --q 0.97
cat findings.json


Tip: Adjust --q (quantile threshold) for sensitivity. Lower (e.g., 0.95) 👉 more alerts. Higher (e.g., 0.99) 👉 fewer, more extreme anomalies.

Repo Structure

ssh-login-anomaly-ml/
├─ ssh_anomaly.py        # CLI: train / detect / peek
├─ requirements.txt      # pandas, scikit-learn, joblib
├─ sample_auth.log       # optional demo data
├─ README.md
└─ .gitignore

CLI Usage

# Parse preview (debug)
python ssh_anomaly.py peek --in <logfile>

# Train baseline model
python ssh_anomaly.py train --in <logfile> --model models/ssh_isoforest.pkl

# Detect anomalies
python ssh_anomaly.py detect --in <logfile> --model models/ssh_isoforest.pkl --out findings.json --q 0.97

Example Run

Here’s an example run of the SSH Login Anomaly Detector:

Demo screenshot

About

SSH Login Anomaly Detector

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages