Wednesday, May 20, 2015

Data Driven Security, Part: the Second

In Part 1 we loaded up 2 years' worth of SSH attacks (37,000 entries) into R for analysis. A quick summary command gave us some interesting highlights:

But we can also make some pretty pictures for upper management, because they like graphs and it's easier to show differences.

First up, let's look at the column on the far right: the top countries banging on our door. A quick query


builds us an object with the top ten countries in it. Now, after we make sure the ggplot2 library is loaded with library(ggplot2), we graph it:



And we get:

If we wanted to go a little deeper, we can look at our top IP addresses... maybe make the graph easier to read. Click to embiggen.

The other interesting thing in the original summary was the totals for which service ("target") was attacked. We can pop out a graph on those in pretty much the same way.
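Since the post's own R snippets were not preserved, here is an added example (my code, not the author's) that reproduces the three charts described above: top ten source countries, top ten source IPs with rotated labels so they stay readable, and attacks per target. It assumes a data frame with columns named ip, country and target, which is an assumption about the author's data, and it builds a constructed sample of 2,000 fail2ban-style records so it runs offline.

```r
# Added example, not the original post's code. Column names (ip, country, target)
# are assumptions about the author's data frame; the records below are constructed.
library(ggplot2)

set.seed(42)
n <- 2000
countries <- c("CN", "US", "KR", "BR", "RU", "IN", "DE", "FR", "VN", "TW",
               "NL", "GB", "TR", "ID", "AR")
attacks <- data.frame(
  ip      = sprintf("%d.%d.%d.%d",
                    sample(1:223, n, replace = TRUE), sample(0:255, n, replace = TRUE),
                    sample(0:255, n, replace = TRUE), sample(1:254, n, replace = TRUE)),
  country = sample(countries, n, replace = TRUE,
                   prob = c(30, 12, 10, 8, 8, 6, 5, 5, 4, 3, 3, 2, 2, 1, 1)),
  target  = sample(c("dev-ssh", "prod-ssh", "dr-ssh"), n, replace = TRUE,
                   prob = c(0.5, 0.3, 0.2)),
  stringsAsFactors = FALSE
)

# Count occurrences of each value and keep the n most frequent, largest first.
# The factor levels are set to that order so ggplot draws the bars tallest-first
# instead of alphabetically.
top_counts <- function(values, top_n = 10) {
  counts <- as.data.frame(table(values), stringsAsFactors = FALSE)
  names(counts) <- c("key", "hits")
  counts <- head(counts[order(-counts$hits), ], top_n)
  counts$key <- factor(counts$key, levels = counts$key)
  counts
}

# One bar chart builder reused for every breakdown; the 45-degree x labels keep
# dotted-quad IP addresses from overlapping.
plot_counts <- function(counts, title, xlab) {
  ggplot(counts, aes(x = key, y = hits)) +
    geom_bar(stat = "identity", fill = "steelblue") +
    labs(title = title, x = xlab, y = "Failed SSH logins") +
    theme(axis.text.x = element_text(angle = 45, hjust = 1))
}

print(plot_counts(top_counts(attacks$country), "Top 10 source countries", "Country"))
print(plot_counts(top_counts(attacks$ip),      "Top 10 source IPs",       "Source IP"))
print(plot_counts(top_counts(attacks$target, top_n = 3), "Attacks per target", "Target"))
```

Run it with Rscript and the three plots land in Rplots.pdf; in an interactive session they appear in turn. Swapping the constructed data frame for the real one loaded in Part 1 is the only change needed, provided the column names match.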




Hmm... the Dev SSH server has been attacked more than twice as much as the DR server.  What is going on here?

We'll find out in part 3.


