Ghazal Abdollahi (University of Utah), Hamid Asadi (University of Utah), Robert Ricci (University of Utah)

Persistent, high-volume SSH brute-force activity frequently overwhelms security operations, yet current defenses often treat network telemetry as a terminal artifact for post-hoc diagnosis rather than a source for upstream investigation. These approaches focus on absolute volume suppression and binary alerts, often failing to provide population-aware rankings that are necessary to prioritize high-risk, relative outliers. This work addresses these gaps by introducing Nested Outlier Detection (NOD), a two-stage framework that transforms raw network telemetry into structured behavioral strata. By progressively filtering routine noise, NOD isolates ”outliers of outliers”; statistically extreme behaviors. NOD provides interpretability by mapping these outliers to three intuitive dimensions; volume, reach, and credential diversity; enabling population-level reasoning. This tiered approach reveals distinct attacker phenotypes characterized by high volume, broad target reach, and a variety of credentials. Evaluation on large-scale datasets demonstrates that NOD compresses millions of logs into compact, interpretable structures, shifting the defensive focus from per-source classification to the graded, population-level reasoning required for scalable triage and longitudinal threat analysis.

View More Papers

WiFinger: Fingerprinting Noisy IoT Event Traffic Using Packet-level Sequence...

Ronghua Li (The Hong Kong Polytechnic University), Shinan Liu (The University of Hong Kong), Haibo Hu (The Hong Kong Polytechnic University, PolyU Research Centre for Privacy and Security Technologies in Future Smart Systems), Qingqing Ye (The Hong Kong Polytechnic University), Nick Feamster (University of Chicago)

Read More

Towards Bridging the Telemetry Gap for Security Applications in...

Haohuang Wen (The Ohio State University and SE-RAN.ai), Vinod Yegneswaran (SRI and SE-RAN.ai), Phillip Porras (SRI and SE-RAN.ai), Ashish Gehani (SRI and SE-RAN.ai), Prakhar Sharma (SRI and SE-RAN.ai), Zhiqiang Lin (The Ohio State University and SE-RAN.ai)

Read More

Incident Response Planning Using a Lightweight Large Language Model...

Kim Hammar (Department of Electrical and Electronic Engineering, University of Melbourne, Australia), Tansu Alpcan (Department of Electrical and Electronic Engineering, University of Melbourne, Australia), Emil C. Lupu (Department of Computing, Imperial College London, United Kingdom)

Read More