SSH Compromise Detection using NetFlow/IPFIX
- 10 October 2014
- journal article
- Published by Association for Computing Machinery (ACM) in ACM SIGCOMM Computer Communication Review
- Vol. 44 (5), 20-26
- https://doi.org/10.1145/2677046.2677050
Abstract
Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided into whether an attack was successful. We address this shortcoming by presenting a detection algorithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algorithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, workstations and honeypots, featuring an accuracy close to 100%.
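The abstract only states that compromises can be told apart from failed attacks at flow level. The following is an added illustration of the flow-level intuition, not SSHCure's code and not the paper's exact algorithm: every failed password attempt over SSH produces a flow of nearly the same size, so a run of near-identical flows from one source to port 22 is the brute-force phase, and a flow in that run that is much larger and longer than the others has the shape of a successful login followed by a session. The thresholds, the CSV export format and the flow records are constructed for the example.

```python
"""Illustrative flow-based SSH brute-force and compromise detection (not SSHCure's code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

SSH_PORT = 22
MIN_ATTEMPT_FLOWS = 10   # assumed: attempt-shaped flows needed before a pair counts as brute force
PPF_TOLERANCE = 2        # assumed: packets-per-flow spread tolerated inside the attempt phase
DEVIATION_FACTOR = 3.0   # assumed: a flow with >3x the attempt-phase packets is a compromise candidate


@dataclass(frozen=True)
class Flow:
    start: float      # flow start, seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    packets: int
    octets: int
    duration: float   # seconds


def parse_flows(text: str) -> list[Flow]:
    """Parse a constructed CSV export: start,src,dst,dport,packets,octets,duration."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        start, src, dst, dport, packets, octets, duration = line.split(",")
        flows.append(Flow(float(start), src, dst, int(dport), int(packets), int(octets), float(duration)))
    return flows


def classify_pair(flows: list[Flow]) -> dict:
    """Classify the SSH flows of one (source, target) pair."""
    flows = sorted(flows, key=lambda f: f.start)
    # Failed attempts all look alike, so the most common packets-per-flow value is the
    # signature of the attempt phase; flows within tolerance of it are attempts.
    mode_ppf, _ = Counter(f.packets for f in flows).most_common(1)[0]
    attempts = [f for f in flows if abs(f.packets - mode_ppf) <= PPF_TOLERANCE]
    if len(attempts) < MIN_ATTEMPT_FLOWS:
        return {"verdict": "benign", "attempts": len(attempts), "candidate": None}
    # A flow starting at or after the first attempt that is far larger than an attempt
    # is the shape of a successful login followed by an interactive session.
    first_attempt = attempts[0].start
    for f in flows:
        if f.start >= first_attempt and f.packets > DEVIATION_FACTOR * mode_ppf:
            return {"verdict": "compromise", "attempts": len(attempts), "candidate": f}
    return {"verdict": "brute-force", "attempts": len(attempts), "candidate": None}


def detect(flows: list[Flow]) -> dict[tuple[str, str], dict]:
    """Group flows towards port 22 per (source, target) pair and classify each pair."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.dport == SSH_PORT:
            by_pair[(f.src, f.dst)].append(f)
    return {pair: classify_pair(fl) for pair, fl in by_pair.items()}


def _constructed_sample() -> str:
    """Constructed flow records, not captured traffic: two brute forcers and one admin."""
    rows = ["# start,src,dst,dport,packets,octets,duration"]
    t = 1_700_000_000.0
    # attacker A: 12 failed attempts, then one large, long flow (login succeeded, session follows)
    for i in range(12):
        rows.append(f"{t + 2 * i},198.51.100.7,192.0.2.10,22,{12 + i % 3},{1800 + 90 * (i % 3)},1.3")
    rows.append(f"{t + 30},198.51.100.7,192.0.2.10,22,95,14200,310.0")
    # attacker B: 12 failed attempts and nothing afterwards
    for i in range(12):
        rows.append(f"{t + 2 * i},198.51.100.8,192.0.2.11,22,{12 + i % 3},{1800 + 90 * (i % 3)},1.3")
    # admin: two long key-based sessions, no attempt phase at all
    rows.append(f"{t},203.0.113.5,192.0.2.10,22,410,61000,900.0")
    rows.append(f"{t + 1000},203.0.113.5,192.0.2.10,22,520,72000,1200.0")
    return "\n".join(rows)


SAMPLE_FLOWS = _constructed_sample()

if __name__ == "__main__":
    for (src, dst), result in detect(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} -> {dst}: {result['verdict']} ({result['attempts']} attempt-shaped flows)")
```

The verdicts for the constructed records are "compromise" for the first attacker, "brute-force" for the second and "benign" for the admin. In real NetFlow/IPFIX data the attempt signature is less clean than here: sshd allows several authentication attempts per TCP connection, active timeouts split a long session into several records, and key-based logins never produce an attempt phase, so the thresholds above would have to be tuned against the exporter's own settings rather than taken as given.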