SSH Compromise Detection using NetFlow/IPFIX

10 October 2014

journal article
Published by Association for Computing Machinery (ACM) in ACM SIGCOMM Computer Communication Review

Vol. 44 (5), 20-26
https://doi.org/10.1145/2677046.2677050

Abstract

Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algorithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algorithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, workstations and honeypots, featuring an accuracy close to 100%.

Keywords

This publication has 6 references indexed in Scilit:

Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX
IEEE Communications Surveys & Tutorials, 2014
Flow Aggregation for the IP Flow Information Export (IPFIX) Protocol
Published by RFC Editor ,2013
Detecting stealthy, distributed SSH brute-forcing
Published by Association for Computing Machinery (ACM) ,2013
SSHCure: A Flow-Based SSH Intrusion Detection System
Lecture Notes in Computer Science, 2012
Network-Based Dictionary Attack Detection
Published by Institute of Electrical and Electronics Engineers (IEEE) ,2009
Hidden Markov Model Modeling of SSH Brute-Force Attacks
Lecture Notes in Computer Science, 2009

Cited by 44 articles