SSH Compromise Detection using NetFlow/IPFIX

R.J. Hofstede; Luuk Hendriks; Anna Sperotto; Aiko Pras

doi:10.1145/2677046.2677050

SSH Compromise Detection using NetFlow/IPFIX

R.J. Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras

Research output: Contribution to journal › Article › Academic › peer-review

43 Citations (Scopus)

44 Downloads (Pure)

Abstract

Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algo- rithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algo- rithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, worksta- tions and honeypots, featuring an accuracy close to 100%.

Original language	Undefined
Pages (from-to)	20-26
Number of pages	7
Journal	Computer communication review
Volume	44
Issue number	5
DOIs	https://doi.org/10.1145/2677046.2677050
Publication status	Published - Oct 2014

Keywords

EWI-25133
IR-93153
METIS-309594

Access to Document

10.1145/2677046.2677050

acm_ccr

Cite this

@article{1c7f80fbf8e04b5b90deccf1b8aba6fb,

title = "SSH Compromise Detection using NetFlow/IPFIX",

abstract = "Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algo- rithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algo- rithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, worksta- tions and honeypots, featuring an accuracy close to 100%.",

keywords = "EWI-25133, IR-93153, METIS-309594",

author = "R.J. Hofstede and Luuk Hendriks and Anna Sperotto and Aiko Pras",

note = "eemcs-eprint-25133 ",

year = "2014",

month = oct,

doi = "10.1145/2677046.2677050",

language = "Undefined",

volume = "44",

pages = "20--26",

journal = "Computer communication review",

issn = "0146-4833",

publisher = "Association for Computing Machinery (ACM)",

number = "5",

}

TY - JOUR

T1 - SSH Compromise Detection using NetFlow/IPFIX

AU - Hofstede, R.J.

AU - Hendriks, Luuk

AU - Sperotto, Anna

AU - Pras, Aiko

N1 - eemcs-eprint-25133

PY - 2014/10

Y1 - 2014/10

N2 - Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algo- rithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algo- rithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, worksta- tions and honeypots, featuring an accuracy close to 100%.

AB - Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algo- rithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algo- rithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, worksta- tions and honeypots, featuring an accuracy close to 100%.

KW - EWI-25133

KW - IR-93153

KW - METIS-309594

U2 - 10.1145/2677046.2677050

DO - 10.1145/2677046.2677050

M3 - Article

VL - 44

SP - 20

EP - 26

JO - Computer communication review

JF - Computer communication review

SN - 0146-4833

IS - 5

ER -