SSH Compromise Detection using NetFlow/IPFIX

R.J. Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras

    Research output: Contribution to journalArticleAcademicpeer-review

    50 Citations (Scopus)
    66 Downloads (Pure)


    Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided in whether an attack was successful. We address this shortcoming by presenting a detection algo- rithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algo- rithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, worksta- tions and honeypots, featuring an accuracy close to 100%.
    Original languageUndefined
    Pages (from-to)20-26
    Number of pages7
    JournalComputer communication review
    Issue number5
    Publication statusPublished - Oct 2014


    • EWI-25133
    • IR-93153
    • METIS-309594

    Cite this