Abstract
Flow-based approaches to SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although detecting many SSH attacks in a flow-based fashion is fairly straightforward, such detection typically provides no insight into whether an attack was successful. We address this shortcoming by presenting a detection algorithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algorithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, workstations and honeypots, achieving an accuracy close to 100%.
Original language | Undefined |
---|---|
Pages (from-to) | 20-26 |
Number of pages | 7 |
Journal | Computer communication review |
Volume | 44 |
Issue number | 5 |
DOIs | |
Publication status | Published - Oct 2014 |
Keywords
- EWI-25133
- IR-93153
- METIS-309594