SSHCure: A Flow-Based SSH Intrusion Detection System

Laurens Hellemons; Luuk Hendriks; R.J. Hofstede; Anna Sperotto; R. Sadre; Aiko Pras

doi:10.1007/978-3-642-30633-4_11

SSHCure: A Flow-Based SSH Intrusion Detection System

Laurens Hellemons, Luuk Hendriks, R.J. Hofstede, Anna Sperotto, R. Sadre, Aiko Pras

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

54 Citations (Scopus)

132 Downloads (Pure)

Abstract

SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

Original language	English
Title of host publication	Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012)
Place of Publication	Berlin
Publisher	Springer
Pages	86-97
Number of pages	12
ISBN (Print)	978-3-642-30632-7
DOIs	https://doi.org/10.1007/978-3-642-30633-4_11
Publication status	Published - Jun 2012
Event	6th International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012 - Luxembourg, Luxembourg Duration: 4 Jun 2012 → 8 Jun 2012

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer Verlag
Volume	7279
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	6th International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012
Period	4/06/12 → 8/06/12
Other	4-8 June 2012

Keywords

METIS-287906
EWI-21999
EC Grant Agreement nr.: FP7/257513
IR-80710

Access to Document

10.1007/978-3-642-30633-4_11

Cite this

Hellemons, L., Hendriks, L., Hofstede, R. J., Sperotto, A., Sadre, R., & Pras, A. (2012). SSHCure: A Flow-Based SSH Intrusion Detection System. In Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012) (pp. 86-97). (Lecture Notes in Computer Science; Vol. 7279). Springer. https://doi.org/10.1007/978-3-642-30633-4_11

@inproceedings{677ab834d5ce403e8a1adf72d2babe02,

title = "SSHCure: A Flow-Based SSH Intrusion Detection System",

abstract = "SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.",

keywords = "METIS-287906, EWI-21999, EC Grant Agreement nr.: FP7/257513, IR-80710",

author = "Laurens Hellemons and Luuk Hendriks and R.J. Hofstede and Anna Sperotto and R. Sadre and Aiko Pras",

note = "10.1007/978-3-642-30633-4_11 ; 6th International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012 ; Conference date: 04-06-2012 Through 08-06-2012",

year = "2012",

month = jun,

doi = "10.1007/978-3-642-30633-4_11",

language = "English",

isbn = "978-3-642-30632-7",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "86--97",

booktitle = "Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012)",

}

Hellemons, L, Hendriks, L, Hofstede, RJ, Sperotto, A, Sadre, R & Pras, A 2012, SSHCure: A Flow-Based SSH Intrusion Detection System. in Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012). Lecture Notes in Computer Science, vol. 7279, Springer, Berlin, pp. 86-97, 6th International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012, 4/06/12. https://doi.org/10.1007/978-3-642-30633-4_11

SSHCure: A Flow-Based SSH Intrusion Detection System. / Hellemons, Laurens; Hendriks, Luuk; Hofstede, R.J. et al.

Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012). Berlin : Springer, 2012. p. 86-97 (Lecture Notes in Computer Science; Vol. 7279).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - SSHCure: A Flow-Based SSH Intrusion Detection System

AU - Hellemons, Laurens

AU - Hendriks, Luuk

AU - Hofstede, R.J.

AU - Sperotto, Anna

AU - Sadre, R.

AU - Pras, Aiko

N1 - 10.1007/978-3-642-30633-4_11

PY - 2012/6

Y1 - 2012/6

N2 - SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

AB - SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

KW - METIS-287906

KW - EWI-21999

KW - EC Grant Agreement nr.: FP7/257513

KW - IR-80710

U2 - 10.1007/978-3-642-30633-4_11

DO - 10.1007/978-3-642-30633-4_11

M3 - Conference contribution

SN - 978-3-642-30632-7

T3 - Lecture Notes in Computer Science

SP - 86

EP - 97

BT - Proceedings of the 6th International Conference on Autonomous Infrastructure, Management, and Security (AIMS 2012)

PB - Springer

CY - Berlin

T2 - 6th International Conference on Autonomous Infrastructure, Management, and Security, AIMS 2012

Y2 - 4 June 2012 through 8 June 2012

ER -

SSHCure: A Flow-Based SSH Intrusion Detection System

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this