Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

R.J. Hofstede; Luuk Hendriks

Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

R.J. Hofstede, Luuk Hendriks

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

167 Downloads (Pure)

Abstract

Network-based intrusion detection systems have always been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. For that reason, there is a need for the detection of compromises rather than compromise attempts, since those incidents are the ones that have to be taken care of. In previous works, we have demonstrated and validated our state-of-the-art compromise detection algorithm that works on exported flow data, i.e, data exported using NetFlow or IPFIX. The detection algorithm has been implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees will be able to explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.

Original language	English
Title of host publication	Proceedings of the International Conference on Networked Systems, NetSys 2015
Place of Publication	Cottbus, Germany
Publisher	Brandenburg University of Technology Cottbus-Senftenberg
Pages	-
Number of pages	2
ISBN (Print)	not assigned
Publication status	Published - Mar 2015
Event	2015 International Conference and Workshops on Networked Systems, NetSys 2015 - Brandenburgische Technische Universität Cottbus-Senftenberg, Cottbus, Germany Duration: 9 Mar 2015 → 12 Mar 2015

Publication series

Name
Publisher	Brandenburg University of Technology Cottbus-Senftenberg

Conference

Conference	2015 International Conference and Workshops on Networked Systems, NetSys 2015
Abbreviated title	NetSys
Country/Territory	Germany
City	Cottbus
Period	9/03/15 → 12/03/15

Keywords

EWI-26134
METIS-312666
IR-97700

Access to Document

https://www.netsys2015.com/wp-content/uploads/NetSys2015_Demo_Hofstede.pdf

Cite this

@inproceedings{c00872792b4a4e5eb7f1c81b7a504b0e,

title = "Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection",

abstract = "Network-based intrusion detection systems have always been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. For that reason, there is a need for the detection of compromises rather than compromise attempts, since those incidents are the ones that have to be taken care of. In previous works, we have demonstrated and validated our state-of-the-art compromise detection algorithm that works on exported flow data, i.e, data exported using NetFlow or IPFIX. The detection algorithm has been implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees will be able to explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.",

keywords = "EWI-26134, METIS-312666, IR-97700",

author = "R.J. Hofstede and Luuk Hendriks",

note = "eemcs-eprint-26134 ; 2015 International Conference and Workshops on Networked Systems, NetSys 2015, NetSys ; Conference date: 09-03-2015 Through 12-03-2015",

year = "2015",

month = mar,

language = "English",

isbn = "not assigned",

publisher = "Brandenburg University of Technology Cottbus-Senftenberg",

pages = "--",

booktitle = "Proceedings of the International Conference on Networked Systems, NetSys 2015",

}

Hofstede, RJ & Hendriks, L 2015, Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection. in Proceedings of the International Conference on Networked Systems, NetSys 2015. Brandenburg University of Technology Cottbus-Senftenberg, Cottbus, Germany, pp. -, 2015 International Conference and Workshops on Networked Systems, NetSys 2015, Cottbus, Germany, 9/03/15. <https://www.netsys2015.com/wp-content/uploads/NetSys2015_Demo_Hofstede.pdf>

Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection. / Hofstede, R.J.; Hendriks, Luuk.
Proceedings of the International Conference on Networked Systems, NetSys 2015. Cottbus, Germany: Brandenburg University of Technology Cottbus-Senftenberg, 2015. p. -.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

AU - Hofstede, R.J.

AU - Hendriks, Luuk

N1 - eemcs-eprint-26134

PY - 2015/3

Y1 - 2015/3

N2 - Network-based intrusion detection systems have always been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. For that reason, there is a need for the detection of compromises rather than compromise attempts, since those incidents are the ones that have to be taken care of. In previous works, we have demonstrated and validated our state-of-the-art compromise detection algorithm that works on exported flow data, i.e, data exported using NetFlow or IPFIX. The detection algorithm has been implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees will be able to explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.

AB - Network-based intrusion detection systems have always been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. For that reason, there is a need for the detection of compromises rather than compromise attempts, since those incidents are the ones that have to be taken care of. In previous works, we have demonstrated and validated our state-of-the-art compromise detection algorithm that works on exported flow data, i.e, data exported using NetFlow or IPFIX. The detection algorithm has been implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees will be able to explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.

KW - EWI-26134

KW - METIS-312666

KW - IR-97700

M3 - Conference contribution

SN - not assigned

SP - -

BT - Proceedings of the International Conference on Networked Systems, NetSys 2015

PB - Brandenburg University of Technology Cottbus-Senftenberg

CY - Cottbus, Germany

T2 - 2015 International Conference and Workshops on Networked Systems, NetSys 2015

Y2 - 9 March 2015 through 12 March 2015

ER -

Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this