Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection

R.J. Hofstede, Luuk Hendriks

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review


    Abstract

    Network-based intrusion detection systems have traditionally been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. There is therefore a need to detect compromises rather than compromise attempts, since only the former are incidents that actually have to be handled. In previous work, we demonstrated and validated our compromise detection algorithm, which operates on exported flow data, i.e., data exported using NetFlow or IPFIX, without access to packet payloads. The detection algorithm is implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees can explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.
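    The abstract's central point, reporting compromises rather than attempts from flow data alone, can be illustrated with a small detector over NetFlow/IPFIX-style records. The following is an added example and is not SSHCure's code or its published algorithm: the three-phase model (scan, brute force, compromise), the packets-per-flow thresholds, the `Flow` record layout and the sample traffic are all assumptions of this example. It also normalises IPv6 addresses with the standard `ipaddress` module so that differently spelled addresses of one attacker are grouped together.

```python
"""Simplified flow-based SSH compromise detection over NetFlow/IPFIX-style records.

Added example; not SSHCure's code or its published algorithm. The phase model and
every threshold below are assumptions of this example, chosen to be illustrative.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Assumed thresholds (illustrative, not SSHCure's tuned values).
SCAN_MAX_PKTS = 2        # a probe that never gets past the TCP handshake: SYN/RST-sized flow
SCAN_MIN_TARGETS = 3     # distinct hosts probed before one source counts as scanning
BF_PKT_RANGE = (8, 20)   # assumed packets-per-flow band of one failed login attempt
BF_MIN_FLOWS = 5         # repeated near-identical flows to one host -> brute force
COMPROMISE_FACTOR = 3    # a flow >= factor x brute-force median looks like a real session


@dataclass(frozen=True)
class Flow:
    src: str          # textual address, IPv4 or IPv6, as the exporter wrote it
    dst: str
    dport: int
    packets: int
    duration: float   # seconds


def _canon(addr: str) -> str:
    """Normalise so that v6 spellings compare equal (2001:DB8::BAD == 2001:db8:0::bad)."""
    return str(ipaddress.ip_address(addr))


def ssh_flows_by_attacker(flows):
    """Group flows towards TCP/22 by (normalised) source address."""
    groups = defaultdict(list)
    for f in flows:
        if f.dport == 22:
            groups[_canon(f.src)].append(f)
    return groups


def classify(flows_of_one_src):
    """Return {target: phase} for one source; phase is 'scan', 'brute-force' or 'compromise'."""
    per_target = defaultdict(list)
    for f in flows_of_one_src:
        per_target[_canon(f.dst)].append(f)
    result = {}
    # scan: only tiny flows to a host, and enough such hosts
    scanned = {t for t, fl in per_target.items() if all(f.packets <= SCAN_MAX_PKTS for f in fl)}
    if len(scanned) >= SCAN_MIN_TARGETS:
        for t in scanned:
            result[t] = "scan"
    lo, hi = BF_PKT_RANGE
    for t, fl in per_target.items():
        attempts = [f for f in fl if lo <= f.packets <= hi]
        if len(attempts) < BF_MIN_FLOWS:
            continue
        result[t] = "brute-force"
        baseline = median(f.packets for f in attempts)
        # a flow far above the failed-login baseline after the attempts: an interactive session
        if any(f.packets >= COMPROMISE_FACTOR * baseline for f in fl):
            result[t] = "compromise"
    return result


def incidents(flows):
    """Only compromises are reported; scans and brute-force attempts are not raised as incidents."""
    report = []
    for src, fl in ssh_flows_by_attacker(flows).items():
        for dst, phase in classify(fl).items():
            if phase == "compromise":
                report.append((src, dst))
    return sorted(report)


def sample_flows():
    """Constructed sample traffic (no real data; addresses from documentation ranges)."""
    flows = []
    a1 = "203.0.113.7"
    # scan: one tiny flow to each of five hosts
    flows += [Flow(a1, f"198.51.100.{i}", 22, 2, 0.0) for i in range(1, 6)]
    # brute force against one of them, then one long flow: the login succeeded
    flows += [Flow(a1, "198.51.100.3", 22, 11 + (i % 3), 1.2) for i in range(12)]
    flows += [Flow(a1, "198.51.100.3", 22, 430, 95.0)]
    # IPv6 attacker: brute force only, never succeeds -> attempt, not an incident
    flows += [Flow("2001:DB8::BAD", "2001:db8:1::22", 22, 12, 1.1) for _ in range(10)]
    # benign admin: a single long session with no preceding brute force
    flows += [Flow("192.0.2.10", "198.51.100.3", 22, 520, 600.0)]
    return flows


if __name__ == "__main__":
    for src, dst in incidents(sample_flows()):
        print(f"COMPROMISE {src} -> {dst}")
```

    Run stand-alone, the script reports exactly one incident (the IPv4 attacker against 198.51.100.3); the IPv6 brute force and the admin session are classified but not raised, which is the behaviour the abstract argues CSIRTs need. A real deployment would calibrate the packet bands per SSH implementation and exporter (sampling, active timeouts) rather than hard-coding them as done here.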
    Original language: English
    Title of host publication: Proceedings of the International Conference on Networked Systems, NetSys 2015
    Place of publication: Cottbus, Germany
    Publisher: Brandenburg University of Technology Cottbus-Senftenberg
    Pages: -
    Number of pages: 2
    ISBN (Print): not assigned
    Publication status: Published - Mar 2015
    Event: 2015 International Conference and Workshops on Networked Systems, NetSys 2015 - Brandenburgische Technische Universität Cottbus-Senftenberg, Cottbus, Germany
    Duration: 9 Mar 2015 to 12 Mar 2015


    Conference

    Conference: 2015 International Conference and Workshops on Networked Systems, NetSys 2015
    Abbreviated title: NetSys
    Country: Germany
    City: Cottbus
    Period: 9 Mar 2015 to 12 Mar 2015


    Keywords

    • EWI-26134
    • METIS-312666
    • IR-97700

    Cite this

    Hofstede, R. J., & Hendriks, L. (2015). Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection. In Proceedings of the International Conference on Networked Systems, NetSys 2015 (pp. -). Cottbus, Germany: Brandenburg University of Technology Cottbus-Senftenberg.
    @inproceedings{c00872792b4a4e5eb7f1c81b7a504b0e,
    title = "Unveiling SSHCure 3.0: Flow-based SSH Compromise Detection",
    abstract = "Network-based intrusion detection systems have traditionally been designed to report on the presence of attacks. Due to the sheer and ever-increasing number of attacks on the Internet, Computer Security Incident Response Teams (CSIRTs) are overwhelmed with attack reports. There is therefore a need to detect compromises rather than compromise attempts, since only the former are incidents that actually have to be handled. In previous work, we demonstrated and validated our compromise detection algorithm, which operates on exported flow data, i.e., data exported using NetFlow or IPFIX. The detection algorithm is implemented as part of our open-source intrusion detection system SSHCure. In this demonstration, we showcase the latest release of SSHCure, which includes many new features, such as an overhauled user interface design based on user surveys, integration with incident reporting tools, blacklist integration and IPv6 support. Attendees can explore SSHCure in a semi-live fashion by means of practical examples of situations that CSIRT members encounter in their daily activities.",
    keywords = "EWI-26134, METIS-312666, IR-97700",
    author = "R.J. Hofstede and Luuk Hendriks",
    note = "eemcs-eprint-26134",
    year = "2015",
    month = "3",
    language = "English",
    isbn = "not assigned",
    publisher = "Brandenburg University of Technology Cottbus-Senftenberg",
    pages = "--",
    booktitle = "Proceedings of the International Conference on Networked Systems, NetSys 2015",

    }
