SSHCure: A Flow-Based SSH Intrusion Detection System

  • Laurens Hellemons
  • Luuk Hendriks
  • Rick Hofstede
  • Anna Sperotto
  • Ramin Sadre
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7279)

Abstract

SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today’s high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype of the algorithm, including a graphical user interface, has been implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Laurens Hellemons (1)
  • Luuk Hendriks (1)
  • Rick Hofstede (1)
  • Anna Sperotto (1)
  • Ramin Sadre (1)
  • Aiko Pras (1)

  1. Centre for Telematics and Information Technology (CTIT), Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS), Design and Analysis of Communication Systems (DACS), University of Twente, Enschede, The Netherlands