SSHCure: A Flow-Based SSH Intrusion Detection System

  • Laurens Hellemons
  • Luuk Hendriks
  • Rick Hofstede
  • Anna Sperotto
  • Ramin Sadre
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7279)


SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today’s high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype implementation of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.


Intrusion Detection Intrusion Detection System Attack Phase Dictionary Attack Scanning Phase 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    International Telecommunication Union (ITU): ICT Facts and Statistics (2011), (accessed on March 29, 2012)
  2. 2.
    Snort (2010), (accessed on March 29, 2012)
  3. 3.
    Koch, R., Rodosek, G.D.: Security System for Encrypted Environments (S2E2). In: Jha, S., Sommer, R., Kreibich, C. (eds.) RAID 2010. LNCS, vol. 6307, pp. 505–507. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    Claise, B.: Cisco Systems NetFlow Services Export Version 9. RFC 3954 (Informational) (October 2004)Google Scholar
  5. 5.
    Sadasivan, G., Brownlee, N., Claise, B., Quittek, J.: Architecture for IP Flow Information Export. RFC 5470 (Informational) (March 2009)Google Scholar
  6. 6.
    Quittek, J., Zseby, T., Claise, B., Zander, S.: Requirements for IP Flow Information Export (IPFIX). RFC 3917 (Informational) (October 2004)Google Scholar
  7. 7.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An Overview of IP Flow-Based Intrusion Detection. IEEE Communications Surveys Tutorials 12(3), 343–356 (2010)CrossRefGoogle Scholar
  8. 8.
    Sperotto, A., Sadre, R., de Boer, P.-T., Pras, A.: Hidden Markov Model Modeling of SSH Brute-Force Attacks. In: Bartolini, C., Gaspary, L.P. (eds.) DSOM 2009. LNCS, vol. 5841, pp. 164–176. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  9. 9.
    Sperotto, A.: Flow-Based Intrusion Detection. PhD thesis, University of Twente (October 2010)Google Scholar
  10. 10.
    Kim, M.S., Kong, H.J., Hong, S.C., Chung, S.H., Hong, J.: A Flow-based Method for Abnormal Network Traffic Detection. In: Proceedings of IEEE/IFIP Network Operations and Management Symposium (NOMS 2004), pp. 599–612 (April 2004)Google Scholar
  11. 11.
    Vykopal, J., Plesnik, T., Minarik, P.: Network-Based Dictionary Attack Detection. In: Proceedings of the 2009 International Conference on Future Networks, pp. 23–27 (2009)Google Scholar
  12. 12.
    Münz, G., Carle, G.: Real-time Analysis of Flow Data for Network Attack Detection. In: Proceedings of the 10th IFIP/IEEE International Symposium on Integrated Network Management (IM 2007), pp. 100–108 (2007)Google Scholar
  13. 13.
    NfSen (2011), (accessed on March 29, 2012)
  14. 14.
    SURFmap (2012), (accessed on March 29, 2012)
  15. 15.
    Hofstede, R., Fioreze, T.: SURFmap: A Network Monitoring Tool Based on the Google Maps API. In: Application Session Proceedings of the 11th IFIP/IEEE International Symposium on Integrated Network Management (IM 2009), pp. 676–690 (2009)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Laurens Hellemons
    • 1
  • Luuk Hendriks
    • 1
  • Rick Hofstede
    • 1
  • Anna Sperotto
    • 1
  • Ramin Sadre
    • 1
  • Aiko Pras
    • 1
  1. 1.Centre for Telematics and Information Technology (CTIT) Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS), Design and Analysis of Communication Systems (DACS)University of TwenteEnschedeThe Netherlands

Personalised recommendations