
IFIP International Conference on Autonomous Infrastructure, Management and Security

AIMS 2012: Dependable Networks and Services, pp 86–97

SSHCure: A Flow-Based SSH Intrusion Detection System

  • Laurens Hellemons
  • Luuk Hendriks
  • Rick Hofstede
  • Anna Sperotto
  • Ramin Sadre
  • Aiko Pras

Conference paper

Part of the Lecture Notes in Computer Science book series (LNCCN, volume 7279)

Abstract

SSH attacks are a main area of concern for network managers, due to the danger associated with a successful compromise. Detecting these attacks, and possibly compromised victims, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.

Keywords

  • Intrusion Detection
  • Intrusion Detection System
  • Attack Phase
  • Dictionary Attack
  • Scanning Phase



Author information

Authors and Affiliations

  1. Centre for Telematics and Information Technology (CTIT) Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS), Design and Analysis of Communication Systems (DACS), University of Twente, Enschede, The Netherlands

    Laurens Hellemons, Luuk Hendriks, Rick Hofstede, Anna Sperotto, Ramin Sadre & Aiko Pras


Editor information

Editors and Affiliations

  1. Faculty of Electrical Engineering, Mathematics, and Computer Science, University of Twente, P.O. Box 217, 7500 AE, Enschede, The Netherlands

    Ramin Sadre

  2. Institute of Computer Science, Masaryk University, Botanická 68a, 602 00, Brno, Czech Republic

    Jiří Novotný & Pavel Čeleda

  3. Institut für Informatik (IFI), Universität Zürich, Binzmühlestraße 14, 8050, Zürich, Switzerland

    Martin Waldburger

  4. Institut für Informatik (IFI), Universität Zürich, Binzmühlestrasse 14, 8050, Zürich, Switzerland

    Burkhard Stiller


Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Hellemons, L., Hendriks, L., Hofstede, R., Sperotto, A., Sadre, R., Pras, A. (2012). SSHCure: A Flow-Based SSH Intrusion Detection System. In: Sadre, R., Novotný, J., Čeleda, P., Waldburger, M., Stiller, B. (eds) Dependable Networks and Services. AIMS 2012. Lecture Notes in Computer Science, vol 7279. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30633-4_11

  • DOI: https://doi.org/10.1007/978-3-642-30633-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30632-7

  • Online ISBN: 978-3-642-30633-4

  • eBook Packages: Computer Science (R0)
