SSHCure: A Flow-Based SSH Intrusion Detection System

SSH attacks are a major area of concern for network managers, because of the damage a successful compromise can cause. Detecting these attacks, and identifying the victims that may have been compromised, is therefore a crucial activity. Most existing network intrusion detection systems designed for this purpose rely on the inspection of individual packets and, hence, do not scale to today's high-speed networks. To overcome this issue, this paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks. It employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets. A prototype of the algorithm, including a graphical user interface, is implemented as a plugin for the popular NfSen monitoring tool. Finally, the detection performance of the system is validated with empirical traffic data.
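As an added illustration, not code from the paper or the SSHCure plugin, the following Python sketch shows what flow-based SSH attack detection looks like when it operates on flow records rather than packets: it groups constructed NetFlow-like records per source and looks for probing of several hosts, many small uniform flows against one target, and a markedly longer session to that same target afterwards. The thresholds and this three-stage heuristic are assumptions chosen for illustration, not SSHCure's published algorithm.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port
    packets: int    # packets in the flow
    octets: int     # bytes in the flow

# Constructed sample export (not real traffic): 10.0.0.5 probes three hosts
# with 1-2 packet flows, then sends many small, uniform login-sized flows to
# 192.0.2.20, and finally holds one much longer session with that host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 22, 1, 60),
    Flow("10.0.0.5", "192.0.2.11", 22, 2, 120),
    Flow("10.0.0.5", "192.0.2.20", 22, 2, 120),
] + [Flow("10.0.0.5", "192.0.2.20", 22, 12, 1800) for _ in range(25)] + [
    Flow("10.0.0.5", "192.0.2.20", 22, 240, 51000),
    Flow("198.51.100.7", "192.0.2.20", 22, 300, 64000),  # ordinary admin session
]

def analyse_ssh_flows(flows, scan_hosts=3, bf_flows=20, bf_max_packets=20,
                      session_min_packets=100):
    """Classify each source by the SSH attack phases visible in its flows.

    Thresholds are illustrative assumptions: a source that touches at least
    scan_hosts targets with tiny flows is 'scanning'; at least bf_flows
    small flows to one target is 'brute_force'; a brute-forced target that
    also sees a long session is flagged 'possible_compromise'.
    """
    per_src = defaultdict(lambda: defaultdict(list))
    for f in flows:
        if f.dport == 22:                      # only SSH flows are relevant
            per_src[f.src][f.dst].append(f)
    report = {}
    for src, targets in per_src.items():
        probed = {d for d, fl in targets.items() if any(f.packets <= 2 for f in fl)}
        scanning = len(probed) >= scan_hosts
        bruteforced, compromised = [], []
        for dst, fl in targets.items():
            attempts = [f for f in fl if 2 < f.packets <= bf_max_packets]
            if len(attempts) >= bf_flows:
                bruteforced.append(dst)
                if any(f.packets >= session_min_packets for f in fl):
                    compromised.append(dst)
        if scanning or bruteforced:
            report[src] = {"scan": scanning, "brute_force": sorted(bruteforced),
                           "possible_compromise": sorted(compromised)}
    return report
```

The benign administrator session from 198.51.100.7 produces no report entry, while the attacking source is flagged in all three stages; in practice a tool would also check flow timing, since a long session only indicates compromise when it follows the brute-force flows.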
