SSH Compromise Detection using NetFlow/IPFIX

By: R. Hofstede, L. Hendriks, A. Sperotto, A. Pras
Appears in: CCR October 2014

Flow-based approaches for SSH intrusion detection have been developed to overcome the scalability issues of host-based alternatives. Although the detection of many SSH attacks in a flow-based fashion is fairly straightforward, no insight is typically provided into whether an attack was successful. We address this shortcoming by presenting a detection algorithm for the flow-based detection of compromises, i.e., hosts that have been compromised during an attack. Our algorithm has been implemented as part of our open-source IDS SSHCure and validated using almost 100 servers, workstations and honeypots, featuring an accuracy close to 100%.

Public Review By: Hitesh Ballani

Public Review for SSH Compromise Detection using NetFlow/IPFIX
R. Hofstede, L. Hendriks, A. Sperotto, & A. Pras

SSH brute force attack is a very common type of cyber-attack that has been studied extensively. In past work, a few of the authors of this paper proposed an interesting approach to detect successful compromises (not just attacks). This would be trivial using an end-host agent but the authors wanted to achieve detection using NetFlow records which improves deployability and scalability.

This paper presents an improved technique for detecting SSH compromises from NetFlow records. The authors examine popular SSH client configurations and several publicly available brute force attack tools to derive a set of behaviors that characterize such attacks. They propose a compromise detection technique that uses these behavioural signatures. The technique has been integrated into SSHCure, an open-source attack detection tool. The authors verified their approach using two months of flow data; the tool attained high accuracy while being performant.

The reviewers enjoyed the paper---the idea is simple but can have practical impact. As with a lot of security research, this paper does not provide a silver bullet. Simple variants of the brute force attack can avoid the proposed and other detection techniques. Instead, the paper raises the bar for undetected SSH attacks and will hopefully spur improvements in detection techniques. The fact that the authors have released their datasets (flow and host logs) is great as it will help evaluate improved detection techniques and even allow others to reproduce the paper's results.
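The kind of behavioural flow signature the abstract and review refer to, as an added illustration that is not SSHCure's code or the paper's algorithm: a toy Python heuristic over constructed NetFlow-like records that treats a run of uniformly sized SSH login flows from one source as a brute-force phase and a subsequent, much larger flow to the same target as a possible compromise. The record layout, the thresholds (`min_attempts`, `max_cv`, `deviation_factor`) and the "flat run, then deviating flow" rule are assumptions for this example, not values from the paper.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-like records (not real data): (start, src, dst, dst_port, packets)
FLOWS = [
    (100, "203.0.113.7", "192.0.2.10", 22, 14), (101, "203.0.113.7", "192.0.2.10", 22, 13),
    (102, "203.0.113.7", "192.0.2.10", 22, 14), (103, "203.0.113.7", "192.0.2.10", 22, 15),
    (104, "203.0.113.7", "192.0.2.10", 22, 14), (105, "203.0.113.7", "192.0.2.10", 22, 13),
    (140, "203.0.113.7", "192.0.2.10", 22, 120),  # much larger flow after the flat run
    (200, "198.51.100.5", "192.0.2.10", 22, 20), (201, "198.51.100.5", "192.0.2.10", 22, 20),
    (202, "198.51.100.5", "192.0.2.10", 22, 21), (203, "198.51.100.5", "192.0.2.10", 22, 20),
    (204, "198.51.100.5", "192.0.2.10", 22, 19), (205, "198.51.100.5", "192.0.2.10", 22, 20),
    (300, "192.0.2.50", "192.0.2.10", 22, 300), (900, "192.0.2.50", "192.0.2.10", 22, 450),
    (310, "203.0.113.7", "192.0.2.10", 80, 9),  # not SSH, ignored by the detector
]

def is_flat(values, max_cv):
    """Flat traffic: packet counts vary little (coefficient of variation <= max_cv)."""
    return pstdev(values) / mean(values) <= max_cv

def classify_pair(recs, min_attempts=5, max_cv=0.15, deviation_factor=3.0):
    """recs: (ts, packets) flows for one (source, target) pair. A run of at least
    min_attempts flat flows is treated as a brute-force phase; a later flow carrying
    more than deviation_factor x the phase mean is reported as a possible compromise.
    Thresholds are assumed values for this example."""
    attempts = []
    for _, pkts in sorted(recs):
        if len(attempts) >= min_attempts and is_flat(attempts, max_cv):
            if pkts > deviation_factor * mean(attempts):
                return "compromise"
        attempts.append(pkts)
    if len(attempts) >= min_attempts and is_flat(attempts, max_cv):
        return "brute-force"
    return "benign"

def detect(flows, ssh_port=22):
    """Group SSH flows per (src, dst) and return only the non-benign verdicts."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, pkts in flows:
        if dport == ssh_port:
            by_pair[(src, dst)].append((ts, pkts))
    return {pair: v for pair, recs in by_pair.items()
            if (v := classify_pair(recs)) != "benign"}

if __name__ == "__main__":
    for (src, dst), verdict in detect(FLOWS).items():
        print(f"{src} -> {dst}: {verdict}")
```

A real deployment would also need the die-off case (attacker stops right after a flat run) and per-client calibration of what "flat" looks like, which this toy does not attempt.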