SSHCure: SSH Intrusion Detection using NetFlow and IPFIX

We present SSHCure, our SSH intrusion detection system: it is the first IDS capable of distinguishing successful attacks from unsuccessful ones, and thus of detecting actual compromises. SSH is as attractive to anyone with malicious intent as it is powerful for administrators. Measurements showing more than 700 attacks on NRENs per day emphasize this. This number is also the source of the main problem in existing detection systems: while 699 of these attacks are typically unsuccessful and therefore not interesting to network administrators or CSIRT members, a single successful one is. Its consequences can include severe damage to the target hosts themselves, other hosts in the network, or even the network itself. An NREN should therefore be informed as quickly as possible when this happens, so that adequate action can be taken.



  • Luuk Hendriks, Rick Hofstede, Anna Sperotto, Aiko Pras

Part of session

Lightning Talks
