ssh compromise detection using netflow ipfix
play

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk - PowerPoint PPT Presentation

Jul 09, 2023 •328 likes •916 views

SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks 51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months. Ponemon 2014 SSH

  1. SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks

  2. “51 percent of respondents admitted that their organizations have already been impacted by an SSH key-related compromise in the last 24 months.” –Ponemon 2014 SSH Security Vulnerability Report 2

  3. SSH Compromise Detection using NetFlow/IPFIX Rick Hofstede, Luuk Hendriks

  4. SSH attacks 70000 FROM ATTACKER TO ATTACKER 60000 50000 40000 IP 30000 20000 10000 0 0 500 1000 1500 2000 2500 3000 Time (s) (a) 4

  5. SSH attacks 70000 FROM ATTACKER TO ATTACKER 60000 Start 50000 40000 IP Scan Brute-force Compromise 30000 20000 End 10000 0 0 500 1000 1500 2000 2500 3000 Time (s) (a) 4

  6. SSH attacks • SSH intrusion detection on end hosts is hardly scalable • Network-based approaches exist, but only inform security operators about the presence of attacks 5

  7. We perform compromise detection.

  8. We perform compromise detection. All flow-based.

  9. SSH attacks 70000 FROM ATTACKER TO ATTACKER 60000 50000 40000 IP 30000 20000 10000 0 0 500 1000 1500 2000 2500 3000 Time (s) (a) 7

  10. SSH attacks 16 14 12 10 ppf 8 6 4 2 0 0 500 1000 1500 2000 2500 3000 Time (s) (b) 8

  11. A bit of history… 9

  12. A bit of history… • SSHCure 1.0 (June ’12): • Purely deviation-based compromise detection • SSHCure 2.0 (May ’13): • Notifications, database maintenance, performance profiling, … 9

  13. A bit of history… 16 14 • SSHCure 1.0 (June ’12): 12 • Purely deviation-based compromise detection 10 ppf 8 • SSHCure 2.0 (May ’13): 6 4 • Notifications, database maintenance, 2 performance profiling, … 0 0 500 1000 1500 2000 2500 3000 Time (s) (b) 9

  14. A bit of history… • SSHCure 1.0 (June ’12): • Purely deviation-based compromise detection • SSHCure 2.0 (May ’13): • Notifications, database maintenance, performance profiling, … 9

  15. Recent/upcoming releases 10

  16. Recent/upcoming releases • SSHCure 2.4 (July ’14): • New compromise detection algorithm (CCR paper release), based on ‘action upon compromise’ • SSHCure 3.0 (January ’14): • New frontend, ingress vs. egress attacks 10

  17. Recent/upcoming releases • SSHCure 2.4 (July ’14): Target 1 Target n • New compromise detection algorithm (CCR Time Flow data chunk paper release), based on ‘action upon (a) Maintain connection, continue dictionary (1) compromise’ Target 1 Target n Time • SSHCure 3.0 (January ’14): Flow data chunk (d) Maintain connection, abort dictionary (1) • New frontend, ingress vs. egress attacks SSH Compromise Detection using NetFlow/IPFIX . In: ACM SIGCOMM Computer Communication Review, October 2014 10

  18. Recent/upcoming releases • SSHCure 2.4 (July ’14): Target 1 Target 1 Target n Target n • New compromise detection algorithm (CCR Time Time Flow data chunk Flow data chunk paper release), based on ‘action upon (a) Maintain connection, continue (c) Instant logout, continue dictionary dictionary (1) compromise’ Target 1 Target 1 Target n Target n Time Time • SSHCure 3.0 (January ’14): Flow data chunk Flow data chunk (d) Maintain connection, abort (f) Instant logout, abort dictionary dictionary (1) • New frontend, ingress vs. egress attacks SSH Compromise Detection using NetFlow/IPFIX . In: ACM SIGCOMM Computer Communication Review, October 2014 10

  19. Recent/upcoming releases • SSHCure 2.4 (July ’14): Target 1 Target 1 Target 1 Target n Target n Target n • New compromise detection algorithm (CCR Time Time Time Flow data chunk Flow data chunk Flow data chunk paper release), based on ‘action upon (a) Maintain connection, continue (b) Maintain connection, continue (c) Instant logout, continue dictionary dictionary (1) dictionary (2) compromise’ Target 1 Target 1 Target 1 Target n Target n Target n Time Time Time • SSHCure 3.0 (January ’14): Flow data chunk Flow data chunk Flow data chunk (d) Maintain connection, abort (e) Maintain connection, abort (f) Instant logout, abort dictionary dictionary (1) dictionary (2) • New frontend, ingress vs. egress attacks SSH Compromise Detection using NetFlow/IPFIX . In: ACM SIGCOMM Computer Communication Review, October 2014 10

  20. Recent/upcoming releases • SSHCure 2.4 (July ’14): • New compromise detection algorithm (CCR paper release), based on ‘action upon compromise’ • SSHCure 3.0 (January ’14): • New frontend, ingress vs. egress attacks 10

  21. 11

  22. 
 
 SSHCure 
 Validation approach • Ground truth: sshd logs from 93 honeypots, servers and workstations, divided over two datasets: • Dataset 1 — easy targets • Dataset 2 — more difficult targets 
 Honeypots Servers Workstations Attacks Dataset 1 13 0 0 636 Dataset 2 0 76 4 10353 12

  23. SSHCure 
 Validation results • Evaluation metrics: • TP / FP — correct / false identification of incident • TN / FN — correct / false identification of non-incident • Detection accuracy close to 100% TPR TNR FPR FNR Acc Dataset 1 0,692 0,921 0,079 0,308 0,839 Dataset 2 — 0,997 0,003 — 0,997 13

  24. SSHCure 
 Deployment • SSHCure is open-source and actively developed • Download counter SourceForge (Dec. ’14): 3k • Recently moved to GitHub (summer ’14) • Tested in several nation-wide backbone networks • Many successful deployments already: • Web hosting • National Research and Education companies Networks (NRENs) • Campus networks • Governmental CSIRTs/CERTs 14

  25. Lessons learned 15

  26. Lessons learned 16

  27. Lessons learned • Ease-of-use is key 16

  28. Lessons learned • Ease-of-use is key • Many potential SSHCure users (e.g., CSIRTs) are less- skilled than we are 16

  29. Lessons learned • Ease-of-use is key • Many potential SSHCure users (e.g., CSIRTs) are less- skilled than we are • Installation scripts are important 16

  30. Lessons learned • Ease-of-use is key • Many potential SSHCure users (e.g., CSIRTs) are less- skilled than we are • Installation scripts are important • Use of NfSen: 16

  31. Lessons learned • Ease-of-use is key • Many potential SSHCure users (e.g., CSIRTs) are less- skilled than we are • Installation scripts are important • Use of NfSen: • Widely used in (European) NREN community 16

  32. Lessons learned • Ease-of-use is key • Many potential SSHCure users (e.g., CSIRTs) are less- skilled than we are • Installation scripts are important • Use of NfSen: • Widely used in (European) NREN community • Experience with SURFmap [1] [1] http://surfmap.sf.net/ 16

  33. Lessons learned 17

  34. Lessons learned • Ingress vs. egress attacks 17

  35. Lessons learned • Ingress vs. egress attacks • Initial focus mainly on ingress attacks 17

  36. Lessons learned • Ingress vs. egress attacks • Initial focus mainly on ingress attacks • CSIRTs are becoming more responsible towards the Internet: Keep it clean! 17

  37. Lessons learned 18

  38. Lessons learned • Integration into workflow is important 18

  39. Lessons learned • Integration into workflow is important • Yet another tool is hard to integrate into CSIRT workflow 18

  40. Lessons learned • Integration into workflow is important • Yet another tool is hard to integrate into CSIRT workflow • Integration with existing systems is necessary: IODEF, X-ARF, QuarantaineNet, … 18

  41. Lessons learned 19

  42. Lessons learned • Advertizing is important 19

  43. Lessons learned • Advertizing is important • People don’t spot your cool project by themselves 19

  44. Lessons learned • Advertizing is important • People don’t spot your cool project by themselves • Visit meetings & conferences (FloCon, 
 TERENA TNC, RIPE, etc.) 19

  45. Lessons learned • Advertizing is important • People don’t spot your cool project by themselves • Visit meetings & conferences (FloCon, TERENA TNC, RIPE, etc.) • GitHub vs. SourceForge 19

  46. Lessons learned 20

  47. Lessons learned • 1:1 sampling is hardly used by non-academia 20

  48. Lessons learned • 1:1 sampling is hardly used by non-academia • Problem for our algorithms 20

  49. Lessons learned • 1:1 sampling is hardly used by non-academia • Problem for our algorithms • Admins are ‘afraid’ of increasing sampling rates 20

  50. Lessons learned 21

  51. Lessons learned • Input data quality is hard to predict 21

  52. Lessons learned • Input data quality is hard to predict • Algorithms should be as resilient to various data sources as possible 21

  53. Lessons learned • Input data quality is hard to predict • Algorithms should be as resilient to various data sources as possible • Examples: 21

  54. Lessons learned • Input data quality is hard to predict • Algorithms should be as resilient to various data sources as possible • Examples: • Availability of TCP flags 21

  55. Lessons learned • Input data quality is hard to predict • Algorithms should be as resilient to various data sources as possible • Examples: • Availability of TCP flags • Assumptions on flow cache entry expiration 21

  56. Thanks! 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska,

Using of time characteristic in Netflow data for improvement of protocol detection P. Piska, J. Novotn, {piskac|novotny}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network Management July 30, 2010, Maastricht, The Netherlands

479 views • 26 slides
Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T.

Malware Detection From The Network Perspective Using NetFlow Data P. eleda, J. Vykopal, T. Plesnk, M. Truneka, V. Krmek {celeda|vykopal|plesnik|trunecka|vojtec}@ics.muni.cz 3rd NMRG Workshop on NetFlow/IPFIX Usage in Network

1.19k views • 36 slides
From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA -

From NetFlow to IPFIX the evolution of IP flow information export Brian Trammell - CERT/NetSA - Pittsburgh, PA, US Elisa Boschi - Hitachi Europe - Zurich, CH NANOG 41 - Albuquerque, NM, US - October 15, 2007 What is IPFIX? Emerging IETF

316 views • 17 slides
Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring

A Performance Benchmark for NetFlow Data Analysis on Distributed Stream Processing Systems NOMS 2016 Wednesday 27 th April, 2016 Milan ermk Daniel Tovark, Martin Latovika, Pavel eleda NetFlow/IPFIX Monitoring and Analysis

606 views • 23 slides
On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate

On the challenges of network traffic classification with NetFlow/IPFIX Pere Barlet-Ros Associate Professor at UPC BarcelonaTech (pbarlet@ac.upc.edu) Joint work with: Valentn Carela-Espaol, Tomasz Bujlow and Josep Sol-Pareta This project

544 views • 26 slides
Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore,

Building a better NetFlow (to appear in SIGCOMM 2004) Cristian Estan, Ken Keys, David Moore, George Varghese University of California, San Diego IETF60 Aug 4, 2004 IPFIX WG UCSD CSE Disclaimers "NetFlow" used

510 views • 26 slides
A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van

A Labeled Data Set For Flow-based Intrusion Detection Anna Sperotto, Ramin Sadre, Frank van Vliet, Aiko Pras Design and Analysis of Communication Systems University of Twente, The Netherlands NMRG Workshop on Netflow/IPFIX Usage in Network

592 views • 21 slides
NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis

NetFlow Analysis Jonzy Data Security Analysis, Sr. Information Security Office NetFlow Analysis Intrusion Detection, Protection, and Usage Reporting NetFlow is a cornucopia of information that allows for: Intrusion Detection, Bandwidth usage,

665 views • 17 slides
IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05

IPFIX Mediation: Framework IPFIX IETF-77 March 23, 2010 draft-ietf-ipfix-mediators-framework-05 Atsushi Kobayashi, Benoit Claise, Gerhard Munz, Keisuke Ishibashi 1 History Submitted -04 version on October 2009. Received comments from

332 views • 8 slides
Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly

Security Hands-on @ Pavilion Stream + NetFlow for Security & Insider Threat Detection Kelly Feagans | Sales Engineering September 2017 | Washington, DC Objective OBJECTIVE Learn how to use NetFlow with the Splunk Stream Forwarder for

444 views • 20 slides
An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01

An IPFIX-Based File Format draft-trammell-ipfix-file-01 http://www.ietf.org/internet-drafts/draft-trammell-ipfix-file-01.txt Brian Trammell, Elisa Boschi, Lutz Mark, Tanja Zseby Tuesday, July 11, 2006 IETF 66 - Montral, Qubec, Canada The

318 views • 6 slides
IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004

IPFIX Protocol Specifications IPFIX IETF-61 November 11th, 2004 <draft-ietf-ipfix-protocol-06.txt> Benoit Claise <bclaise@cisco.com> Stewart Bryant <stbryant@cisco.com> Mark Fullmer <maf@eng.oar.net> Ganesh

265 views • 13 slides
IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX)

IP Flow Information eXport IP Flow Information eXport (IPFIX) (IPFIX) elisa.boschi@hitachi-eu.com {boschi, zseby, mark, hirsch}@fokus.fraunhofer.de Outline Outline IPFIX Terminology Applicability Initial Goals

212 views • 19 slides
Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering

Peer-to-Peer Botnet Detection Using NetFlow Connor Dillon System and Network Engineering University of Amsterdam Master thesis presentation, July 3 rd 2014 Supervisor: Pepijn Janssen RedSocks Botnets Large group of infected computers,

610 views • 23 slides
Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon

Detecting Botnets with NetFlow V. Krmek, T. Plesnk {vojtec|plesnik}@ics.muni.cz FloCon 2011, January 12, Salt Lake City, Utah Presentation Outline NetFlow Monitoring at MU Chuck Norris Botnet in a Nutshell Botnet Detection Methods

906 views • 63 slides
Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00

Bidirectional Flow Export using IPFIX draft-ietf-ipfix-biflow-00 http://www.ietf.org/internet-drafts/draft-ietf-ipfix-biflow-00.txt Brian Trammell <bht@cert.org> Elisa Boschi <elisa.boschi@hitachi-eu.com> Thursday, November 9, 2006

140 views • 12 slides
Tor, a quick overview Linus Nordberg <linus@torproject.org> The Tor Project

Tor, a quick overview Linus Nordberg <linus@torproject.org> The Tor Project

Tor, a quick overview Linus Nordberg <linus@torproject.org> The Tor Project https://torproject.org/ 1 What is Tor Online anonymity: 1. software, 2. network, 3. protocol Open source, freely available Community of researchers,

540 views • 37 slides
Enhancing and connecting repositories in Africa NREN- library collaboration Omo Oaiya (WACREN),

Enhancing and connecting repositories in Africa NREN- library collaboration Omo Oaiya (WACREN),

Enhancing and connecting repositories in Africa NREN- library collaboration Omo Oaiya (WACREN), Iryna Kuchma (EIFL), Kathleen Shearer (COAR) What is LIBSENSE? Building capacity and services for Open Science in Africa Africa is a large and

198 views • 17 slides
NRENs as Enablers of eResearch 8 October 2013 Leon Staphorst Manager: SANReN What are NRENs?

NRENs as Enablers of eResearch 8 October 2013 Leon Staphorst Manager: SANReN What are NRENs?

NRENs as Enablers of eResearch 8 October 2013 Leon Staphorst Manager: SANReN What are NRENs? NRENs are specialised network infrastructure and service providers that exclusively supports a countrys research and education communities

214 views • 20 slides
IaaS Framework Agreements Pan-European Cloud Services ready for adoption Dr. Jakob Tendel GANT

IaaS Framework Agreements Pan-European Cloud Services ready for adoption Dr. Jakob Tendel GANT

IaaS Framework Agreements Pan-European Cloud Services ready for adoption Dr. Jakob Tendel GANT Cloud Service Delivery Team German Research Network DFN Belnet Networking Conference, Brussels 18 th Oct. 2018 Networks Services People

293 views • 25 slides
RedCLARA Building the ciberinfrastructure for research and education in Latin America About

RedCLARA Building the ciberinfrastructure for research and education in Latin America About

RedCLARA Building the ciberinfrastructure for research and education in Latin America About RedCLARA Creation: 2003 in Valle del Bravo. 13 Latin American NRENs Mision: Strengthen development of science, education, culture and

399 views • 20 slides
CIBSE REPUBLIC OF IRELAND Why join CIBSE CIBSE Societies CIBSE Journal + App & Electronic

CIBSE REPUBLIC OF IRELAND Why join CIBSE CIBSE Societies CIBSE Journal + App & Electronic

CIBSE REPUBLIC OF IRELAND Why join CIBSE CIBSE Societies CIBSE Journal + App & Electronic Newsletter Networking Opportunities Special Interest Groups 2 CIBSE IRELAND CPDs all around Ireland Social events: Golf Luttrellstown

1.18k views • 101 slides
Eddie Aronovich TAU, IUCC Oct 2008 (based on D.Horn presentation from Apr 2008) LinkSceem

Eddie Aronovich TAU, IUCC Oct 2008 (based on D.Horn presentation from Apr 2008) LinkSceem

Eddie Aronovich TAU, IUCC Oct 2008 (based on D.Horn presentation from Apr 2008) LinkSceem ISRAGRID Eddie Aronovich (http://www.cs.tau.ac.il/research/eddie.aronovich) Short intro to Grid and Clouds NGI (EGI) Zisapel Committee

386 views • 22 slides
Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet

Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet

Petascale Science Prototype Services Facility (PSPSF) Joe Mambretti, Director, (j-mambretti@northwestern.edu) International Center for Advanced Internet Research (www.icair.org) Northwestern University Director, Metropolitan Research and

438 views • 33 slides

More recommend