Loading [MathJax]/extensions/MathMenu.js
Enabling SSH Protocol Visibility in Flow Monitoring | IEEE Conference Publication | IEEE Xplore

Enabling SSH Protocol Visibility in Flow Monitoring


Abstract:

The network flow monitoring has evolved to collect information beyond the network and transport layers, most importantly the application layer information. This informati...Show More

Abstract:

The network flow monitoring has evolved to collect information beyond the network and transport layers, most importantly the application layer information. This information is used to improve network security and performance by enabling more precise performance analysis and intrusion detection. In this paper, we contribute to this effort by extending flow monitoring with information from the SSH protocol. Firstly, we analyze the SSH protocol to determine which information can be obtained from the connection establishment phase. Based on the analysis, we create an extension to our flow monitoring infrastructure that allows obtaining the selected information. Lastly, we analyze the SSH connections observed in the university campus network and discuss the benefits of performing the detailed SSH protocol analysis. We argue that with a precise recognition of login attempt results it is possible to improve the detection of successful brute-force password attacks. Moreover, we publish an anonymized version of our dataset including the SSH specific information.
Date of Conference: 08-12 April 2019
Date Added to IEEE Xplore: 20 May 2019
ISBN Information:
Print on Demand(PoD) ISSN: 1573-0077
Conference Location: Arlington, VA, USA

I. Introduction

The network flow monitoring [1] is being enhanced to observe and export application layer information. HTTP protocol related fields are even defined as standard IPFIX entities [2]. Although the increasing usage of encryption hinders this approach, it is possible to gain information even from the encrypted traffic [3], [4]. This paper focuses on the analysis of the Secure Shell (SSH) protocol [5], which is used for critical tasks such as server management and data transfer. To the best of our knowledge, this is the first work that studies the SSH protocol in the context of network flow monitoring.

Contact IEEE to Subscribe

References

References is not available for this document.