Enabling SSH Protocol Visibility in Flow Monitoring

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216224%3A14610%2F19%3A00109436" target="_blank" >RIV/00216224:14610/19:00109436 - isvavai.cz</a>

Výsledek na webu

<a href="http://dl.ifip.org/db/conf/im/im2019exp/189410.pdf" target="_blank" >http://dl.ifip.org/db/conf/im/im2019exp/189410.pdf</a>

DOI - Digital Object Identifier

—

Jazyk výsledku

angličtina

Název v původním jazyce

Enabling SSH Protocol Visibility in Flow Monitoring

Popis výsledku v původním jazyce

The network flow monitoring has evolved to collect information beyond the network and transport layers, most importantly the application layer information. This information is used to improve network security and performance by enabling more precise performance analysis and intrusion detection. In this paper, we contribute to this effort by extending flow monitoring with information from the SSH protocol. Firstly, we analyze the SSH protocol to determine which information can be obtained from the connection establishment phase. Based on the analysis, we create an extension to our flow monitoring infrastructure that allows obtaining the selected information. Lastly, we analyze the SSH connections observed in the university campus network and discuss the benefits of performing the detailed SSH protocol analysis. We argue that with a precise recognition of login attempt results it is possible to improve the detection of successful brute-force password attacks. Moreover, we publish an anonymized version of our dataset including the SSH specific information.

Název v anglickém jazyce

Enabling SSH Protocol Visibility in Flow Monitoring

Popis výsledku anglicky

The network flow monitoring has evolved to collect information beyond the network and transport layers, most importantly the application layer information. This information is used to improve network security and performance by enabling more precise performance analysis and intrusion detection. In this paper, we contribute to this effort by extending flow monitoring with information from the SSH protocol. Firstly, we analyze the SSH protocol to determine which information can be obtained from the connection establishment phase. Based on the analysis, we create an extension to our flow monitoring infrastructure that allows obtaining the selected information. Lastly, we analyze the SSH connections observed in the university campus network and discuss the benefits of performing the detailed SSH protocol analysis. We argue that with a precise recognition of login attempt results it is possible to improve the detection of successful brute-force password attacks. Moreover, we publish an anonymized version of our dataset including the SSH specific information.

Druh

D - Stať ve sborníku

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

<a href="/cs/project/EF16_019%2F0000822" target="_blank" >EF16_019/0000822: Centrum excelence pro kyberkriminalitu, kyberbezpečnost a ochranu kritických informačních infrastruktur</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2019

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název statě ve sborníku

2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)

ISBN

9781728106182

ISSN

1573-0077

e-ISSN

—

Počet stran výsledku

6

Strana od-do

569-574

Název nakladatele

IEEE

Místo vydání

Washington DC, USA

Místo konání akce

Washington DC, USA

Datum konání akce

1. 1. 2019

Typ akce podle státní příslušnosti

WRD - Celosvětová akce

Kód UT WoS článku

000469937200100