SSH datasets

From SimpleWiki
Jump to navigationJump to search

This page provides access to the materials accompanying the following publication:

SSH Compromise Detection using NetFlow/IPFIX
Rick Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras. In: ACM SIGCOMM Computer Communication Review, Vol. 44, No. 5, 2014, ISSN 0146-4833, pp. 20-26.

  author        = {Hofstede, Rick and Hendriks, Luuk and Sperotto, Anna and Pras, Aiko},
  title         = {SSH Compromise Detection using NetFlow/IPFIX},
  journal       = {ACM SIGCOMM Computer Communication Review},
  volume        = {44},
  number        = {5},
  pages         = {20--26},
  year          = {2014},

More information regarding this publication can be found here. Any usage of materials provided on this page - be it the datasets, scripts, paper itself, or any content derived thereof - should reference this publication.


Two datasets have been used in the paper presented above, both consisting of one month of flow data and log files. They have been collected on the campus network of the University of Twente, The Netherlands.

Dataset Type File name File Size md5
1 Flow data dataset1_flow_data.tgz 1.1 GB 7a52c41bb8d742a01ca9e8374a49bb3b
Log files dataset1_log_files.tgz 12 MB ab5f0a593aa69c45efb025fc34ec00fc
2 Flow data dataset2_flow_data.tgz 1.3 GB a125ba2253839ec3f12428e235730ed3
Log files dataset2_log_files.tgz 101 MB 548e1c9ff4ccb423a0f5bb199898ed44

Some results derived from these datasets, as well as an extensive description of the types of hosts of which the data comprises these datasets, can be found in here.

Flow data

The flow data has been exported by two types of flow exporters:

  1. router-b, router-c: Cisco Catalyst 6500 with SUP720 supervisor module (PFC3, MSFC3, EARL7)
  2. router-s, router-t: Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC5, EARL8)

The data has been collected using nfcapd. Neither packet sampling nor flow sampling have been applied. The following post-processing operations have however been performed:

  1. Filtering: Only SSH data has been selected, i.e., the following nfdump filter has been used: port 22 and proto tcp.
  2. Anonymization: nfanon has been used for anonymizing the flow data in a prefix-preserving manner. More precisely, nfanon relies on the CryptoPAn (Cryptography-based Prefix-preserving Anonymization) module.

In case you'd like to learn more about flow monitoring in general or any aspect required for doing sound flow measurements, we refer to this tutorial.

Log files

The log files have been gathered from various Linux operating systems. The following post-processing operations have however been performed:

  1. Merging: On some machines, the authentication logs were distributed over <hostname>.messages and <hostname>.warn. We have merged those log files, sorted them again (if necessary), and removed any introduced duplicates.
  2. Renaming: The file names have been changed from <hostname>.<extension> into <anonymized_IP_address>.<extension>. As such, the log files can easily be correlated with the flow data.
  3. Anonymization: We have replaced any usernames by "XXXXX" and hostnames by the anonymized IP address of the considered host.


  • Note that there are activities over SSH from several (anonymized) IP address ranges that can principally be found in the log files only (so not in the flow data). These are internal IP address ranges for which the traffic is not considered for flow export.
  • Several hosts of which the authentication logs have been included in the dataset store host names in log files instead of IP addresses. In the anonymization process, we have resolved these hostnames and anonymized the resulting IP addresses. As such, it may be possible that the IP address of such hosts has changed between the moment of generating the datasets and anonymizing them.
  • The log files have been exported by several daemons, consisting mostly of Kippo and OpenSSH (Debian) in Dataset 1, and another mixture of daemons in Dataset 2. Whether log files have been exported by Kippo or another daemon, can be concluded from the file names of the log files.


The following scripts have been used for processing the datasets:

  • Anonymizes log files and flow data (in nfdump binary format) using CryptoPAn. It uses the same key for anonymizing both the log files and the flow data, to allow for matching the log files with the flow data. More precisely, it performs the following actions:
    • Copy the full directory structure of log files and flow data, after anonymizing directory names consisting of host names. Directory names consisting of hostnames are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
    • All hostnames in the log files are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
    • Usernames of hosts running Kippo in Dataset 1 are retained, to allow for future analysis on the usage of login credentials on honeypots, for example. Usernames of logs exported by other daemons in Dataset 1 and usernames in Dataset 2 are replaced by 'XXXXX'.
    • All IP address in the log files are replaced by their anonymized counterparts.


In case of any questions or comments, please contact the authors of the paper mentioned above at r.j.hofstede [at]