This page provides access to the materials accompanying the following publication:
SSH Compromise Detection using NetFlow/IPFIX
Rick Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras. In: ACM Computer Communication Review, 2014.
More information regarding this publication can be found here. Any usage of materials provided on this page should reference this publication.
|Flow data||x GB||333|
|Log files||x GB||333|
Some results derived from these data can be found in here.
The flow data has been exported by a Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC 5), and collected using nfcapd. Neither packet sampling nor flow sampling have been applied. The following post-processing operations have however been performed:
- Filtering: Only SSH data has been selected, i.e., the following nfdump filter has been used: port 22 and proto tcp.
- Anonymization: nfanon has been used for anonymizing the flow data in a prefix-preserving manner. More precisely, nfanon relies on the CryptoPAn (Cryptography-based Prefix-preserving Anonymization) module.
The log files have been gathered from various Linux operating systems. We have performed the following post-processing steps: