SSH datasets

From SimpleWiki
Revision as of 06:18, 19 September 2014 by Hofstede (talk | contribs) (→‎Scripts)
Jump to navigationJump to search

This page provides access to the materials accompanying the following publication:

SSH Compromise Detection using NetFlow/IPFIX
Rick Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras. In: ACM Computer Communication Review, Vol. 44, No. 5, 2014 (to appear).

More information regarding this publication can be found here. Any usage of materials provided on this page - be it the datasets, scripts, paper itself, or any content derived thereof - should reference this publication.


Two datasets have been used in the paper presented above, both consisting of one month of flow data and log files.

Dataset Type File name File Size md5
1 Flow data dataset1_flow_data.tgz 1.1 GB 7a52c41bb8d742a01ca9e8374a49bb3b
Log files dataset1_log_files.tgz 12 MB ab5f0a593aa69c45efb025fc34ec00fc
2 Flow data dataset2_flow_data.tgz 1.3 GB a125ba2253839ec3f12428e235730ed3
Log files dataset2_log_files.tgz 101 MB 548e1c9ff4ccb423a0f5bb199898ed44

Some results derived from these data can be found in here.

Flow data

The flow data has been exported by a Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC5), and collected using nfcapd. Neither packet sampling nor flow sampling have been applied. The following post-processing operations have however been performed:

  1. Filtering: Only SSH data has been selected, i.e., the following nfdump filter has been used: port 22 and proto tcp.
  2. Anonymization: nfanon has been used for anonymizing the flow data in a prefix-preserving manner. More precisely, nfanon relies on the CryptoPAn (Cryptography-based Prefix-preserving Anonymization) module.

Log files

The log files have been gathered from various Linux operating systems. The following post-processing operations have however been performed:

  1. Merging: On some machines, the authentication logs were distributed over <hostname>.messages and <hostname>.warn. We have merged those log files, sorted them again (if necessary), and removed any introduced duplicates.
  2. Renaming: The file names have been changed from <hostname>.<extension> into <anonymized_IP_address>.<extension>. As such, the log files can easily be correlated with the flow data.
  3. Anonymization: We have replaced any usernames by "XXXXX" and hostnames by the anonymized IP address of the considered host.


  • Note that there are activities over SSH from several (anonymized) IP address ranges that can principally be found in the log files only (so not in the flow data). These are internal IP address ranges for which the traffic is not considered for flow export.
  • Several hosts of which the authentication logs have been included in the dataset store host names in log files instead of IP addresses. In the anonymization process, we have resolved these hostnames and anonymized the resulting IP addresses. As such, it may be possible that the IP address of such hosts has changed between the moment of generating the datasets and anonymizing them.


The following scripts have been used for processing the datasets:

  • Anonymizes log files and flow data (in nfdump binary format) using CryptoPAn. It uses the same key for anonymizing both the log files and the flow data, to allow for matching the log files with the flow data. More precisely, it performs the following actions:
    • Copy the full directory structure of log files and flow data, after anonymizing directory names consisting of host names. Directory names consisting of hostnames are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
    • All hostnames in the log files are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
    • Usernames of hosts running Kippo in Dataset 1 are retained, to allow for future analysis on the usage of login credentials on honeypots, for example. Usernames of logs exported by other daemons in Dataset 1 and usernames in Dataset 2 are replaced by 'XXXXX'. Whether log files have been exported by Kippo or another daemon, can be concluded from the file names of the log files.
    • All IP address in the log files are replaced by their anonymized counterparts.