This page provides access to the materials accompanying the following publication:
SSH Compromise Detection using NetFlow/IPFIX
Rick Hofstede, Luuk Hendriks, Anna Sperotto, Aiko Pras. In: ACM Computer Communication Review, Vol. 44, No. 5, 2014 (to appear).
More information regarding this publication can be found here. Any usage of materials provided on this page - be it the datasets, scripts, paper itself, or any content derived thereof - should reference this publication.
Two datasets have been used in the paper presented above, both consisting of one month of flow data and log files.
|Dataset||Type||File name||File Size||md5|
|1||Flow data||dataset1_flow_data.tgz||1.1 GB||7a52c41bb8d742a01ca9e8374a49bb3b|
|Log files||dataset1_log_files.tgz||12 MB||ab5f0a593aa69c45efb025fc34ec00fc|
|2||Flow data||dataset2_flow_data.tgz||1.3 GB||a125ba2253839ec3f12428e235730ed3|
|Log files||dataset2_log_files.tgz||101 MB||548e1c9ff4ccb423a0f5bb199898ed44|
Some results derived from these datasets, as well as an extensive description of the types of hosts of which the data comprises these datasets, can be found in here.
The flow data has been exported by a Cisco Catalyst 6500 with SUP2T supervisor module (PFC4, MSFC5), and collected using nfcapd. Neither packet sampling nor flow sampling have been applied. The following post-processing operations have however been performed:
- Filtering: Only SSH data has been selected, i.e., the following nfdump filter has been used: port 22 and proto tcp.
- Anonymization: nfanon has been used for anonymizing the flow data in a prefix-preserving manner. More precisely, nfanon relies on the CryptoPAn (Cryptography-based Prefix-preserving Anonymization) module.
The log files have been gathered from various Linux operating systems. The following post-processing operations have however been performed:
- Merging: On some machines, the authentication logs were distributed over <hostname>.messages and <hostname>.warn. We have merged those log files, sorted them again (if necessary), and removed any introduced duplicates.
- Renaming: The file names have been changed from <hostname>.<extension> into <anonymized_IP_address>.<extension>. As such, the log files can easily be correlated with the flow data.
- Anonymization: We have replaced any usernames by "XXXXX" and hostnames by the anonymized IP address of the considered host.
- Note that there are activities over SSH from several (anonymized) IP address ranges that can principally be found in the log files only (so not in the flow data). These are internal IP address ranges for which the traffic is not considered for flow export.
- Several hosts of which the authentication logs have been included in the dataset store host names in log files instead of IP addresses. In the anonymization process, we have resolved these hostnames and anonymized the resulting IP addresses. As such, it may be possible that the IP address of such hosts has changed between the moment of generating the datasets and anonymizing them.
- The log files have been exported by several daemons, consisting mostly of Kippo and OpenSSH (Debian) in Dataset 1, and another mixture of daemons in Dataset 2. Whether log files have been exported by Kippo or another daemon, can be concluded from the file names of the log files.
The following scripts have been used for processing the datasets:
- anonymizer.pl: Anonymizes log files and flow data (in nfdump binary format) using CryptoPAn. It uses the same key for anonymizing both the log files and the flow data, to allow for matching the log files with the flow data. More precisely, it performs the following actions:
- Copy the full directory structure of log files and flow data, after anonymizing directory names consisting of host names. Directory names consisting of hostnames are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
- All hostnames in the log files are resolved and replaced by the anonymized IP address corresponding to the resolved host name.
- Usernames of hosts running Kippo in Dataset 1 are retained, to allow for future analysis on the usage of login credentials on honeypots, for example. Usernames of logs exported by other daemons in Dataset 1 and usernames in Dataset 2 are replaced by 'XXXXX'.
- All IP address in the log files are replaced by their anonymized counterparts.