Flow-based compromise detection

  • Rick Hofstede
  • Published 1 September 2011
  • Engineering, Computer Science
Brute-force attacks are omnipresent and manifold on the Internet, and aim at compromising user accounts by issuing large numbers of authentication attempts against applications and daemons. Widespread targets of such attacks are Secure Shell (SSH) and Web applications, for example. The impact of brute-force attacks, and of the compromises resulting from them, is often severe: once compromised, attackers gain access to remote machines, allowing those machines to be misused for all sorts of criminal activities…
Flow-Based Compromise Detection: Lessons Learned
The differences between flow data analysis in theory and practice are investigated, that is, in lab environments and in production networks.


Flow-based detection of RDP brute-force attacks
Describes a network-based detection of brute-force attacks on Microsoft Windows RDP authentication, using network flow data collected in the Masaryk University network together with host-based data from the logs of a server with an open Remote Desktop Connection.
Detecting stealthy, distributed SSH brute-forcing
A general approach for detecting distributed malicious activity in which individual attack sources each operate in a stealthy, low-profile manner is proposed, and it is shown that modelling the process of legitimate users failing to authenticate with a beta-binomial distribution enables a detector that trades off an expected level of false positives against time-to-detection.
Towards real-time intrusion detection for NetFlow and IPFIX
This paper presents a functional extension for both NetFlow and IPFIX flow exporters that allows for timely intrusion detection and mitigation of large flooding attacks; it mitigates attacks in near real-time by instructing firewalls to filter malicious traffic.
Anomaly Detection and Mitigation at Internet Scale: A Survey
The survey aims at gaining insight into the industry processes, structures and capabilities of IT companies and the computer networks they run, and finds that flow-based detection mechanisms are valuable because they can easily be adapted to existing infrastructures.
SSHCure: A Flow-Based SSH Intrusion Detection System
This paper proposes SSHCure, a flow-based intrusion detection system for SSH attacks that employs an efficient algorithm for the real-time detection of ongoing attacks and allows identification of compromised attack targets.
Protocol-Independent Detection of Dictionary Attacks
This paper introduces a model of malicious traffic based on practical experience that can be used to create simple and effective detection methods, and develops a successful proof-of-concept method for protocol-independent detection of dictionary attacks.
An Overview of IP Flow-Based Intrusion Detection
The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, botnets and DoS attacks.
Detecting SYN flooding attacks
  • Haining Wang, Danlu Zhang, K. Shin
  • Computer Science
  • Proceedings. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies
  • 2002
A simple and robust mechanism that not only raises alarms upon detection of ongoing SYN flooding attacks, but also reveals the location of the flooding sources without resorting to expensive IP traceback.
Large-Scale Analysis of Malware Downloaders
This paper analyzes and characterizes 23 Windows-based malware downloaders, shows a high diversity in the downloaders' communication architectures, carrier protocols and encryption schemes, and presents two generic techniques enabling defenders to actively acquire malware samples.
Flow-based intrusion detection
  • A. Sperotto
  • Computer Science, Mathematics
  • 12th IFIP/IEEE International Symposium on Integrated Network Management (IM 2011) and Workshops
  • 2011
This work argues that the detection problem is a key component in the field of intrusion detection, and finds that additional research is needed, in particular on the validation and automatic tuning of Intrusion Detection Systems (IDSs).