Instrumenting SSH for Intrusion Detection
Time: 11/02/10 04:30PM-05:30PM
Session Abstract
In response to a significant reduction in our ability to monitor activity on our systems for security issues, NERSC (LBNL's supercomputer division) undertook a project to access and analyze Secure Shell (SSH) related data. This includes authentication data such as user names and key fingerprints, interactive session data such as keystrokes and responses, and information about non-interactive sessions such as commands executed and files transferred. Because SSH encrypts the session, this data is typically inaccessible to traditional network monitoring techniques. However, with a modification to the SSH daemon, this data can be passed directly to intrusion detection systems for analysis. This instrumented version of SSH is now running on all NERSC production systems. This talk will describe the changes we made to the SSH daemon, how we analyze the data with Bro, and show some of the more interesting results from this project.
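The abstract describes the shape of the pipeline (an instrumented sshd exports authentication, command and transfer records per session, and an IDS correlates them) without showing the analysis. The following is an added illustration of that correlation step, not NERSC's code and not a Bro policy: the tab-separated record layout, the session identifiers, the key fingerprints and the allowlist/watchlist are all constructed for this example. It keys each session on its authentication record and raises alerts for an unrecognised key, a key used by someone other than its registered owner, a command matching a watched prefix, and activity in a session for which no authentication record was seen.

```python
"""Correlate constructed instrumented-sshd export records into IDS alerts.

Added example only; the record layout below is an assumption, not the format
used by NERSC's instrumented sshd or by Bro.
"""

# Constructed sample export. Each line: timestamp, session id, record kind,
# then kind-specific fields (auth: user, key fingerprint; cmd: command line;
# xfer: file path). All values are made up for the example.
SAMPLE_EVENTS = "\n".join([
    "1288716000\ts1\tauth\talice\tSHA256:aaaa",
    "1288716001\ts1\tcmd\tls -la /home/alice",
    "1288716005\ts2\tauth\tbob\tSHA256:zzzz",
    "1288716006\ts2\tcmd\tcat /etc/passwd",
    "1288716010\ts3\tcmd\tuname -a",
    "1288716020\ts2\txfer\t/tmp/data.tgz",
    "1288716030\ts4\tauth\tcarol\tSHA256:aaaa",
])

# Constructed allowlist: key fingerprint -> account it was registered for.
KNOWN_KEYS = {"SHA256:aaaa": "alice"}

# Constructed watchlist: command prefixes an operator wants surfaced.
WATCHED_PREFIXES = ("cat /etc/",)


def parse_event(line):
    """Split one export line into a dict; returns None for blank/short lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    ts, session, kind = parts[:3]
    return {"ts": int(ts), "session": session, "kind": kind, "fields": parts[3:]}


def correlate(export_text, known_keys=KNOWN_KEYS, watched=WATCHED_PREFIXES):
    """Walk records in order and return a list of (rule, session, user, detail).

    Session state is built from auth records, so later cmd/xfer records can be
    attributed to the user and key that opened the session.
    """
    sessions = {}  # session id -> (user, fingerprint)
    alerts = []
    for line in export_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        sid, kind, fields = ev["session"], ev["kind"], ev["fields"]
        if kind == "auth":
            user, fp = fields[0], fields[1]
            sessions[sid] = (user, fp)
            owner = known_keys.get(fp)
            if owner is None:
                alerts.append(("unknown_key", sid, user, fp))
            elif owner != user:
                alerts.append(("key_user_mismatch", sid, user, fp))
        elif kind in ("cmd", "xfer"):
            detail = fields[0] if fields else ""
            if sid not in sessions:
                # Activity without a preceding auth record: the exporter
                # missed the session start or records arrived out of order.
                alerts.append(("no_auth_record", sid, None, detail))
            elif kind == "cmd" and detail.startswith(watched):
                user = sessions[sid][0]
                alerts.append(("watched_command", sid, user, detail))
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Because the exporter sits inside sshd, the command and transfer records carry the real session identity rather than a guess reconstructed from packet timing, which is what makes the per-session attribution above possible; the same loop could feed these tuples into Bro's notice framework instead of returning them.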
Speakers
Craig Lant, Lawrence Berkeley National Laboratory
Secondary tracks: System and Network Security for Advanced Networks