Fall 2010 Internet2 Member Meeting


Instrumenting SSH for Intrusion Detection

Time: 11/02/10 04:30PM-05:30PM

Session Abstract

In response to a significant reduction in our ability to monitor activity on our systems for security issues, NERSC, LBNL's Supercomputer Division, undertook a project to access and analyze Secure Shell (SSH) related data. This includes authentication data such as user names and key fingerprints, interactive session data such as keystrokes and responses, and information about non-interactive sessions such as commands executed and files transferred. Due to the nature of the SSH protocol, this data is typically inaccessible with traditional network monitoring techniques. However, with a modification to the SSH daemon, this data can be passed directly to intrusion detection systems for analysis. This instrumented version of SSH is now running on all NERSC production systems. This talk will describe the changes we made to the SSH daemon, how we analyze the data with Bro, and show some of the more interesting results from this project.


Speaker: Craig Lant, Lawrence Berkeley National Laboratory

Secondary tracks: System and Network Security for Advanced Networks
