• DocumentCode
    2761702
  • Title
    Evaluating Files to Audit for Detecting Intrusions in FileSystem Data
  • Author
    Molina, Jesus ; Cukier, Michel
  • Author_Institution
    Fujitsu Labs. of America, College Park, MD, USA
  • fYear
    2009
  • fDate
    9-11 July 2009
  • Firstpage
    163
  • Lastpage
    170
  • Abstract
    Monitoring filesystem data is a common method used to detect intrusions. Once a computer is compromised, an attacker may alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). The accuracy of detecting an intrusion depends on the data audited: if an intrusion does not manifest in the data, the intrusion will not be detected. Moreover, not all files that record filesystem activity are suitable for detecting intrusions, as some may fail to provide useful information. In this paper, we describe an empirical study that focused on filesystem attack activity after an SSH compromise. Three types of attacker action are considered: reconnaissance, password modification, and malware download. For each type of action, we evaluated the files to audit using metrics derived from the field of information theory and estimated with the empirical SSH compromise data.
  • Keywords
    Bayes methods; authorisation; entropy; file organisation; invasive software; meta data; optimisation; probability; Bayesian metric; data auditing; empirical SSH compromise data; entropy-based metric; file evaluation; filesystem attack activity; filesystem data monitoring; honeypot; information theory; intrusion detection system; malware download; meta data; optimization problem; password modification; probability; reconnaissance action; unauthorized user; Application software; Computer applications; Computer networks; Educational institutions; Event detection; Information theory; Intrusion detection; Reconnaissance; Software tools; USA Councils; Intrusion detection systems; SSH compromise; attacker behavior; empirical analysis; filesystem data; honeypots;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network Computing and Applications, 2009. NCA 2009. Eighth IEEE International Symposium on
  • Conference_Location
    Cambridge, MA
  • Print_ISBN
    978-0-7695-3698-9
  • Electronic_ISBN
    978-0-7695-3698-9
  • Type
    conf
  • DOI
    10.1109/NCA.2009.38
  • Filename
    5190368