DocumentCode
2973530
Title
An empirical study of filesystem activity following a SSH compromise
Author
Molina, Jesus ; Gordon, Joe ; Chorin, Xavier ; Cukier, Michel
Author_Institution
Univ. of Maryland, College Park
fYear
2007
fDate
10-13 Dec. 2007
Firstpage
1
Lastpage
5
Abstract
Monitoring filesystem data is a common method used to detect attacks. Once a computer is compromised, attackers will likely alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). In this paper, we describe an empirical study that focused on SSH compromised attacks. First, statistical data on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights) is reported. Then, we refine the analysis to identify and understand patterns in the attack activity.
Keywords
meta data; security of data; SSH compromised attacks; attack activity; filesystem activity; filesystem data monitoring; intrusion detection systems evaluation; metadata; Computer architecture; Computerized monitoring; Educational institutions; Intrusion detection; Linux; Mechanical engineering; Permission; Radio access networks; Remote monitoring; Testing; SSH compromises; filesystem data; host intrusion detection systems
fLanguage
English
Publisher
ieee
Conference_Titel
Information, Communications & Signal Processing, 2007 6th International Conference on
Conference_Location
Singapore
Print_ISBN
978-1-4244-0982-2
Electronic_ISBN
978-1-4244-0983-9
Type
conf
DOI
10.1109/ICICS.2007.4449675
Filename
4449675