An empirical study of filesystem activity following a SSH compromise

Title: An empirical study of filesystem activity following a SSH compromise
Publication Type: Conference Papers
Year of Publication: 2007
Authors: Molina J, Gordon J, Chorin X, Cukier M
Date Published: 2007/12
Keywords: attack activity, filesystem activity, filesystem data monitoring, intrusion detection systems evaluation, metadata, security of data, SSH compromised attacks
Abstract:

Monitoring filesystem data is a common method used to detect attacks. Once a computer is compromised, attackers will likely alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata as well as file contents (e.g., permissions, ownership and inodes). In this paper, we describe an empirical study that focused on SSH compromised attacks. First, statistical data on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights changes) are reported. Then, we refine the analysis to identify and understand patterns in the attack activity.

DOI: 10.1109/ICICS.2007.4449675