A common method used to detect intrusions is monitoring filesystem data. Once a computer is compromised, an attacker may alter files, add new files or delete existing ones. Attackers may target any part of the filesystem, including file metadata (e.g., permissions, ownership and inodes) as well as file contents. In this paper, we describe an empirical study that focused on computer attack activity after an SSH compromise. Statistical data are provided on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights changes). We extend this analysis to the sequence of files and activities targeted: we first focus on the most frequent sequences of consecutive files and activities, then explore the longer sequences in greater detail using state machines. Finally, we develop a simple state machine representing three major observed attack activities (i.e., reconnaissance, malware download and password change), annotated with the number of transitions and the time taken for each transition. The analysis of individual files and activities, and of their sequences, helps to better understand attack activity patterns and thereby supports more efficient intrusion detection.