Abstract
A common method used to detect intrusions is monitoring filesystem data. Once a computer is compromised, an attacker may alter files, add new files or delete existing ones. Attackers may target any part of the filesystem, including metadata as well as file contents (e.g., permissions, ownership and inodes). In this paper, we describe an empirical study that focused on computer attack activity after an SSH compromise. Statistical data are provided on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights). We extend this analysis to include the sequence of files and activities targeted. We focused on the most frequent sequences of consecutive files and activities, then explored the longer sequences in greater detail using state machines. Finally, we developed a simple state machine representing three major observed attack activities (i.e., reconnaissance, malware download and password change) with the number of transitions and the time for each transition. The analysis of individual files and activities, and of their sequences, will help to better understand attack activity patterns, resulting in more efficient intrusion detection.
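The sequence analysis the abstract describes, as an added example that is not the paper's own code: it counts the most frequent consecutive (activity, file) pairs in a constructed filesystem-activity log and collapses events into the three observed phases to count transitions and the mean time per transition. The log format and the path-based phase heuristics are assumptions made for this illustration.

```python
# Added example (not the paper's code): sequence analysis of post-compromise
# filesystem activity. Log format "<seconds> <activity> <path>" and the
# path-based phase heuristics are assumptions made for this illustration.
from collections import Counter

# Constructed sample log: recon burst, malware drop, password change, repeat.
SAMPLE_LOG = """0 read /etc/passwd
1 read /proc/cpuinfo
2 read /etc/hosts
5 write /tmp/.x/bot.tgz
6 chmod /tmp/.x/bot
9 write /etc/shadow
10 read /etc/passwd
11 read /proc/cpuinfo
14 write /tmp/.y/kit.tgz"""

def parse_log(text):
    """Return a list of (timestamp, activity, path) tuples."""
    out = []
    for line in text.splitlines():
        ts, act, path = line.split(maxsplit=2)
        out.append((int(ts), act, path))
    return out

def top_bigrams(events, n=3):
    """Most frequent consecutive (activity, file) pairs, as in the sequence analysis."""
    steps = [(a, p) for _, a, p in events]
    return Counter(zip(steps, steps[1:])).most_common(n)

def phase_of(act, path):
    """Assumed mapping of one event to the three attack activities (or 'other')."""
    if act == "write" and path == "/etc/shadow":
        return "passwd"
    if act in ("write", "chmod") and path.startswith("/tmp/"):
        return "malware"
    if act == "read" and path.startswith(("/etc/", "/proc/")):
        return "recon"
    return "other"

def phase_transitions(events):
    """Collapse runs of one phase into a state; count transitions and mean seconds each."""
    dts = {}
    prev, prev_ts = None, None
    for ts, act, path in events:
        ph = phase_of(act, path)
        if prev is not None and ph != prev:
            dts.setdefault((prev, ph), []).append(ts - prev_ts)
        prev, prev_ts = ph, ts
    return {k: (len(v), sum(v) / len(v)) for k, v in dts.items()}
```

Running `phase_transitions(parse_log(SAMPLE_LOG))` on the constructed log yields two recon-to-malware transitions averaging 3 s, which is the kind of transition count and timing the paper's state machine records.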
© 2007 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Molina, J., Chorin, X., Cukier, M. (2007). Filesystem Activity Following a SSH Compromise: An Empirical Study of File Sequences. In: Nam, KH., Rhee, G. (eds) Information Security and Cryptology - ICISC 2007. ICISC 2007. Lecture Notes in Computer Science, vol 4817. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-76788-6_12
DOI: https://doi.org/10.1007/978-3-540-76788-6_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-76787-9
Online ISBN: 978-3-540-76788-6