%0 Conference Paper %D 2007 %T An empirical study of filesystem activity following a SSH compromise %A Molina,J. %A Gordon,J. %A Chorin,X. %A Michel Cukier %K attack activity %K filesystem activity %K filesystem data monitoring %K intrusion detection systems evaluation %K meta data %K metadata %K security of data %K SSH compromised attacks %X Monitoring filesystem data is a common method used to detect attacks. Once a computer is compromised, attackers will likely alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). In this paper, we describe an empirical study that focused on SSH compromised attacks. First statistical data on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights) is reported. Then, we refine the analysis to identify and understand patterns in the attack activity. %P 1 - 5 %8 2007/12// %G eng %R 10.1109/ICICS.2007.4449675