Evaluating Files to Audit for Detecting Intrusions in FileSystem Data

Title: Evaluating Files to Audit for Detecting Intrusions in FileSystem Data
Publication Type: Conference Papers
Year of Publication: 2009
Authors: Molina J, Cukier M
Date Published: 2009/07
Keywords: authorisation, Bayes methods, Bayesian metric, data auditing, empirical SSH compromise data, Entropy, entropy-based metric, file evaluation, file organisation, filesystem attack activity, filesystem data monitoring, honeypot, information theory, intrusion detection system, invasive software, malware download, meta data, optimisation, optimization problem, password modification, probability, reconnaissance action, unauthorized user

Monitoring filesystem data is a common method used to detect intrusions. Once a computer is compromised, an attacker may alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including file metadata (e.g., permissions, ownership and inodes) as well as file contents. The accuracy of intrusion detection depends on the data audited: if an intrusion does not manifest in the audited data, the intrusion will not be detected. Moreover, not all files that reflect filesystem activity are suitable for detecting intrusions, as some fail to provide useful information. In this paper, we describe an empirical study that focused on filesystem attack activity after an SSH compromise. Three types of attacker action are considered: reconnaissance, password modification, and malware download. For each type of action, we evaluated the files to audit using metrics derived from the field of information theory and estimated from the empirical SSH compromise data.
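The following is an added illustration of the kind of evaluation the abstract describes, not code or data from the paper. It uses a small constructed set of post-compromise sessions, each labelled with one of the three action types and the set of paths that changed, and scores each candidate file two ways: a Bayesian estimate of P(action | file changed) and the mutual information between "file changed" and the action type. Both the session data and the choice of these two particular metrics are assumptions for illustration; the paper's own entropy-based and Bayesian metrics may be defined differently.

```python
from collections import Counter, defaultdict
from math import log2

# Constructed sample data (not the paper's dataset): one entry per attacker
# session after an SSH compromise, labelled with the dominant action type and
# the set of filesystem paths whose content or metadata changed in that session.
SESSIONS = [
    ("reconnaissance",        {"/var/log/wtmp", "/root/.bash_history"}),
    ("reconnaissance",        {"/var/log/wtmp", "/root/.bash_history"}),
    ("reconnaissance",        {"/var/log/wtmp"}),
    ("password modification", {"/var/log/wtmp", "/root/.bash_history", "/etc/shadow"}),
    ("password modification", {"/var/log/wtmp", "/etc/shadow"}),
    ("password modification", {"/var/log/wtmp", "/root/.bash_history", "/etc/shadow"}),
    ("malware download",      {"/var/log/wtmp", "/root/.bash_history", "/tmp/.x/payload"}),
    ("malware download",      {"/var/log/wtmp", "/tmp/.x/payload"}),
    ("malware download",      {"/var/log/wtmp", "/root/.bash_history", "/tmp/.x/payload"}),
]


def all_paths(sessions):
    """Every path that changed in at least one session."""
    paths = set()
    for _, changed in sessions:
        paths |= changed
    return sorted(paths)


def coverage(sessions, path):
    """Fraction of sessions of each action type in which `path` changed.
    A file an action never touches cannot be used to detect that action."""
    per_action = defaultdict(lambda: [0, 0])  # action -> [changed, total]
    for action, changed in sessions:
        per_action[action][1] += 1
        if path in changed:
            per_action[action][0] += 1
    return {a: hit / total for a, (hit, total) in per_action.items()}


def posterior(sessions, path):
    """Bayesian view (assumed metric): P(action | path changed), by counting."""
    hits = Counter(action for action, changed in sessions if path in changed)
    n = sum(hits.values())
    return {a: c / n for a, c in hits.items()} if n else {}


def mutual_information(sessions, path):
    """Information-theoretic view (assumed metric): I(changed; action) in bits.
    A file that changes in every session, or never, carries 0 bits about
    which action took place, however reliably it records the login itself."""
    n = len(sessions)
    joint = Counter((path in changed, action) for action, changed in sessions)
    p_changed = Counter(path in changed for _, changed in sessions)
    p_action = Counter(action for action, _ in sessions)
    mi = 0.0
    for (x, y), c in joint.items():
        pxy = c / n
        mi += pxy * log2(pxy / ((p_changed[x] / n) * (p_action[y] / n)))
    return mi


def rank_files(sessions):
    """Candidate files ordered by how much their change events reveal
    about the action type; the top entries are the ones worth auditing."""
    return sorted(((p, mutual_information(sessions, p)) for p in all_paths(sessions)),
                  key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for path, mi in rank_files(SESSIONS):
        print(f"{path:22s} MI={mi:.3f} bits  coverage={coverage(SESSIONS, path)}")
```

On this constructed data, `/etc/shadow` and `/tmp/.x/payload` each carry about 0.92 bits about the action type, while `/var/log/wtmp` (changed in every session) and `/root/.bash_history` (changed at the same rate for all three actions) carry none, even though both do record that an intrusion occurred. That is the distinction the abstract draws between a file that reflects filesystem activity and a file that is useful for detecting a particular kind of intrusion.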