Filesystem activity following a SSH compromise: an empirical study of file sequences

A common method used to detect intrusions is monitoring filesystem data. Once a computer is compromised, an attacker may alter files, add new files or delete existing ones. Attackers may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). In this paper, we will describe an empirical study that focused on computer attack activity after a SSH compromise. Statistical data will be provided on the number of files targeted and the associated activity (e.g., read, write, delete, ownership and rights). We extend this analysis to include the sequence of files and activities targeted. We focused on the most frequent sequences of consecutive files and activities, then explored in greater detail the longer sequences using state machines. Finally, we developed a simple state machine representing three major observed attack activities (i.e., reconnaissance, malware download and password change) with the number of transitions and time for each transition. The analysis of individual and sequences of files and activities will help to better understand attack activity patterns resulting in more efficient intrusion detection.