Evaluating Files to Audit for Detecting Intrusions in FileSystem Data

Monitoring filesystem data is a common method used to detect intrusions. Once a computer is compromised, an attacker may alter files, add new files or delete existing files. The changes that attackers make may target any part of the filesystem, including metadata along with files (e.g., permissions, ownerships and inodes). The accuracy of detecting an intrusion depends on the data audited: if an intrusion does not manifest in the data, the intrusion will not be detected. Moreover, not all files, which contain filesystem activity, are suitable to detect intrusions, as some may fail to provide useful information. In this paper, we describe an empirical study that focused on filesystem attack activity after a SSH compromise. Three types of attacker action are considered: reconnaissance, password modification, and malware download. For each type of action, we evaluated the files to audit using metrics derived from the field of information theory and estimated with the empirical SSH compromise data.