Automatic Detection of Fake File Systems

Authors
Rowe, Neil C.
Date of Issue
2005-05
Date
May 2005
Publisher
Monterey, California. Naval Postgraduate School
Abstract
We develop methods for assessing the typicality of the file system of a computer. This is helpful in analyzing, for instance, captured terrorist machines to decide if their information is genuine and for testing whether a honeypot is convincing. We have implemented a program that computes 28 metrics on a file system including features such as the average number of files per directory, the average number of programs per directory, the length of an average filename, the size of the average file, and the average time the file was last modified. We also can infer analogous directories with different names or paths on two file systems. We show that comparing the metrics can reveal a reasonably convincing "fake" file system created using random selections from Web page names at our institution together with some other random choices. We conclude with some discussion of possible improvements incorporating more context.
Type
Conference Paper
Description
Proceedings of the Intelligence Analysis Conference, McLean, Virginia, USA, May 2005
Department
Computer Science (CS)
Organization
Cebrowski Institute for Innovation and Information Superiority
Sponsors
Supported by the National Science Foundation under the Cyber Trust Program
Citation
Proceedings of the Intelligence Analysis Conference, McLean, Virginia, USA, May 2005
Distribution Statement
Approved for public release; distribution is unlimited.