Detecting Stealthy Backdoors with Association Rule Mining - NETWORKING 2012
Conference Papers Year : 2012

Detecting Stealthy Backdoors with Association Rule Mining

Abstract

In this paper we describe a practical approach for detecting a class of backdoor communication channel that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
Fichier principal
Vignette du fichier
978-3-642-30054-7_13_Chapter.pdf (269.07 Ko) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-01531956 , version 1 (02-06-2017)

Licence

Identifiers

Cite

Stefan Hommes, Radu State, Thomas Engel. Detecting Stealthy Backdoors with Association Rule Mining. 11th International Networking Conference (NETWORKING), May 2012, Prague, Czech Republic. pp.161-171, ⟨10.1007/978-3-642-30054-7_13⟩. ⟨hal-01531956⟩
91 View
344 Download

Altmetric

Share

More