Conference papers

Detecting Stealthy Backdoors with Association Rule Mining

Abstract: In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to the problem of finding rare associations. We have implemented a prototype and show experimental results on its performance and underlying functioning.
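As an added illustration of the reduction the abstract describes (this is not code from the paper, and the paper's own mining algorithm is not reproduced here): over a constructed connection log, each destination port is scored by its support, and a source that contacts several individually rare ports within a short time window is reported as a candidate knock sequence. The log, the support threshold, the window and the minimum sequence length are all assumptions.

```python
from collections import Counter, defaultdict

# Constructed connection log: (time_s, src, dst_port). Not taken from the paper.
FLOWS = [
    (1, "10.0.0.5", 80), (2, "10.0.0.5", 443), (3, "10.0.0.6", 80), (4, "10.0.0.7", 22),
    (5, "10.0.0.6", 443), (6, "10.0.0.8", 80), (7, "10.0.0.5", 80), (8, "10.0.0.7", 443),
    # three rarely seen ports hit by one source within a few seconds, then a normal port
    (20, "10.0.0.9", 7000), (21, "10.0.0.9", 8000), (22, "10.0.0.9", 9000),
    (23, "10.0.0.9", 22),
    # a single rare port on its own: rare, but not a joint occurrence of rare events
    (40, "10.0.0.10", 31337), (41, "10.0.0.6", 80),
]

def port_support(flows):
    """Fraction of all flows that target each destination port."""
    counts = Counter(port for _, _, port in flows)
    total = len(flows)
    return {port: n / total for port, n in counts.items()}

def rare_sequences(flows, max_support=0.1, window=5, min_len=3):
    """Return (src, [ports]) for each source that hits at least `min_len` distinct
    rare ports (support <= max_support) within `window` seconds: the joint
    occurrence of several events that are each individually rare."""
    support = port_support(flows)
    rare = {port for port, s in support.items() if s <= max_support}
    by_src = defaultdict(list)
    for t, src, port in sorted(flows):
        if port in rare:
            by_src[src].append((t, port))
    hits = []
    for src, events in by_src.items():
        for i, (t0, _) in enumerate(events):
            in_window = [port for t, port in events[i:] if t - t0 <= window]
            distinct = list(dict.fromkeys(in_window))  # dedupe, keep arrival order
            if len(distinct) >= min_len:
                hits.append((src, distinct))
                break  # one report per source is enough for this illustration
    return hits

if __name__ == "__main__":
    for src, ports in rare_sequences(FLOWS):
        print(f"candidate knock sequence from {src}: {ports}")
```

Lowering `max_support` or raising `min_len` trades recall for fewer false positives; the isolated rare port from 10.0.0.10 is never reported because it does not co-occur with other rare ports.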


https://hal.inria.fr/hal-01531956
Contributor: Hal Ifip
Submitted on: Friday, June 2, 2017 - 11:23:14 AM
Last modification on: Friday, June 2, 2017 - 11:25:02 AM
Long-term archiving on: Wednesday, December 13, 2017 - 10:02:42 AM

File: 978-3-642-30054-7_13_Chapter.p... (files produced by the author(s))

Licence: Distributed under a Creative Commons Attribution 4.0 International License

Citation

Stefan Hommes, Radu State, Thomas Engel. Detecting Stealthy Backdoors with Association Rule Mining. 11th International Networking Conference (NETWORKING), May 2012, Prague, Czech Republic. pp.161-171, ⟨10.1007/978-3-642-30054-7_13⟩. ⟨hal-01531956⟩
