Conference papers

Detecting Stealthy Backdoors with Association Rule Mining

Abstract: In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
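The reduction the abstract describes, rare ports whose joint occurrence is not rare, can be illustrated on flow records. The following is an added example written for this page, not the authors' prototype: it uses a constructed set of flow tuples (timestamp, source, destination port) and the hypothetical thresholds max_support and min_count to flag ordered port sequences whose individual ports are all rare yet which recur from one source within a short window.

```python
from collections import Counter, defaultdict

# Constructed sample flows: (timestamp, source, destination port).
# Background traffic on common ports from six hosts ...
FLOWS = [(float(i), f"10.0.0.{i % 6}", [80, 443, 22][i % 3]) for i in range(60)]
# ... two hosts that send the same three rare ports in quick succession ...
FLOWS += [(100.0, "192.0.2.10", 7001), (101.0, "192.0.2.10", 7002), (102.0, "192.0.2.10", 7003),
          (200.0, "192.0.2.11", 7001), (201.0, "192.0.2.11", 7002), (202.0, "192.0.2.11", 7003)]
# ... and one isolated rare port that is not part of any association.
FLOWS += [(300.0, "10.0.0.1", 9000)]


def port_support(flows):
    """Support of each destination port: fraction of all flows that hit it."""
    counts = Counter(port for _, _, port in flows)
    total = len(flows)
    return {port: n / total for port, n in counts.items()}


def knock_sequences(flows, length=3, window=10.0):
    """Every run of `length` consecutive flows from one source inside `window` seconds."""
    by_source = defaultdict(list)
    for ts, src, port in sorted(flows):
        by_source[src].append((ts, port))
    sequences = []
    for src, events in by_source.items():
        for i in range(len(events) - length + 1):
            chunk = events[i:i + length]
            if chunk[-1][0] - chunk[0][0] <= window:
                sequences.append((src, tuple(port for _, port in chunk)))
    return sequences


def rare_associations(flows, length=3, window=10.0, max_support=0.05, min_count=2):
    """Port sequences where every port is rare (support <= max_support) but the
    sequence itself is seen at least min_count times: candidate knock patterns."""
    support = port_support(flows)
    seen = Counter()
    for _, ports in knock_sequences(flows, length, window):
        if all(support[p] <= max_support for p in ports):
            seen[ports] += 1
    return {ports: n for ports, n in seen.items() if n >= min_count}


if __name__ == "__main__":
    print(rare_associations(FLOWS))  # {(7001, 7002, 7003): 2}
```

Each port of the flagged sequence has support 2/67, far below the common ports, yet the ordered triple recurs, which is exactly the joint rare event the abstract targets; the lone port 9000 stays unflagged because it never co-occurs with other rare ports.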

Contributor: Hal Ifip
Submitted on: Friday, June 2, 2017 - 11:23:14 AM
Last modification on: Friday, June 2, 2017 - 11:25:02 AM
Long-term archiving on: Wednesday, December 13, 2017 - 10:02:42 AM




Distributed under a Creative Commons Attribution 4.0 International License



Stefan Hommes, Radu State, Thomas Engel. Detecting Stealthy Backdoors with Association Rule Mining. 11th International Networking Conference (NETWORKING), May 2012, Prague, Czech Republic. pp.161-171, ⟨10.1007/978-3-642-30054-7_13⟩. ⟨hal-01531956⟩


