Detecting Stealthy Backdoors with Association Rule Mining

Abstract: In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to the problem of finding rare associations. We have implemented a prototype and present experimental results on its performance and underlying functioning.
Document type:
Conference paper
Robert Bestak; Lukas Kencl; Li Erran Li; Joerg Widmer; Hao Yin. 11th International Networking Conference (NETWORKING), May 2012, Prague, Czech Republic. Springer, Lecture Notes in Computer Science, LNCS-7290 (Part II), pp.161-171, 2012, NETWORKING 2012. 〈10.1007/978-3-642-30054-7_13〉

Cited literature [17 references]

https://hal.inria.fr/hal-01531956
Contributor: Hal Ifip
Submitted on: Friday 2 June 2017 - 11:23:14
Last modified on: Friday 2 June 2017 - 11:25:02
Long-term archiving on: Wednesday 13 December 2017 - 10:02:42

File

978-3-642-30054-7_13_Chapter.p...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Citation

Stefan Hommes, Radu State, Thomas Engel. Detecting Stealthy Backdoors with Association Rule Mining. Robert Bestak; Lukas Kencl; Li Erran Li; Joerg Widmer; Hao Yin. 11th International Networking Conference (NETWORKING), May 2012, Prague, Czech Republic. Springer, Lecture Notes in Computer Science, LNCS-7290 (Part II), pp.161-171, 2012, NETWORKING 2012. 〈10.1007/978-3-642-30054-7_13〉. 〈hal-01531956〉
