Reference : Detecting Stealthy Backdoors with Association Rule Mining
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/7679
Detecting Stealthy Backdoors with Association Rule Mining
English
Hommes, Stefan [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
State, Radu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Engel, Thomas [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
2012
IFIP Networking 2012
Springer
161-171
Yes
978-3-642-30044-8
Networking
2012
Prague
Czech Republic
[en] backdoor ; association rule mining ; cd00r
[en] In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
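The reduction sketched in the abstract (a knock is a set of ports that are each individually rare in the traffic but show up together) can be illustrated in code. The following is an added example, not the authors' prototype: the page gives neither its design nor its data, so the flow records, the 30-second window, the support threshold, and the use of lift (observed joint count divided by the count expected under independence) as the "surprise" measure are all assumptions made here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from itertools import combinations
from math import prod

WINDOW_SECONDS = 30  # assumption: one activation's knocks arrive within 30 s

# Constructed sample flow records (not from the paper): (t, src, dst, dport).
FLOWS = []
# 30 ordinary clients, each doing a DNS lookup and an HTTPS connection.
for i in range(30):
    FLOWS.append((i * 60, f"192.168.1.{i + 1}", "10.0.0.50", 53))
    FLOWS.append((i * 60 + 1, f"192.168.1.{i + 1}", "10.0.0.50", 443))
# 10.0.0.7 activates the backdoor twice; the knock order is permuted the second time.
FLOWS += [
    (100, "10.0.0.7", "10.0.0.50", 1123),
    (101, "10.0.0.7", "10.0.0.50", 2894),
    (102, "10.0.0.7", "10.0.0.50", 7213),
    (900, "10.0.0.7", "10.0.0.50", 7213),
    (901, "10.0.0.7", "10.0.0.50", 1123),
    (902, "10.0.0.7", "10.0.0.50", 2894),
]
# Isolated hits on the same ports from other hosts (scanner noise): each port
# alone is unremarkable, only the joint occurrence is.
FLOWS += [
    (300, "10.0.0.9", "10.0.0.50", 1123),
    (410, "10.0.0.12", "10.0.0.50", 7213),
]


@dataclass
class RareAssociation:
    itemset: tuple
    count: int
    lift: float
    sources: set


def build_transactions(flows, window=WINDOW_SECONDS):
    """Group flows by (src, dst) and cut each pair's timeline into windows.
    A transaction is the set of destination ports touched in one window; the
    order is deliberately discarded so permuted knock sequences still match."""
    by_pair = defaultdict(list)
    for t, src, dst, dport in flows:
        by_pair[(src, dst)].append((t, dport))
    transactions = []  # (pair, frozenset of ports)
    for pair, events in by_pair.items():
        events.sort()
        start, ports = None, set()
        for t, dport in events:
            if start is not None and t - start > window:
                transactions.append((pair, frozenset(ports)))
                start, ports = None, set()
            if start is None:
                start = t
            ports.add(dport)
        if ports:
            transactions.append((pair, frozenset(ports)))
    return transactions


def find_rare_associations(transactions, max_single_support=0.1,
                           min_size=3, min_lift=10.0):
    """Report port itemsets of size >= min_size whose members are each rare
    (support <= max_single_support) yet co-occur far more often than
    independence predicts (lift >= min_lift)."""
    n = len(transactions)
    port_count = Counter(p for _, ports in transactions for p in ports)
    support = {p: c / n for p, c in port_count.items()}
    rare = {p for p, s in support.items() if s <= max_single_support}

    itemset_count = Counter()
    itemset_sources = defaultdict(set)
    for pair, ports in transactions:
        rare_ports = sorted(ports & rare)  # only rare ports can form a candidate
        for k in range(min_size, len(rare_ports) + 1):
            for combo in combinations(rare_ports, k):
                itemset_count[combo] += 1
                itemset_sources[combo].add(pair)

    results = []
    for combo, count in itemset_count.items():
        expected = n * prod(support[p] for p in combo)  # count if ports were independent
        lift = count / expected
        if lift >= min_lift:
            results.append(RareAssociation(combo, count, lift, itemset_sources[combo]))
    results.sort(key=lambda r: r.lift, reverse=True)
    return results


if __name__ == "__main__":
    for r in find_rare_associations(build_transactions(FLOWS)):
        print(f"ports {r.itemset}: seen {r.count}x, lift {r.lift:.0f}, "
              f"from {sorted(r.sources)}")
```

On this constructed input the only reported association is the triple (1123, 2894, 7213) from 10.0.0.7, seen twice with a lift above 100, while the single stray hits on 1123 and 7213 from other hosts never reach the minimum itemset size. Dropping the order of the knocks is what makes the detector indifferent to the "varying port sequences" the abstract mentions; changing the port values themselves still evades it only if the new ports are common enough in the background traffic to exceed the single-port support threshold.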
7290
Lecture Notes in Computer Science
Lect Notes Comput Sci
1611-3349
0302-9743

File(s) associated to this reference
Fulltext file: 72900161.pdf (publisher postprint, 173.84 kB), limited access: request a copy


All documents in ORBilu are protected by a user license.