Detecting Stealthy Backdoors with Association Rule Mining

Hommes, Stefan; State, Radu; Engel, Thomas

Reference : Detecting Stealthy Backdoors with Association Rule Mining


	Document type :	Scientific congresses, symposiums and conference proceedings : Paper published in a book
	Discipline(s) :	Engineering, computing & technology : Computer science
	To cite this reference:	http://hdl.handle.net/10993/7679

Title :	Detecting Stealthy Backdoors with Association Rule Mining
Language :	English
Author, co-author :	Hommes, Stefan [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	State, Radu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
	Engel, Thomas [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC) >]
Publication date :	2012
Main document title :	IFIP Networking 2012
Publisher :	Springer
Pages :	161-171
Peer reviewed :	Yes
ISBN :	978-3-642-30044-8
Event name :	Networking
Event date :	2012
Event place (city) :	Prague
Event country :	Czech Republic
Keywords :	[en] backdoor ; association rule mining ; cd00r
Abstract :	[en] In this paper we describe a practical approach for detecting a class of backdoor communication channel that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based ap- proaches are not appropriate, whilst more advanced statistics-based test- ing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect se- quences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that search- ing for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some ex- perimental results on its performance and underlying functioning.
Permalink :	http://hdl.handle.net/10993/7679
Commentary :	7290 Lecture Notes in Computer Science Lect Notes Comput Sci 1611-3349 0302-9743

File(s) associated to this reference

Fulltext file(s):

	File	Commentary	Version	Size	Access
Limited access	72900161.pdf		Publisher postprint	173.84 kB	Request a copy

All documents in ORBi^lu are protected by a user license.

University of Luxembourg Library | Feedback | Legal notices