Reference : Detecting Stealthy Backdoors with Association Rule Mining
Scientific congresses, symposiums and conference proceedings : Paper published in a book
Engineering, computing & technology : Computer science
Detecting Stealthy Backdoors with Association Rule Mining
Hommes, Stefan [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
State, Radu [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)]
Engel, Thomas [University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)]
IFIP Networking 2012
Czech Republic
[en] backdoor ; association rule mining ; cd00r
[en] In this paper we describe a practical approach for detecting a class of backdoor communication channels that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
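The detection idea of the abstract, as an added example that is not code from the paper: each destination port is rare on its own, but the same source hitting several rare ports within a short time window is a rare association worth flagging. The connection records, the support threshold, the window size and the minimum knock count are all constructed assumptions for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample connection records: (timestamp_seconds, source_ip, dst_port).
# Common ports dominate; one source (10.0.0.42) hits three rare ports within seconds,
# while other sources touch a rare port only in isolation.
RECORDS = [
    (0, "10.0.0.5", 80), (1, "10.0.0.6", 443), (2, "10.0.0.7", 80), (3, "10.0.0.5", 443),
    (4, "10.0.0.8", 22), (5, "10.0.0.6", 80), (6, "10.0.0.9", 443), (7, "10.0.0.7", 22),
    (8, "10.0.0.5", 80), (9, "10.0.0.6", 443), (10, "10.0.0.8", 80), (11, "10.0.0.9", 80),
    (12, "10.0.0.7", 443), (13, "10.0.0.5", 22), (14, "10.0.0.6", 80), (15, "10.0.0.8", 443),
    (20, "10.0.0.9", 1111),                      # isolated rare port, no sequence
    (40, "10.0.0.5", 80), (41, "10.0.0.6", 443),
    (60, "10.0.0.42", 1111), (61, "10.0.0.42", 2222), (63, "10.0.0.42", 3333),  # knock-like
    (64, "10.0.0.42", 22), (70, "10.0.0.7", 80), (90, "10.0.0.8", 2222),
]

def port_support(records):
    """Support of each destination port: fraction of all records that target it."""
    counts = Counter(port for _, _, port in records)
    total = len(records)
    return {port: n / total for port, n in counts.items()}

def find_knock_candidates(records, max_support=0.10, window=30, min_knocks=3):
    """Return [(src, [(ts, port), ...], joint_support)] for every source that hits
    at least `min_knocks` distinct rare ports within `window` seconds. A port is
    rare when its support is at most `max_support`; joint_support is the product
    of the individual supports, i.e. how unlikely the association is by chance."""
    support = port_support(records)
    rare = {p for p, s in support.items() if s <= max_support}
    by_src = defaultdict(list)
    for ts, src, port in sorted(records):          # chronological per source
        if port in rare:
            by_src[src].append((ts, port))
    candidates = []
    for src, hits in by_src.items():
        i = 0
        while i < len(hits):
            j = i                                   # extend window from hit i
            while j + 1 < len(hits) and hits[j + 1][0] - hits[i][0] <= window:
                j += 1
            seq = hits[i:j + 1]
            if len({p for _, p in seq}) >= min_knocks:
                joint = 1.0
                for _, p in seq:
                    joint *= support[p]
                candidates.append((src, seq, joint))
            i = j + 1
    return candidates
```

Tuning `max_support` and `window` to the monitored network is what separates a knock-like association from ordinary scanning noise; the isolated rare hits from 10.0.0.9 and 10.0.0.8 are deliberately not reported.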
Lecture Notes in Computer Science
Lect Notes Comput Sci
