Reference: Detecting Stealthy Backdoors with Association Rule Mining
Document type: Scientific congresses, symposiums and conference proceedings: Paper published in a book
Discipline: Engineering, computing & technology: Computer science
Permalink: http://hdl.handle.net/10993/7679
Title: Detecting Stealthy Backdoors with Association Rule Mining
Language: English
Authors: Hommes, Stefan; State, Radu; Engel, Thomas
Publication year: 2012
Book title: IFIP Networking 2012
Publisher: Springer
Pages: 161-171
Peer reviewed: Yes
ISBN: 978-3-642-30044-8
Event: Networking, 2012, Prague, Czech Republic
Keywords: backdoor; association rule mining; cd00r
Abstract: In this paper we describe a practical approach for detecting a class of backdoor communication channels that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
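The reduction stated in the abstract, port knocking as a rare association, shown as an added worked example; this is not the authors' prototype or code from the paper. It assumes connection records as (time, src, dst, dport) tuples, a fixed knock window (WINDOW), a transaction support ceiling for "rare" ports (RARE_MAX) and a minimum itemset size (MIN_KNOCKS); the sample traffic is constructed, with twenty ordinary clients, one lone hit on an unusual port, and two hosts that each send the same three-port knock.

```python
"""Port knocking as a rare association: an added illustration, not the
authors' prototype.  A transaction is the list of distinct destination
ports that one source touches on one destination inside WINDOW seconds.
A port is a rare item when its transaction support is at most RARE_MAX; a
transaction holding at least MIN_KNOCKS rare items is reported as a
candidate knock sequence together with the support of that rare itemset
(the association itself).
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

Record = Tuple[float, str, str, int]        # (unix_time, src_ip, dst_ip, dst_port)
Transaction = Tuple[str, str, List[int]]    # (src_ip, dst_ip, ports in time order)

WINDOW = 5.0      # seconds: knocks of one sequence must fall inside this span (assumed)
RARE_MAX = 0.15   # transaction support at or below this makes a port a rare item (assumed)
MIN_KNOCKS = 3    # rare items needed before a transaction is reported (assumed)


def build_sample() -> List[Record]:
    """Constructed sample traffic, not a capture."""
    records: List[Record] = []
    # 20 ordinary clients, one connection each to a common service
    for i in range(20):
        records.append((i * 10.0, f"10.0.0.{i + 1}", "192.0.2.10", (80, 443, 22)[i % 3]))
    # a single hit on a rarely used port: a rare event, but no association
    records.append((150.0, "10.0.0.30", "192.0.2.10", 7000))
    # two hosts sending the same three-port knock within 1.4 seconds
    for base, src in ((300.0, "10.0.0.99"), (600.0, "10.0.0.42")):
        records += [(base, src, "192.0.2.10", 7000),
                    (base + 0.7, src, "192.0.2.10", 8000),
                    (base + 1.4, src, "192.0.2.10", 9000)]
    return records


def transactions(records: List[Record], window: float = WINDOW) -> List[Transaction]:
    """Split every (src, dst) stream into windowed, time-ordered port lists."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for t, src, dst, port in records:
        by_pair[(src, dst)].append((t, port))
    out: List[Transaction] = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        start, ports = hits[0][0], []
        for t, port in hits:
            if t - start > window:            # window closed: emit it and open a new one
                out.append((src, dst, ports))
                start, ports = t, []
            if port not in ports:             # itemset semantics: each port counted once
                ports.append(port)
        out.append((src, dst, ports))
    return out


def item_support(txs: List[Transaction]) -> Dict[int, float]:
    """Fraction of transactions in which each port occurs."""
    counts = Counter(port for _, _, ports in txs for port in ports)
    return {port: c / len(txs) for port, c in counts.items()}


def find_knock_candidates(records: List[Record], window: float = WINDOW,
                          rare_max: float = RARE_MAX, min_knocks: int = MIN_KNOCKS):
    """Return transactions whose rare ports form an itemset of size >= min_knocks."""
    txs = transactions(records, window)
    support = item_support(txs)
    rare = {port for port, s in support.items() if s <= rare_max}
    hits = []
    for src, dst, ports in txs:
        sequence = [p for p in ports if p in rare]
        if len(sequence) < min_knocks:
            continue
        itemset = set(sequence)
        # support of the rare itemset itself: transactions containing all of its ports
        joint = sum(1 for _, _, other in txs if itemset <= set(other))
        hits.append({
            "src": src, "dst": dst, "sequence": sequence,
            "item_support": [round(support[p], 3) for p in sequence],
            "itemset_support": round(joint / len(txs), 3),
        })
    return hits


if __name__ == "__main__":
    for hit in find_knock_candidates(build_sample()):
        print(hit)
```

On the constructed sample the two knocking hosts are reported with the sequence [7000, 8000, 9000], while the lone hit on port 7000 is not: it is a rare event but not a joint occurrence of several rare events, which is the distinction the abstract draws. The thresholds are the weak point in practice; RARE_MAX has to be set from a baseline of the monitored network, and a knocker who reuses ports that are common on that network will not appear as rare items at all.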
Series: Lecture Notes in Computer Science, vol. 7290 (ISSN 0302-9743, e-ISSN 1611-3349)