Abstract :
[en] In this paper we describe a practical approach for detecting a class of backdoor communication channel that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based ap- proaches are not appropriate, whilst more advanced statistics-based test- ing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect se- quences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that search- ing for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some ex- perimental results on its performance and underlying functioning.
Scopus citations®
without self-citations
2