In this paper we describe a practical approach for detecting a class of backdoor communication channel that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that searching for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some experimental results on its performance and underlying functioning.
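To make the reduction concrete, the following is an added Python example (not the authors' prototype) that mines rare associations from a constructed firewall log: each source host's set of contacted destination ports is one transaction, ports that are individually rare are the candidate items, and a port set is reported when those rare ports almost always occur together. The log format, the host and port values and the thresholds are assumptions of this example.

```python
import re
from itertools import combinations
from collections import defaultdict

# Constructed perimeter log (sample data for this example, not the paper's):
# every "src=... dport=..." pair is one connection attempt seen by the firewall.
LOG = """
src=10.0.0.1 dport=80   src=10.0.0.1 dport=443  src=10.0.0.2 dport=80
src=10.0.0.2 dport=443  src=10.0.0.2 dport=8080 src=10.0.0.3 dport=80
src=10.0.0.3 dport=53   src=10.0.0.4 dport=443  src=10.0.0.4 dport=80
src=10.0.0.5 dport=80   src=10.0.0.5 dport=7000 src=10.0.0.5 dport=8000
src=10.0.0.5 dport=9000 src=10.0.0.5 dport=22   src=10.0.0.6 dport=443
src=10.0.0.6 dport=7000 src=10.0.0.6 dport=8000 src=10.0.0.6 dport=9000
src=10.0.0.6 dport=22   src=10.0.0.7 dport=80   src=10.0.0.7 dport=3306
src=10.0.0.8 dport=80   src=10.0.0.8 dport=443  src=10.0.0.9 dport=80
src=10.0.0.10 dport=443
"""

def transactions(log):
    """One transaction per source host: the set of destination ports it touched."""
    tx = defaultdict(set)
    for src, dport in re.findall(r"src=(\S+) dport=(\d+)", log):
        tx[src].add(int(dport))
    return list(tx.values())

def rare_associations(tx, max_support=0.25, min_count=2, min_cooccur=0.9, max_len=4):
    """Return maximal port sets whose members are each rare (support <= max_support)
    yet are contacted together by almost every host that touches any of them."""
    n = len(tx)
    count = defaultdict(int)
    for ports in tx:
        for p in ports:
            count[p] += 1
    # Rare items: individually uncommon, but seen at least min_count times so that
    # a single stray connection cannot by itself produce a "rule".
    rare = sorted(p for p, c in count.items() if c >= min_count and c / n <= max_support)
    found = {}
    for k in range(2, max_len + 1):
        for combo in combinations(rare, k):
            joint = sum(1 for ports in tx if set(combo) <= ports)
            # Joint occurrence relative to the most frequent member: close to 1.0
            # means the rare ports almost never appear without each other.
            cooccur = joint / max(count[p] for p in combo)
            if joint >= min_count and cooccur >= min_cooccur:
                found[combo] = cooccur
    # Keep only maximal sets: drop any set contained in a larger reported set.
    return {s: c for s, c in found.items() if not any(set(s) < set(o) for o in found)}

if __name__ == "__main__":
    for ports, score in rare_associations(transactions(LOG)).items():
        print(f"rare association {ports}: co-occurrence {score:.2f}")
```

On the constructed log the common ports 80 and 443 are discarded as frequent, the one-off ports 53, 8080 and 3306 fall below the minimum count, and the only rare association reported is the knock sequence ports 7000, 8000, 9000 together with the port 22 they unlock.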
Disciplines :
Computer science
Identifiers :
UNILU:UL-CONFERENCE-2012-144
Author, co-author :
Hommes, Stefan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
State, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
Engel, Thomas ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)
Language :
English
Title :
Detecting Stealthy Backdoors with Association Rule Mining