Detecting Stealthy Backdoors with Association Rule Mining

Hommes, Stefan; State, Radu; Engel, Thomas

Request a copy

Paper published in a book (Scientific congresses, symposiums and conference proceedings)

Detecting Stealthy Backdoors with Association Rule Mining

Hommes, Stefan; State, Radu; Engel, Thomas

2012 • In IFIP Networking 2012

Peer reviewed

Permalink
https://hdl.handle.net/10993/7679

Files (1)Send to Details Statistics Bibliography Similar publications

Files

Full Text

72900161.pdf

Publisher postprint (178.01 kB)

Request a copy

All documents in ORBilu are protected by a user license.

Send to

RIS BibTex APA Chicago Permalink X Linkedin

Details

Keywords :

backdoor; association rule mining; cd00r

Abstract :

[en] In this paper we describe a practical approach for detecting a class of backdoor communication channel that relies on port knocking in order to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because of varying port sequences and easily modifiable port values. Simple signature-based ap- proaches are not appropriate, whilst more advanced statistics-based test- ing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect se- quences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare. We show that search- ing for port knocking sequences can be reduced to a problem of finding rare associations. We have implemented a prototype and show some ex- perimental results on its performance and underlying functioning.

Disciplines :

Computer science

Identifiers :

UNILU:UL-CONFERENCE-2012-144

Author, co-author :

Hommes, Stefan ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

State, Radu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)

Engel, Thomas ; University of Luxembourg > Faculty of Science, Technology and Communication (FSTC) > Computer Science and Communications Research Unit (CSC)

Language :

English

Title :

Detecting Stealthy Backdoors with Association Rule Mining

Publication date :

2012

Event name :

Networking

Event place :

Prague, Czechia

Event date :

2012

Main work title :

IFIP Networking 2012

Publisher :

Springer

ISBN/EAN :

978-3-642-30044-8

Pages :

161-171

Peer reviewed :

Peer reviewed

Commentary :

7290 Lecture Notes in Computer Science Lect Notes Comput Sci 1611-3349 0302-9743

Available on ORBilu :

since 06 October 2013

Statistics

Number of views

126 (6 by Unilu)

Number of downloads

2 (0 by Unilu)

More statistics

Scopus citations^®

Scopus citations^®
without self-citations

Bibliography

Agrawal, R., Imieliński, T., Swami, A.: Mining association rules between sets of items in large databases. In: Proceedings of the 1993 ACM SIGMOD International Conference on Management of Data, pp. 207-216. ACM (1993)
FunOverIP: cd00r knocking backdoor, improved (2011), http://funoverip. net/2011/03/cd00r-knocking-backdoor-improved/
Hahsler, M.: A model-based frequency constraint for mining associations from transaction data. Data Min. Knowl. Discov. 13, 137-166 (2006)
Hay, G.: Extending the packet coded backdoor server to netcat relays on relatively high-bandwidth home networks. Tech. rep., SANS (2001)
Jonathan, Y.: Use port knocking to bypass firewall rules and keep security intact (2005), http://www.techrepublic.com/article/use-port-knocking- to-bypassfirewall-rules-and-keep-security-intact/5798871
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the IEEE Symposium on Security and Privacy (2004)
Koh, Y.S., Rountree, N.: Finding Sporadic Rules Using Apriori-Inverse. In: Ho, T.- B., Cheung, D., Liu, H. (eds.) PAKDD 2005. LNCS (LNAI), vol. 3518, pp. 97-106. Springer, Heidelberg (2005)
Koh, Y.S., Rountree, N.: Rare Association Rule Mining and Knowledge Discovery: Technologies for Infrequent and Critical Event Detection. Information Science Reference - Imprint of: IGI Publishing, Hershey (2009)
Liu, B., Hsu, W., Ma, Y.: Mining association rules with multiple minimum supports. In: Knowledge Discovery and Data Mining, pp. 337-341 (1999)
Mahoney, M., Mahoney, M.V., Chan, P.K.: Learning rules for anomaly detection of hostile network traffic. In: Proc. of International Conference on Data Mining (ICDM), pp. 601-604 (2003)
Marchetti, M., Colajanni, M., Manganiello, F.: Identification of correlated network intrusion alerts. In: Proc. of the 3rd IEEE International Workshop on Cyberspace Safety and Security (CSS 2011) (2011)
Miklosovic, S.: Pa018 - term project - port knocking enhancements (2011), http://www.portknocking.org/view/resources
Nyberg, C.M.: Sadoor, http://packetstormsecurity.org/UNIX/penetration/ rootkits/index7.html
Phenoelit: cd00r.c - packet coded backdoor (2000), http://www.phenoelit- us.org/stuff/cd00r.c
Schechter, S.E., Jung, J., Berger, A.W.: Fast Detection of Scanning Worm Infections. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 59-81. Springer, Heidelberg (2004) (Pubitemid 39741888)
Valdes, A., Skinner, K.: Adaptive, Model-Based Monitoring for Cyber Attack Detection. In: Debar, H., M'e, L., Wu, S.F. (eds.) RAID 2000. LNCS, vol. 1907, pp. 80-92. Springer, Heidelberg (2000)
Wu, X., Zhang, C., Zhang, S.: Efficient mining of both positive and negative association rules. ACM Trans. Inf. Syst. 22, 381-405 (2004)