%0 Conference Proceedings
%T Detecting Stealthy Backdoors with Association Rule Mining
%+ Security, Reliability and Trust Interdisciplinary Research Centre (S'nT)
%A Hommes, Stefan
%A State, Radu
%A Engel, Thomas
%Z Part 4: Security
%< peer-reviewed
%( Lecture Notes in Computer Science
%B 11th International Networking Conference (NETWORKING)
%C Prague, Czech Republic
%Y Robert Bestak
%Y Lukas Kencl
%Y Li Erran Li
%Y Joerg Widmer
%Y Hao Yin
%I Springer
%3 NETWORKING 2012
%V LNCS-7290
%N Part II
%P 161-171
%8 2012-05-21
%D 2012
%R 10.1007/978-3-642-30054-7_13
%K backdoor
%K association rule mining
%K cd00r
%Z Computer Science [cs]
%Z Computer Science [cs]/Networking and Internet Architecture [cs.NI]Conference papers
%X In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, and more advanced statistics-based testing does not work because the data is missing or incomplete. We leverage techniques from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare on its own. We show that searching for port knocking sequences can be reduced to the problem of finding rare associations. We have implemented a prototype and present experimental results on its performance and underlying functioning.
%G English
%Z TC 6
%2 https://inria.hal.science/hal-01531956/document
%2 https://inria.hal.science/hal-01531956/file/978-3-642-30054-7_13_Chapter.pdf
%L hal-01531956
%U https://inria.hal.science/hal-01531956
%~ IFIP-LNCS
%~ IFIP
%~ IFIP-TC
%~ IFIP-TC6
%~ IFIP-LNCS-7290
%~ IFIP-NETWORKING
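The abstract's core idea, a knock sequence being a joint occurrence of several individually rare events, can be illustrated on a flow log. The script below is an added example written for this page; it is not the authors' prototype and does not claim to reproduce its mining algorithm. It assumes that packets are grouped into transactions per (source, destination) pair split at a 5 s idle gap, that a port is "rare" when it appears in at most 20% of transactions, that a candidate knock must recur in at least three transactions, and it uses a constructed flow log with an assumed knock sequence 7000 -> 8000 -> 9000 (cd00r's real default ports are not used here). The "lift" it prints is the observed joint count divided by the count expected if the rare ports occurred independently, which is what separates a knock from unrelated one-off scans.

```python
"""Rare-association mining over a constructed flow log (added example, not the paper's code)."""
from collections import Counter
from itertools import combinations

SERVER = "192.0.2.10"          # assumed victim host (TEST-NET address)
KNOCK = (7000, 8000, 9000)     # assumed knock sequence for the demo, not cd00r's defaults


def constructed_flows():
    """Deterministic, constructed records: (time_s, src_ip, dst_ip, dst_port)."""
    flows = []
    # 14 ordinary clients, each one short session to the server's web ports.
    for i in range(14):
        src, t = f"10.0.0.{i + 1}", 10.0 * i
        flows.append((t, src, SERVER, 80))
        if i % 2 == 0:
            flows.append((t + 0.2, src, SERVER, 443))
    # One-off rare ports: rare individually, but they never recur together.
    flows += [(141.0, "10.0.0.20", SERVER, 22),
              (142.0, "10.0.0.21", SERVER, 8080),
              (143.0, "10.0.0.22", SERVER, 8080),
              (144.0, "10.0.0.22", SERVER, 8443)]
    # Three knock sequences from three different sources, minutes apart.
    for j, src in enumerate(["10.0.0.50", "10.0.0.51", "10.0.0.52"]):
        t = 200.0 + 60.0 * j
        flows += [(t + 0.3 * k, src, SERVER, port) for k, port in enumerate(KNOCK)]
    # A returning client: far enough from its first visit to form a new session.
    flows.append((400.0, "10.0.0.1", SERVER, 80))
    return flows


def sessionize(flows, gap=5.0):
    """Group packets into transactions: one per (src, dst) pair, split at idle gaps.

    Each transaction is the list of distinct destination ports in time order.
    """
    transactions = []
    open_sessions = {}  # (src, dst) -> [last_time, ports]
    for t, src, dst, port in sorted(flows):
        state = open_sessions.get((src, dst))
        if state is None or t - state[0] > gap:
            ports = []
            transactions.append(ports)
            open_sessions[(src, dst)] = [t, ports]
        else:
            ports = state[1]
            state[0] = t
        if port not in ports:
            ports.append(port)
    return transactions


def port_support(transactions):
    """Fraction of transactions in which each destination port occurs."""
    counts = Counter(p for ports in transactions for p in set(ports))
    n = len(transactions)
    return {p: c / n for p, c in counts.items()}


def rare_associations(transactions, max_port_support=0.2, min_joint_count=3, k=3):
    """Find ordered k-tuples of individually rare ports that recur across transactions."""
    n = len(transactions)
    support = port_support(transactions)
    rare = {p for p, s in support.items() if s <= max_port_support}
    joint = Counter()
    for ports in transactions:
        rare_in_order = [p for p in ports if p in rare]
        # combinations() preserves the transaction's time order, so each tuple
        # is a candidate knock *sequence*, not merely a set of ports.
        joint.update(combinations(rare_in_order, k))
    results = []
    for seq, count in joint.items():
        if count < min_joint_count:
            continue
        expected = n
        for p in seq:
            expected *= support[p]      # joint count expected under independence
        results.append({"sequence": seq, "count": count,
                        "expected": expected, "lift": count / expected})
    results.sort(key=lambda r: -r["lift"])
    return results


if __name__ == "__main__":
    for r in rare_associations(sessionize(constructed_flows())):
        print(f"candidate knock {r['sequence']}: seen {r['count']}x, "
              f"expected {r['expected']:.3f} under independence, lift {r['lift']:.1f}")
```

On this constructed log the only surviving triple is (7000, 8000, 9000): each port sits in 3 of 21 transactions, so under independence the triple would be expected about 0.06 times, yet it is observed three times. The one-off ports 22, 8080 and 8443 are just as rare but never recur as a group, so they produce no candidate. Two practitioner caveats: the idle gap and support thresholds are environment-specific and must be tuned against benign traffic, and an attacker can pad a knock with popular ports (80, 443) so that some elements are no longer rare, which is why a deployed detector would mine subsequences rather than require every knock element to be rare.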