Detecting Stealthy Backdoors with Association Rule Mining

Citations: 0
Authors
Hommes, Stefan [1]
State, Radu [1]
Engel, Thomas [1]
Affiliations
[1] Univ Luxembourg, SnT, 6 Rue R. Coudenhove Kalergi, L-1359 Luxembourg, Luxembourg
Source
NETWORKING 2012, PT II | 2012 / Vol. 7290
Keywords
backdoor; association rule mining; cd00r;
DOI
Not available
Chinese Library Classification
TP3 [Computing technology, computer technology];
Discipline code
0812 ;
Abstract
In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are easily modified. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing will not work because of missing and incomplete data. We leverage techniques derived from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare on its own. We show that searching for port knocking sequences can be reduced to the problem of finding rare associations. We have implemented a prototype and show experimental results on its performance and underlying functioning.
Pages: 161 / 171
Page count: 11