International Conference on Research in Networking

NETWORKING 2012, pp 161–171
Detecting Stealthy Backdoors with Association Rule Mining

Conference paper

Stefan Hommes, Radu State & Thomas Engel

Part of the Lecture Notes in Computer Science book series (LNCCN, volume 7290)

Abstract

In this paper we describe a practical approach for detecting a class of backdoor communication channels that rely on port knocking to activate a backdoor on a remote compromised system. Detecting such activation sequences is extremely challenging because the port sequences vary and the port values are trivially changed. Simple signature-based approaches are not appropriate, whilst more advanced statistics-based testing does not work because of missing and incomplete data. We leverage techniques from the data mining community designed to detect sequences of rare events. Simply stated, a sequence of rare events is the joint occurrence of several events, each of which is rare on its own. We show that searching for port knocking sequences can be reduced to the problem of finding rare associations. We have implemented a prototype and show experimental results on its performance and underlying functioning.
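The reduction described in the abstract, as an added example that is not the paper's prototype: flow records are grouped into per-(source, destination) sessions, each session becomes a transaction of destination ports, and, in the Apriori-Inverse spirit, only itemsets whose members are each individually rare (support at or below MAX_SUPPORT) yet recur together (at least MIN_COUNT sessions) with high co-occurrence confidence are kept. The flow records, the thresholds, the target address and the hypothetical knock sequence 7000, 8000, 9000 followed by a shell port 31337 are constructed assumptions for illustration, not data or parameters from the paper.

```python
"""Rare-association mining over flow records to surface port-knock sequences.

Added illustration, not the paper's prototype: every threshold, flow record
and port number below is a constructed assumption.
"""
from collections import Counter, defaultdict
from itertools import combinations

SESSION_GAP = 5.0      # seconds of silence that closes a (src, dst) session
MAX_SUPPORT = 0.10     # a port is "rare" if it occurs in <= 10% of sessions
MIN_COUNT = 2          # a rare itemset must still recur in this many sessions
MIN_CONFIDENCE = 0.9   # members must co-occur almost every time they appear

TARGET = "10.0.0.5"    # assumed monitored host


def constructed_flows():
    """Constructed sample flows (time, src, dst, dst_port): benign web/ssh
    clients, two knock sequences 7000 -> 8000 -> 9000 -> 31337 from two
    different sources, and two isolated one-off probes of high ports."""
    flows = []
    for i in range(20):                      # 20 benign client sessions
        src, t = f"10.0.0.{10 + i}", float(i * 10)
        flows.append((t, src, TARGET, (80, 443, 22)[i % 3]))
        if i % 4 == 0:                       # some clients touch a second port
            flows.append((t + 0.5, src, TARGET, 443))
    for t0, src in ((50.0, "192.0.2.7"), (300.0, "198.51.100.9")):
        for dt, port in ((0.0, 7000), (0.4, 8000), (0.9, 9000), (2.0, 31337)):
            flows.append((t0 + dt, src, TARGET, port))
    flows += [(400.0, "10.0.0.30", TARGET, 8080), (500.0, "10.0.0.31", TARGET, 5900)]
    return flows


def sessions(flows, gap=SESSION_GAP):
    """Split flows into (src, dst, ordered_ports) sessions: consecutive flows
    of one pair closer than `gap` seconds belong to the same session."""
    by_pair = defaultdict(list)
    for t, src, dst, port in sorted(flows):
        by_pair[(src, dst)].append((t, port))
    out = []
    for (src, dst), events in by_pair.items():
        cur, last = [], None
        for t, port in events:
            if last is not None and t - last > gap:
                out.append((src, dst, cur))
                cur = []
            cur.append(port)
            last = t
        out.append((src, dst, cur))
    return out


def rare_itemsets(sess, max_support=MAX_SUPPORT, min_count=MIN_COUNT,
                  min_conf=MIN_CONFIDENCE):
    """Apriori-Inverse style search: start from individually rare ports and
    grow only those itemsets that keep recurring together.
    Returns {frozenset(ports): (session_count, confidence)}."""
    txs = [frozenset(ports) for _, _, ports in sess]
    single = Counter(p for tx in txs for p in tx)
    rare = sorted(p for p, c in single.items() if c / len(txs) <= max_support)
    found = {}
    cands = {frozenset(c) for c in combinations(rare, 2)}
    while cands:
        counts = Counter(c for tx in txs for c in cands if c <= tx)
        kept = {}
        for c, cnt in counts.items():
            # confidence: how often each member's appearance is part of the set
            conf = min(cnt / single[p] for p in c)
            if cnt >= min_count and conf >= min_conf:
                kept[c] = (cnt, conf)
        found.update(kept)
        # Apriori-style join: only surviving k-itemsets seed (k+1)-candidates
        cands = {a | b for a in kept for b in kept if len(a | b) == len(a) + 1}
    return found


def knock_sequences(flows):
    """Report maximal rare itemsets together with the port order actually
    observed in the sessions that contain them."""
    sess = sessions(flows)
    found = rare_itemsets(sess)
    maximal = [s for s in found if not any(s < other for other in found)]
    report = []
    for itemset in maximal:
        orders, sources = Counter(), set()
        for src, _, ports in sess:
            if itemset <= set(ports):
                orders[tuple(p for p in ports if p in itemset)] += 1
                sources.add(src)
        cnt, conf = found[itemset]
        report.append({"sequence": orders.most_common(1)[0][0],
                       "sessions": cnt, "confidence": conf,
                       "sources": sorted(sources)})
    return report


if __name__ == "__main__":
    for hit in knock_sequences(constructed_flows()):
        print(hit)
```

A rare port touched once (the 8080 and 5900 probes) never reaches MIN_COUNT, and a rare port that never co-occurs with the others is pruned at the pair stage; that is what separates a recurring knock sequence from scanning noise. The thresholds have to be tuned against a site's own baseline, and an attacker who knocks only on ports that are already popular on the network sidesteps the rarity filter altogether.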

Keywords

  • backdoor
  • association rule mining
  • cd00r



Author information

Authors and Affiliations

  1. SnT, University of Luxembourg, 6, rue R. Coudenhove-Kalergi, L-1359, Luxembourg

    Stefan Hommes, Radu State & Thomas Engel


Editor information

Editors and Affiliations

  1. Department of Telecommunications Engineering, Czech Technical University in Prague, Technicka 2, 166 27, Prague 6, Czech Republic

    Robert Bestak & Lukas Kencl

  2. Bell Labs, Alcatel-Lucent, 600 Mountain Avenue, 07974-0636, Murray Hill, NJ, USA

    Li Erran Li

  3. Instituto IMDEA Networks, Avenida del Mar Mediterraneo 22, 28918, Leganes (Madrid), Spain

    Joerg Widmer

  4. Tsinghua-ChinaCache Joint Laboratory, Tsinghua University, FIT 3-429, Haidian District, 100016, Beijing, China

    Hao Yin


Copyright information

© 2012 IFIP International Federation for Information Processing

About this paper

Cite this paper

Hommes, S., State, R., Engel, T. (2012). Detecting Stealthy Backdoors with Association Rule Mining. In: Bestak, R., Kencl, L., Li, L.E., Widmer, J., Yin, H. (eds) NETWORKING 2012. NETWORKING 2012. Lecture Notes in Computer Science, vol 7290. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30054-7_13

  • DOI: https://doi.org/10.1007/978-3-642-30054-7_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30053-0

  • Online ISBN: 978-3-642-30054-7
