Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
Bro: a system for detecting network intruders in real-time
SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
An analysis of Internet chat systems
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Defeating Internet Attacks Using Risk Awareness and Active Honeypots
IWIA '04 Proceedings of the Second IEEE International Information Assurance Workshop (IWIA'04)
Accurate, scalable in-network identification of p2p traffic using application signatures
Proceedings of the 13th international conference on World Wide Web
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Web tap: detecting covert web traffic
Proceedings of the 11th ACM conference on Computer and communications security
The OSU Flow-tools Package and CISCO NetFlow Logs
LISA '00 Proceedings of the 14th USENIX conference on System administration
Secure coprocessor-based intrusion detection
EW 10 Proceedings of the 10th workshop on ACM SIGOPS European workshop
Mitigating denial of service attacks: a tutorial
Journal of Computer Security
Using visual motifs to classify encrypted traffic
Proceedings of the 3rd international workshop on Visualization for computer security
On Inferring Application Protocol Behaviors in Encrypted Network Traffic
The Journal of Machine Learning Research
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Timing analysis of keystrokes and timing attacks on SSH
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A chipset level network backdoor: bypassing host-based firewall & IDS
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Classifying SSH encrypted traffic with minimum packet header features using genetic programming
Proceedings of the 11th Annual Conference Companion on Genetic and Evolutionary Computation Conference: Late Breaking Papers
Traffic Behaviour Characterization Using NetMate
RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Statistical texture analysis methods for network traffic classification
AsiaCSN '07 Proceedings of the Fourth IASTED Asian Conference on Communication Systems and Networks
Machine learning based encrypted traffic classification: identifying SSH and skype
CISDA'09 Proceedings of the Second IEEE international conference on Computational intelligence for security and defense applications
Classification of packet contents for malware detection
Journal in Computer Virology
Enhancing network intrusion detection with integrated sampling and filtering
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
An information-theoretical approach to high-speed flow nature identification
IEEE/ACM Transactions on Networking (TON)
Hi-index | 0.00 |
Backdoors are often installed by attackers who have compromised a system to ease their subsequent return to the system. We consider the problem of identifying a large class of backdoors, namely those providing interactive access on non-standard ports, by passively monitoring a site's Internet access link. We develop a general algorithm for detecting interactive traffic based on packet size and timing characteristics, and a set of protocol-specific algorithms that look for signatures distinctive to particular protocols. We evaluate the algorithms on large Internet access traces and find that they perform quite well. In addition, some of the algorithms are amenable to prefiltering using a stateless packet filter, which yields a major performance increase at little or no loss of accuracy. However, the success of the algorithms is tempered by the discovery that large sites have many users who routinely access what are in fact benign backdoors, such as servers running on non-standard ports not to hide, but for mundane administrative reasons. Hence, backdoor detection also requires a significant policy component for separating allowable backdoor access from surreptitious access.