usenix conference policies
Detecting Backdoors
Backdoors are often installed by attackers who have compromised a system to ease their subsequent return to the system. We consider the problem of identifying a large class of backdoors, namely those providing interactive access on non-standard ports, by passively monitoring a site's Internet access link. We develop a general algorithm for detecting interactive traffic based on packet size and timing characteristics, and a set of protocol-specific alortithms that look for signatures distinctive to particular protocols. We evaluate the algorithms on large Internet access traces and find that they perform quite well. In addition, some of the algorithms are amenable to prefiltering using a stateless packet filter, which yields a major performance increase at little or no loss of accuracy. However, the success of the algorithms is tempered by the discovery that large sites have many users who routinely access what are in fact benign backdoors, such as servers running on non-standard ports not to hide, but for mundane administrative reasons. Hence, backdoor detection also requires a significant policy component for separating allowable backdoor access from surreptitious access.
author = {Yin Zhang and Vern Paxson},
title = {Detecting Backdoors},
booktitle = {9th USENIX Security Symposium (USENIX Security 00)},
year = {2000},
address = {Denver, CO},
url = {https://www.usenix.org/conference/9th-usenix-security-symposium/detecting-backdoors},
publisher = {USENIX Association},
month = aug
}
connect with us