• DocumentCode
    2084556
  • Title
    Automatic backdoor analysis with a network intrusion detection system and an integrated service checker
  • Author
    Juslin, Jukka; Virtanen, Teemupekka
  • Author_Institution
    Helsinki Univ. of Technol., Espoo, Finland
  • fYear
    2003
  • fDate
    18-20 June 2003
  • Firstpage
    122
  • Lastpage
    126
  • Abstract
    We examine how a network intrusion detection system can be used as a trigger for service checking and reporting. This approach reduces the number of false alerts (false positives) and raises the quality of the alert report. Sample data from the Christmas period of 2002 is analyzed as an example, with the detection of unauthorized SSH servers as the main application. Unauthorized interactive backdoors into a network belong to the most dangerous class of intrusions (D. Zamboni et al., 1998). These backdoors are usually installed by root-kits to hide the system compromise activity. They are a gateway for launching exploits, gaining super-user access to hosts in the internal network and using the attacked network as a stepping stone to attack other networks. In this research, we have developed software and performed statistical analysis to assess and prevent such situations.
  • Keywords
    alarm systems; authorisation; computer crime; computer networks; network servers; statistical analysis; telecommunication security; telecommunication traffic; alarm filtering; alert report; automatic backdoor analysis; false alert reduction; integrated service checker; network intrusion detection system; statistical analysis; super-user access; system compromise activity; unauthorized SSH server; unauthorized interactive backdoor; Automation; Computer worms; Electronic mail; Filtering; Intrusion detection; Intserv networks; Linux; Network servers; Statistical analysis; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Information Assurance Workshop, 2003. IEEE Systems, Man and Cybernetics Society
  • Print_ISBN
    0-7803-7808-3
  • Type
    conf
  • DOI
    10.1109/SMCSIA.2003.1232410
  • Filename
    1232410