Thesis 109522053: full metadata record

DC field | Value | Language
DC.contributor | Department of Computer Science and Information Engineering | zh_TW
DC.creator | 戴鴻慈 | zh_TW
DC.creator | Hung-Tsz Tai | en_US
dc.date.accessioned | 2022-7-14T07:39:07Z |
dc.date.available | 2022-7-14T07:39:07Z |
dc.date.issued | 2022 |
dc.identifier.uri | http://ir.lib.ncu.edu.tw:444/thesis/view_etd.asp?URN=109522053 |
dc.contributor.department | Department of Computer Science and Information Engineering | zh_TW
DC.description | National Central University | zh_TW
DC.description | National Central University | en_US
dc.description.abstract | A backdoor is a piece of malicious software used to gain unauthorized access to a system. Through a backdoor, an attacker can steal confidential information, conduct criminal espionage, or carry out an advanced persistent threat attack. Because sophisticated attacks take time to set up and execute, a backdoor is one option for an attacker to reconnect to the victim server. Although many devices deploy a firewall to prevent this type of attack, the diversity of backdoors remains a serious problem; some researchers have even found backdoors that bypass the firewall to get into the system. This study proposes a mechanism, BlackCrab, a backdoor detection method based on capturing the IP of each connection and comparing it against log files. By setting up different services on the machine, we obtain their log files; each service has its own log file that records the connection or operation events related to that service. When the connection IP matches a record in any log file, the connection is judged to be legitimate. In other words, if no match is found, we suspect that the connection came in through a backdoor. In addition, we provide another method, hash value comparison, for services that do not log in real time. In the experiments, we selected 7 common services and collected 21 Linux backdoors from GitHub and real-world backdoor attacks, and installed them on the test machine of this study. Among 14,737 legitimate connections, the pass rate of inspection reached 99.6%, and of the 21 backdoors, BlackCrab detected 19. After testing, the overhead this mechanism imposes on the original system is negligible. | zh_TW
dc.description.abstract | A backdoor is a type of malware used to gain unauthorized access to a system. Once attackers have successfully entered the device, they can steal sensitive information, conduct criminal espionage, or execute an advanced persistent threat attack. Because a sophisticated attack takes time to set up and execute, a backdoor is a convenient option for criminals to reconnect to the victim server. Although many devices have firewalls to prevent attacks, the variety of backdoors remains a serious problem; researchers have even found that some backdoors can bypass the firewall. We propose a system, BlackCrab, that detects backdoors by capturing the IP address of each connection and comparing it with log files. We compare the connection against the log files of the services set up on the machine to determine whether it is legitimate. In addition, we provide another method, hash value comparison, for services that do not keep real-time log records. In our implementation, we chose seven common services and collected 21 backdoors targeting the Linux platform from GitHub projects and real-world backdoor samples. With 14,737 legitimate connections, 99.6% accuracy in passing inspection is achieved. Of the 21 backdoors, 19 can be detected by BlackCrab. The overhead introduced by our system is negligible. | en_US
DC.subject | Backdoor | zh_TW
DC.subject | Log file | zh_TW
DC.subject | Real-time detection | zh_TW
DC.subject | Backdoor | en_US
DC.subject | log | en_US
DC.subject | real-time detection | en_US
DC.title | BlackCrab: A Connection-Based Real-time Backdoor Detection Mechanism | en_US
dc.language.iso | en_US | en_US
DC.type | Thesis | zh_TW
DC.type | thesis | en_US
DC.publisher | National Central University | en_US
