Automatic backdoor analysis with a network intrusion detection system and an integrated service checker

In this paper we examine how a network intrusion detection system can be used as a trigger for service checking and reporting. This approach reduces the amount of false alerts (false positives) and raises the quality of the alert report. A sample data over the Christmas period of year 2002 is analyzed as an example and detection of unauthorized SSH servers used as the main application. Unauthorized interactive backdoors to a network belong to the most dangerous class of intrusions [1]. These backdoors are usually installed by root-kits, to hide the system compromise activity. They are a gateway to launch exploits, gain super-user access to hosts in the internal network and use the attacked network as a stepping stone to attack other networks. In this research we have developed software and done statistical analysis to assess and prevent such situations.