Greynets: a definition and evaluation of sparsely populated darknets

Authors:
Warren Harrop

Swinburne University of Technology, Melbourne, Australia

Swinburne University of Technology, Melbourne, Australia
View Profile

,
Grenville Armitage

Swinburne University of Technology, Melbourne, Australia

Swinburne University of Technology, Melbourne, Australia
View Profile

MineNet '05: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network dataAugust 2005Pages 171–172https://doi.org/10.1145/1080173.1080177

Published:22 August 2005Publication History

MineNet '05: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data

Pages 171–172

ABSTRACT

Darknets are often proposed to monitor for anomalous, externally sourced traffic, and require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. We introduce and evaluate the Greynet - a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. Based on a small sample of traffic collected within a university campus network we saw that relatively sparse greynets can achieve useful levels of network scan detection.

References

"Bro: A System for Detecting Network Intruders in Real-Time", V. Paxson, Proceedings of the 7th USENIX Security Symposium, January 26-29, 1998 Google ScholarDigital Library
"Bro", http://www.icir.org/vern/bro-info.html, August 2004Google Scholar
D. Moore, C. Shannon, G. M. Voelkery, S. Savagey, "Network Telescopes: Technical Report", CAIDA, April 2004Google Scholar
Telescope Analysis, http://www.caida.org/analysis/security/telescope/, April 2005Google Scholar
M. Bailey, E. Cooke, "Tracking Global Threats with the Internet Motion Sensor", Nanog 32, September 7th, 2004Google Scholar
University of Michigan Internet Motion Sensor, "http://ims.eecs.umich.edu/", April 2005Google Scholar
E. Cooke, M. Bailey, Z. M. Mao, D. Watson, F. Jahanian, D. McPherson, "Toward Understanding Distributed Blackhole Placement", Conference on Computer and Communications Security, Proceedings of the 2004 ACM workshop on Rapid malcode, 2004 Google ScholarDigital Library
The Team Cymru Darknet Project, "http://www.cymru.com/Darknet/", April 2005Google Scholar
D. Moore, G. Voelker, S. Savage, "Inferring Internet Denial-of-Service Activity," 2001USENIX Security Symposium August 2001 Google ScholarDigital Library
S. Lau, "The Spinning Cube of Potential Doom", LBNL Computer Protection Brown Bag seminar, Jan 2004Google Scholar
S. Lau, "http://www.nersc.gov/nusers/security/TheSpinningCube.php", April 2005Google Scholar
G. Gu et al, "Worm Detection, Early Warning and Response Based on Local Victim Information", ACSAC, December 2004 Google ScholarDigital Library

Index Terms

Greynets: a definition and evaluation of sparsely populated darknets
1. Networks
  1. Network services
    1. Network monitoring

Recommendations

Analysis of a "/0" stealth scan from a botnet

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial-of-service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, ...
Read More
Analysis of a "/0" stealth scan from a botnet
IMC '12: Proceedings of the 2012 Internet Measurement Conference

Botnets are the most common vehicle of cyber-criminal activity. They are used for spamming, phishing, denial of service attacks, brute-force cracking, stealing private information, and cyber warfare. Botnets carry out network scans for several reasons, ...
Read More
A Comparative study of Open Source IDSs according to their Ability to Detect Attacks
NISS '19: Proceedings of the 2nd International Conference on Networking, Information Systems & Security

In this paper, we focus on the important role of intrusion detection systems for detecting unauthorized actions initiated from both internal and external network by collecting and monitoring network traffic. We give a study of the open source Next-...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MineNet '05: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
August 2005
296 pages
ISBN:1595930264
DOI:10.1145/1080173
Conference Chairs:
Subhabrata Sen
AT&T Labs-Research
,
Chuanyi Ji
Georgia Tech
,
Debanjan Saha
IBM Research
,
Joe McCloskey
Dept. of Defense
Copyright © 2005 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 22 August 2005
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Greynet
darknet
intrusion detection systems
network security
network telescope
sparse darknets
Qualifiers
- Article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 5
  Total Citations
  View Citations
- 430
  Total Downloads
- Downloads (Last 12 months)27
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.