ABSTRACT
Darknets are often proposed as a way to monitor for anomalous, externally sourced traffic, but they require large, contiguous blocks of unused IP addresses, which is not always feasible for enterprise network operators. We introduce and evaluate the Greynet: a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. Based on a small sample of traffic collected within a university campus network, we saw that relatively sparse greynets can achieve useful levels of network scan detection.
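As an added illustration (not code from the paper), the detection logic a greynet implies: flag any external source that sends to one of the interspersed dark addresses, together with a hypergeometric estimate of how likely a scanner that probes n addresses of a block is to touch at least one dark address. The addresses, flow records and the hit threshold are constructed assumptions, not values from the paper.

```python
from ipaddress import ip_address
from math import comb
from collections import defaultdict

# Constructed example: a /24 in which five addresses are unused and act
# as greynet (dark) sensors; every other address in the block is "lit".
GREYNET = {ip_address(a) for a in (
    "192.0.2.7", "192.0.2.42", "192.0.2.99", "192.0.2.160", "192.0.2.231")}

# Constructed flow records: (src, dst, dst_port). 203.0.113.5 sweeps the
# first 59 hosts sequentially; 198.51.100.9 only talks to a lit web server.
FLOWS = [("203.0.113.5", f"192.0.2.{h}", 445) for h in range(1, 60)] + [
    ("198.51.100.9", "192.0.2.10", 80),
    ("198.51.100.9", "192.0.2.10", 443),
]


def greynet_hits(flows, greynet, threshold=1):
    """Return {src: [dark dsts]} for sources that touched at least
    `threshold` distinct greynet addresses. Nothing legitimate is hosted on
    a dark address, so a single hit is already a strong scan indicator;
    raise `threshold` to tolerate stray misconfiguration traffic."""
    hits = defaultdict(set)
    for src, dst, _port in flows:
        d = ip_address(dst)
        if d in greynet:
            hits[src].add(d)
    return {s: [str(a) for a in sorted(ds)]
            for s, ds in hits.items() if len(ds) >= threshold}


def detection_probability(block_size, dark_count, probes):
    """Probability that a scanner probing `probes` distinct addresses chosen
    uniformly from a block containing `dark_count` dark addresses touches at
    least one of them: 1 - C(N-D, n) / C(N, n)."""
    lit = block_size - dark_count
    if probes > lit:
        return 1.0  # more probes than lit addresses: a dark one must be hit
    return 1 - comb(lit, probes) / comb(block_size, probes)


if __name__ == "__main__":
    print(greynet_hits(FLOWS, GREYNET))
    for n in (1, 16, 64, 128):
        print(f"{n:3d} probes of a /24 with 5 dark: "
              f"P(detect) = {detection_probability(256, 5, n):.3f}")
```

With only 5 dark addresses in a /24, a scanner that touches 64 hosts is caught about three times in four; this is the density-versus-detection trade-off the abstract refers to.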
Greynets: a definition and evaluation of sparsely populated darknets