Tracking Darkports for Network Defense

12 years 10 months ago
Tracking Darkports for Network Defense
We exploit for defensive purposes the concept of darkports – the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e., become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network. Finally, our evalu...
David Whyte, Paul C. van Oorschot, Evangelos Krana
Added 02 Jun 2010
Updated 02 Jun 2010
Type Conference
Year 2007
Authors David Whyte, Paul C. van Oorschot, Evangelos Kranakis
Comments (0)