Detecting Scanners: Empirical Assessment on a 3G Network
RICCIATO, FABIO
2009-01-01
Abstract
Malicious agents such as self-propagating worms often rely on port and/or address scanning to discover new potential victims. In such cases the ability to detect active scanners from passive traffic monitoring is the prerequisite for taking countermeasures. In this work we evaluate experimentally two common algorithms for scanner detection, based on extensive analysis of real traffic traces from a live 3G mobile network. We observe that in practice a large number of alarms are triggered by legitimate applications such as peer-to-peer (p2p) software, and we suggest a new metric for discriminating between malicious and p2p scanners.
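The abstract does not reproduce the two detection algorithms or the proposed metric, so the following is an added illustration, not code from the paper: a generic passive fan-out detector (a source that contacts more than a threshold of distinct destination addresses within a sliding window raises an alarm) run over constructed flow records for three sources. It shows the effect the abstract reports, that a p2p-like source trips the same alarm as a horizontal port scanner, and then separates the two with a port-diversity feature (distinct destination ports over distinct destination addresses). That feature, the thresholds, the `Flow` record layout and the sample addresses are all assumptions made for this example and are not the paper's metric.

```python
"""Passive scanner detection over flow records (added illustration, not the paper's code)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float     # flow start time in seconds (assumed record layout)
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination port


def _gen_flows():
    """Constructed sample traffic (not real traces):
    10.0.0.1 sweeps TCP/445 across 40 addresses (horizontal scan),
    10.0.0.2 contacts 40 peers on 40 different high ports (p2p-like),
    10.0.0.3 talks to 5 servers on 443 (ordinary client)."""
    flows = []
    for i in range(40):
        flows.append(Flow(i * 0.5, "10.0.0.1", f"192.0.2.{i + 1}", 445))
    for i in range(40):
        flows.append(Flow(i * 0.7, "10.0.0.2", f"198.51.100.{i + 1}", 30000 + (i * 37) % 20000))
    for i in range(5):
        flows.append(Flow(i * 3.0, "10.0.0.3", f"203.0.113.{i + 1}", 443))
    return flows


SAMPLE_FLOWS = _gen_flows()


def fanout_alarms(flows, window=60.0, threshold=20):
    """Return {src: peak_distinct_destinations} for every source whose number of
    distinct destination addresses within any `window` seconds exceeds `threshold`.
    Thresholds are assumed values for the example."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_src[f.src].append(f)
    alarms = {}
    for src, fl in by_src.items():
        q = deque()                 # flows currently inside the window
        counts = defaultdict(int)   # distinct destination -> multiplicity in window
        peak = 0
        for f in fl:
            q.append(f)
            counts[f.dst] += 1
            # expire flows older than the window before measuring fan-out
            while q and f.ts - q[0].ts > window:
                old = q.popleft()
                counts[old.dst] -= 1
                if counts[old.dst] == 0:
                    del counts[old.dst]
            peak = max(peak, len(counts))
        if peak > threshold:
            alarms[src] = peak
    return alarms


def port_diversity(flows, src):
    """Illustrative discriminating feature (assumption, not the paper's metric):
    distinct destination ports divided by distinct destination addresses.
    A horizontal scan hammers one port on many hosts (value near 0);
    p2p traffic reaches many peers on many different ports (value near 1)."""
    fl = [f for f in flows if f.src == src]
    dsts = {f.dst for f in fl}
    ports = {f.dport for f in fl}
    return len(ports) / len(dsts) if dsts else 0.0


def classify(flows, window=60.0, threshold=20, diversity_cutoff=0.5):
    """Label each alarmed source as 'scan-like' or 'p2p-like' (cutoff is an assumption)."""
    result = {}
    for src, peak in fanout_alarms(flows, window, threshold).items():
        div = port_diversity(flows, src)
        label = "p2p-like" if div >= diversity_cutoff else "scan-like"
        result[src] = (label, peak, div)
    return result


if __name__ == "__main__":
    print("fan-out alarms:", fanout_alarms(SAMPLE_FLOWS))
    for src, (label, peak, div) in classify(SAMPLE_FLOWS).items():
        print(f"{src}: {label} (peak fan-out {peak}, port diversity {div:.3f})")
```

On the constructed sample both 10.0.0.1 and 10.0.0.2 exceed the fan-out threshold, which is exactly the false-positive pressure the abstract describes; only the second-stage feature tells them apart. Any real deployment would need the threshold and window tuned to the observed traffic mix, and a p2p client that probes a fixed port across many peers would defeat this particular feature, which is why it is labeled illustrative.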
There are no files associated with this item.
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.