
Detecting Scanners: Empirical Assessment on a 3G Network

RICCIATO, FABIO
2009

Abstract

Malicious agents like self-propagating worms often rely on port and/or address scanning to discover new potential victims. In such cases, the ability to detect active scanners by passive traffic monitoring is a prerequisite for taking countermeasures. In this work we evaluate experimentally two common algorithms for scanner detection, based on extensive analysis of real traffic traces from a live 3G mobile network. We observe that in practice a large number of alarms are triggered by legitimate applications such as P2P, and we suggest a new metric for discriminating between malicious and P2P scanners.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: http://hdl.handle.net/11587/111157