Defining and Evaluating Greynets (Sparse Darknets)

Harrop, Warren; Armitage, Grenville

doi:10.1109/lcn.2005.46

Cited by 23 publications

(9 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For instance, Bailey, et al and Cooke, et al have shown that, with an IPv4 network telescope, much more data is gathered when it is located near live hosts [4,8]. Likewise, Harrop et al discuss, in the context of enterprise IPv4 networks, the advantages of greynets, which have unused addresses interspersed with live addresses to produce visibility similar to that of a large, contiguous network telescope [17]. Since the IPv6 address space is vast, compared to IPv4, (and, consequently, sparse) this locality advantage is even more necessary to capture a network telescope sample of any meaningful size.…”

Section: Complications Of a Covering Prefixmentioning

confidence: 99%

Understanding IPv6 internet background radiation

Czyz

Lady

Miller

et al. 2013

Proceedings of the 2013 Conference on Internet Measurement Conference

View full text Add to dashboard Cite

We report the results of a study to collect and analyze IPv6 Internet background radiation. This study, the largest of its kind, collects unclaimed traffic on the IPv6 Internet by announcing five large /12 covering prefixes; these cover the majority of allocated IPv6 space on today's Internet. Our analysis characterizes the nature of this traffic across regions, over time, and by the allocation and routing status of the intended destinations, which we show help to identify the causes of this traffic. We compare results to unclaimed traffic in IPv4, and highlight case studies that explain a large fraction of the data or highlight notable properties. We describe how announced covering prefixes differ from traditional network telescopes, and show how this technique can help both network operators and the research community identify additional potential issues and misconfigurations in this critical Internet transition period.

show abstract

Section: Complications Of a Covering Prefixmentioning

confidence: 99%

Understanding IPv6 internet background radiation

Czyz

Lady

Miller

et al. 2013

Proceedings of the 2013 Conference on Internet Measurement Conference

View full text Add to dashboard Cite

show abstract

“…Therefore, we demonstrate the usefulness of the proposed approach through a case study on over a year of data. The data was collected from a greynet [37], [7], meaning that the unused IPs are from a network that is populated by both active and unused IP addresses.…”

Section: Analysis Of Darknet Trafficmentioning

confidence: 99%

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

show abstract

“…Greynets [35,36] modify the darknet concept by monitoring unused IP addresses diffused amongst 'normal' active IP addresses in an operational enterprise network. Detecting worm scans within an enterprise network is particularly useful for detecting and tracking worms that have taken up residence on 'trusted' hosts inside the enterprise's boundaries.…”

Section: Network Monitoringmentioning

confidence: 99%

“…In recent times, people have explored the use of darknets 1 [41] and greynets [35] to passively monitor for the tell-tale signs of network scans in progress. In this paper we make use of the greynet to provide passively collected network intrusion information.…”

Section: Introductionmentioning

confidence: 99%

Real-time collaborative network monitoring and control using 3D game engines for representation and interaction

Harrop

Armitage

2006

Proceedings of the 3rd International Workshop on Visualization for Computer Security

View full text Add to dashboard Cite

Identifying and reacting to malicious or anomalous IP traffic is a significant challenge for network operators. Automated real-time responses have been simplistic and require followup actions by technically specialised employees. We describe a system where off-the-shelf 3D game-engine technology enables collaborative network control through familiar 'interaction' metaphors by translating network events into visually-orthogonal 'activities'. Anomalous behaviour is targeted by the managers-as-players using in-game techniques, such as 'shooting' or 'healing', resulting in defensive actions (such as updates to a firewall's access control list) being instantiated behind the scenes.

show abstract

Defining and Evaluating Greynets (Sparse Darknets)

Cited by 23 publications

References 4 publications

Understanding IPv6 internet background radiation

Understanding IPv6 internet background radiation

DANTE: A framework for mining and monitoring darknet traffic

Real-time collaborative network monitoring and control using 3D game engines for representation and interaction

Contact Info

Product

Resources

About