The Deployment of a Darknet on an Organization-Wide Network: An Empirical Analysis
Darknet sensors have the interesting property of collecting only suspicious traffic, including misconfiguration, backscatter and malicious traffic. The type of traffic collected highly depends on two parameters: the size and the location of the darknet sensor. The goals of this paper are to study empirically the relationship between these two parameters and to try to increase the volume of attackers detected by a given darknet sensor. Our empirical results reveal that on average, on a daily basis, 485 distinct external source IP addresses perform a TCP scan on one of the two /16 networks of our organization's network. Moreover, a given darknet sensor of 77 IP addresses deployed in the same /16 network collects on average attack traffic from 26% of these attackers.
Robin Berthier, Michel Cukier
Center for Risk and Reliability, Mechanical Engineering Department, College Park, USA
International conference
11th IEEE High Assurance Systems Engineering Symposium (HASE 2008)
Nanjing
English
59-68
2008-12-03 (date first posted online on the Wanfang platform; does not represent the paper's publication date)