David Whyte
Carleton University
Canada

Paul van Oorschot
Carleton University
Canada

Evangelos Kranakis
Carleton University
Canada

We exploit for defensive purposes the concept of darkports - the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e., become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network. Finally, our evaluation of darkports using three different network datasets illustrates that they are scalable and offer the ability to rapidly characterize and group hosts in a network into different exposure profiles that can be used to detect successful compromises or unauthorized network activity.

Keywords: Intrusion Detection, Enterprise Security, Network Scanning

Read Paper (in PDF)