Please use this identifier to cite or link to this item: http://hdl.handle.net/1959.3/2449

Download PDF (Published version) (Adobe Acrobat PDF, -1 bytes)

Title

Defining and evaluating greynets (sparse darknets)

Author(s)

Armitage, Grenville;  Harrop, W.

Abstract

Darknets are increasingly being proposed as a means by which network administrators can monitor for anomalous, externally sourced traffic. Current darknet designs require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. In this paper we introduce, define and evaluate the concept of a Greynet - a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. We use raw traffic traces collected within a university network to evaluate how sparseness affects a greynet's effectiveness and hence show that enterprise operators can achieve useful levels of network scan detection, with only small numbers of 'dark' IP addresses making up their greynets.

Publication type

Conference paper

Research centre

Swinburne University of Technology. Faculty of Information and Communication Technologies

Source

Proceedings of the 30th IEEE Conference on Local Computer Networks LCN 2005, 15-17 November 2005, Sydney, New South Wales, Australia, pp. 344-350

Publication year

2005

Publisher

Institute of Electrical and Electronics Engineers

ISBN

0 7695 2421 4

Publisher URL

http://doi.ieeecomputersociety.org/10.1109/LCN.2005.46

Copyright

Copyright © 2005 IEEE. Published version of the paper reproduced here in accordance with the copyright policy of the publisher. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Full text

Peer reviewed