Detecting Scanners: Empirical Assessment on a 3G Network

Vincenzo Falletta, Fabio Ricciato
2009 International Journal of Network Security  
Malicious agents like self-propagating worms often rely on port or address scanning to discover new potential victims. The ability to detect active scanners based on passive traffic monitoring is an important prerequisite for taking appropriate countermeasures. In this work we evaluate experimentally two common algorithms for scanner detection based on extensive analysis of real traffic traces from a live 3G mobile network. We observe that in practice a large number of alarms are triggered by legitimate applications like peer-to-peer and suggest a new empirical metric for discriminating between worms and p2p scanners.
dblp:journals/ijnsec/FallettaR09 fatcat:73dowt7rmnct3benwnrtrgehtq