The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies
By: Andrea Sordello, Zhihao Wang, Kai Huang and more
Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset -- what we term erroneous outbound traffic -- is a lightweight, revealing, yet overlooked data source for identifying a broad range of security threats and network problems. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are themselves ICMP error messages generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments and compromised hosts.