Date Added: Sep 2009
Malicious agents like self-propagating worms often rely on port or address scanning to discover new potential victims. The ability to detect active scanners through passive traffic monitoring is an important prerequisite for taking appropriate countermeasures. In this paper, the authors experimentally evaluate two common scanner-detection algorithms, based on extensive analysis of real traffic traces from a live 3G mobile network. They observe that, in practice, a large number of alarms are triggered by legitimate applications such as peer-to-peer software, and they propose a new empirical metric for discriminating between worms and p2p scanners.