Tracking Darkports for Network Defense
The authors exploit for defensive purposes the concept of darkports the unused ports on active systems. They are particularly interested in such ports which transition to become active (i.e. become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. They show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives.