Greynets: a definition and evaluation of sparsely populated darknets

Authors:
Warren Harrop;Grenville Armitage
Affiliations:
Swinburne University of Technology, Melbourne, Australia;Swinburne University of Technology, Melbourne, Australia
Venue:
Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data
Year:
2005

Citing 4
Cited 2

Toward understanding distributed blackhole placement

Proceedings of the 2004 ACM workshop on Rapid malcode
Worm Detection, Early Warning and Response Based on Local Victim Information

ACSAC '04 Proceedings of the 20th Annual Computer Security Applications Conference
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Bro: a system for detecting network intruders in real-time

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7

Real-time collaborative network monitoring and control using 3D game engines for representation and interaction

Proceedings of the 3rd international workshop on Visualization for computer security
Modifying first person shooter games to perform real time network monitoring and control tasks

NetGames '06 Proceedings of 5th ACM SIGCOMM workshop on Network and system support for games

Quantified Score

Hi-index	0.00

Visualization

Abstract

Darknets are often proposed to monitor for anomalous, externally sourced traffic, and require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. We introduce and evaluate the Greynet - a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. Based on a small sample of traffic collected within a university campus network we saw that relatively sparse greynets can achieve useful levels of network scan detection.