Defining and evaluating greynets (sparse darknets)
conference contribution
posted on 2024-07-11, 11:37 authored by Warren Harrop, Grenville ArmitageDarknets are increasingly being proposed as a means by which network administrators can monitor for anomalous, externally sourced traffic. Current darknet designs require large, contiguous blocks of unused IP addresses - not always feasible for enterprise network operators. In this paper we introduce, define and evaluate the concept of a Greynet - a region of IP address space that is sparsely populated with 'darknet' addresses interspersed with active (or 'lit') IP addresses. We use raw traffic traces collected within a university network to evaluate how sparseness affects a greynet's effectiveness and hence show that enterprise operators can achieve useful levels of network scan detection, with only small numbers of 'dark' IP addresses making up their greynets.
History
Available versions
PDF (Published version)Publisher DOI
ISBN
769524214Journal title
Proceedings - Conference on Local Computer Networks, LCNConference name
Conference on Local Computer Networks, LCNVolume
2005Pagination
6 ppPublisher
Institute of Electrical and Electronics EngineersCopyright statement
Copyright © 2005 IEEE. The published version is reproduced in accordance with the copyright policy of the publisher. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.Language
engUsage metrics
Categories
No categories selectedKeywords
Licence
Exports
RefWorks
BibTeX
Ref. manager
Endnote
DataCite
NLM
DC