Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies / Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco. - ELECTRONIC. - (2025), pp. 1078-1079. (2025 Internet Measurement Conference (IMC), Madison, WI, USA, 28-31 October 2025) [10.1145/3730567.3768599].

Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies

Sordello, Andrea; Wang, Zhihao; Huang, Kai; Mellia, Marco
2025

Abstract

Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset --- what we term erroneous outbound traffic --- would suffice to discover a broad class of malicious, suspicious, and anomalous patterns. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments, and compromised hosts.
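The three categories the abstract names (outbound packets that receive no response, outbound packets that trigger ICMP errors, and outbound ICMP errors sent in reply to unsolicited inbound requests) can be separated with a simple pass over a packet list. The following is an added example written for this page; it is not the authors' code, and the internal prefix, reply window, packet layout and sample capture are all assumptions. It classifies each internal-to-external packet and then summarizes per internal host, which is where a scanner-like fan-out of unanswered connections, a stale resolver address, or a host answering external probes becomes visible.

```python
"""Classify erroneous outbound traffic from a packet list (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal prefix
ICMP_ERROR_TYPES = {3, 11, 12}        # destination unreachable, time exceeded, parameter problem
REPLY_TIMEOUT = 2.0                   # assumed window (seconds) in which a reply must arrive


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1
    icmp_code: int = -1
    quoted: Optional[tuple] = None    # ICMP errors quote the offending packet's 5-tuple


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def flow_key(p: Pkt) -> tuple:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse_key(k: tuple) -> tuple:
    src, dst, proto, sport, dport = k
    return (dst, src, proto, dport, sport)


def classify(pkts, timeout=REPLY_TIMEOUT):
    """Return the erroneous outbound packets grouped into the three categories."""
    ts_by_flow = defaultdict(list)          # 5-tuple -> timestamps seen for that flow
    icmp_errors_for = defaultdict(list)     # quoted 5-tuple -> ICMP errors referencing it
    for p in pkts:
        ts_by_flow[flow_key(p)].append(p.ts)
        if p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES and p.quoted:
            icmp_errors_for[p.quoted].append(p)

    out = {"unanswered": [], "icmp_error_triggered": [], "outbound_icmp_error": []}
    for p in pkts:
        if not (is_internal(p.src) and not is_internal(p.dst)):
            continue                        # only internal -> external packets are of interest
        if p.proto in ("tcp", "udp"):
            k = flow_key(p)
            replies = ts_by_flow.get(reverse_key(k), [])
            if any(p.ts <= t <= p.ts + timeout for t in replies):
                continue                    # answered within the window: not erroneous
            errors = icmp_errors_for.get(k, [])
            if any(p.ts <= e.ts <= p.ts + timeout for e in errors):
                out["icmp_error_triggered"].append(p)
            else:
                out["unanswered"].append(p)
        elif p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES and p.quoted:
            q_src, q_dst = p.quoted[0], p.quoted[1]
            if not is_internal(q_src) and is_internal(q_dst):
                out["outbound_icmp_error"].append(p)   # we answered an unsolicited inbound request
    return out


def per_host_summary(classified):
    """Per internal host: distinct unanswered destinations, distinct ICMP-error targets, errors sent."""
    hosts = defaultdict(lambda: {"unanswered_dsts": set(), "icmp_error_dsts": set(),
                                 "outbound_icmp_errors": 0})
    for p in classified["unanswered"]:
        hosts[p.src]["unanswered_dsts"].add(p.dst)
    for p in classified["icmp_error_triggered"]:
        hosts[p.src]["icmp_error_dsts"].add((p.dst, p.proto, p.dport))
    for p in classified["outbound_icmp_error"]:
        hosts[p.src]["outbound_icmp_errors"] += 1
    return {h: {"unanswered_dsts": len(v["unanswered_dsts"]),
                "icmp_error_dsts": len(v["icmp_error_dsts"]),
                "outbound_icmp_errors": v["outbound_icmp_errors"]} for h, v in hosts.items()}


# Constructed sample capture (documentation-range addresses; not real measurements).
SAMPLE = [
    Pkt(0.0, "10.0.0.5", "192.0.2.10", "tcp", 51000, 443),               # normal HTTPS, answered
    Pkt(0.1, "192.0.2.10", "10.0.0.5", "tcp", 443, 51000),
    *[Pkt(1.0 + i * 0.01, "10.0.0.7", f"198.51.100.{i}", "tcp", 40000 + i, 22)
      for i in range(1, 6)],                                             # SSH probes, no replies
    Pkt(5.0, "10.0.0.9", "203.0.113.10", "udp", 53001, 53),              # query to decommissioned resolver
    Pkt(5.2, "203.0.113.1", "10.0.0.9", "icmp", icmp_type=3, icmp_code=1,
        quoted=("10.0.0.9", "203.0.113.10", "udp", 53001, 53)),          # router: host unreachable
    Pkt(8.0, "192.0.2.50", "10.0.0.5", "udp", 60000, 161),               # unsolicited SNMP probe
    Pkt(8.0, "10.0.0.5", "192.0.2.50", "icmp", icmp_type=3, icmp_code=3,
        quoted=("192.0.2.50", "10.0.0.5", "udp", 60000, 161)),           # our port-unreachable reply
]

if __name__ == "__main__":
    for host, counts in sorted(per_host_summary(classify(SAMPLE)).items()):
        print(host, counts)
```

On the sample, 10.0.0.7 shows five distinct unanswered destinations on one port (a scan-shaped pattern), 10.0.0.9 keeps querying a resolver that the network now reports unreachable (a stale configuration), and 10.0.0.5 appears only because it answered an external probe with an ICMP error. The reply-matching key is the exact reverse 5-tuple, so NAT or asymmetric routing in front of the capture point would need a different join; the paper's observation is that these three narrow classes are what remains worth inspecting after answered traffic is dropped.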
ISBN: 979-8-4007-1860-1
Files in this record:
File: 3730567.3768599.pdf
Access: restricted
Description: Published article
Type: 2a Post-print, publisher's version / Version of Record
Licence: Not public - private/restricted access
Size: 1.3 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11583/3003457