Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies / Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco. - ELECTRONIC. - (In press). (Paper presented at the 2025 Internet Measurement Conference (IMC), held in Madison, WI, USA, 28-31 October 2025) [10.1145/3730567.3768599].
Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies
Sordello, Andrea; Wang, Zhihao; Huang, Kai; Mellia, Marco
In press
Abstract
Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset --- what we term erroneous outbound traffic --- suffices to discover a broad class of malicious, suspicious, and anomalous patterns. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are themselves ICMP error messages generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments, and compromised hosts.
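The abstract defines erroneous outbound traffic by three conditions on packets leaving internal hosts. The following is an added worked example, not the authors' code or data, showing how a packet log can be sorted into those three classes and rolled up per internal host. Everything in it is constructed for illustration: the 10.0.0.0/8 internal prefix, the packet records, the field names (including the `quoted` 5-tuple standing in for the header an ICMP error carries in its payload), and the 5-second response window.

```python
"""Classify erroneous outbound traffic from a packet log.

Added illustration of the three traffic classes the abstract defines; not the
authors' code. The internal prefix, packet records, field names and response
window are all assumptions constructed for the example.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumed internal address space
ICMP_ERROR_TYPES = {3, 11}            # destination unreachable, time exceeded

# Constructed packet log. ICMP error records carry 'quoted': the 5-tuple of
# the packet that triggered the error, as an ICMP error quotes the offending
# header in its payload.
PACKETS = [
    # ordinary HTTPS session: answered, so not erroneous
    dict(ts=1.0, src="10.0.0.5", dst="203.0.113.10", proto="tcp", sport=50001, dport=443),
    dict(ts=1.1, src="203.0.113.10", dst="10.0.0.5", proto="tcp", sport=443, dport=50001),
    # telnet to a host that never answers: unanswered outbound
    dict(ts=2.0, src="10.0.0.7", dst="198.51.100.20", proto="tcp", sport=40000, dport=23),
    dict(ts=2.5, src="10.0.0.7", dst="198.51.100.20", proto="tcp", sport=40000, dport=23),
    # SNMP probe rejected by the remote host with ICMP port unreachable
    dict(ts=3.0, src="10.0.0.7", dst="198.51.100.21", proto="udp", sport=40001, dport=161),
    dict(ts=3.1, src="198.51.100.21", dst="10.0.0.7", proto="icmp", icmp_type=3, icmp_code=3,
         quoted=("10.0.0.7", "198.51.100.21", "udp", 40001, 161)),
    # unsolicited inbound SSDP probe; the internal host replies with port unreachable
    dict(ts=4.0, src="192.0.2.9", dst="10.0.0.9", proto="udp", sport=5555, dport=1900),
    dict(ts=4.1, src="10.0.0.9", dst="192.0.2.9", proto="icmp", icmp_type=3, icmp_code=3,
         quoted=("192.0.2.9", "10.0.0.9", "udp", 5555, 1900)),
]


def is_internal(addr):
    return ip_address(addr) in INTERNAL


def is_icmp_error(p):
    return p["proto"] == "icmp" and p.get("icmp_type") in ICMP_ERROR_TYPES


def tuple5(p):
    return (p["src"], p["dst"], p["proto"], p.get("sport"), p.get("dport"))


def reverse(t):
    return (t[1], t[0], t[2], t[4], t[3])


def classify(packets, window=5.0):
    """Return {class: [5-tuples]} for the three kinds of erroneous outbound traffic.

    unanswered            outbound flows with no reply within `window` seconds
    icmp_error_triggered  outbound flows quoted by an inbound ICMP error
    internal_icmp_error   unsolicited inbound requests that an internal host
                          answered with an ICMP error (the quoted tuple is kept)
    """
    first_seen = {}          # outbound 5-tuple -> ts of first packet
    answered = set()
    icmp_triggered = []
    internal_errors = []
    for p in sorted(packets, key=lambda p: p["ts"]):
        t = tuple5(p)
        outbound = is_internal(p["src"]) and not is_internal(p["dst"])
        if is_icmp_error(p):
            q = p["quoted"]
            if outbound and reverse(q) not in first_seen:
                internal_errors.append(q)        # unsolicited: we never sent reverse(q)
            elif q in first_seen and q not in icmp_triggered:
                icmp_triggered.append(q)         # remote side rejected our flow
            continue
        if outbound:
            first_seen.setdefault(t, p["ts"])
        elif reverse(t) in first_seen and p["ts"] - first_seen[reverse(t)] <= window:
            answered.add(reverse(t))             # inbound reply to one of our flows
    unanswered = [t for t in first_seen if t not in answered and t not in icmp_triggered]
    return {"unanswered": unanswered,
            "icmp_error_triggered": icmp_triggered,
            "internal_icmp_error": internal_errors}


def per_host(classes):
    """Roll the classes up by internal host, the unit the abstract reasons about."""
    counts = {}
    for cls, flows in classes.items():
        for t in flows:
            host = t[1] if cls == "internal_icmp_error" else t[0]
            counts.setdefault(host, Counter())[cls] += 1
    return {h: dict(c) for h, c in counts.items()}


if __name__ == "__main__":
    for host, c in per_host(classify(PACKETS)).items():
        print(host, c)
```

On the constructed log, 10.0.0.5 produces nothing, 10.0.0.7 shows one unanswered flow and one ICMP-rejected flow, and 10.0.0.9 shows one ICMP error sent in reply to a probe it never solicited; those last two hosts are the ones the abstract's approach would flag for a closer look. A real deployment would additionally need to match the quoted header to the outbound flow modulo NAT and to pick the response window per protocol.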
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.
https://hdl.handle.net/11583/3003457