Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies / Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco. - Electronic. - (In press). (Paper presented at the 2025 Internet Measurement Conference (IMC), held in Madison, WI, USA, 28-31 October 2025) [DOI: 10.1145/3730567.3768599].

Poster: The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies

Sordello, Andrea; Wang, Zhihao; Huang, Kai; Mellia, Marco
In press

Abstract

Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset --- what we term erroneous outbound traffic --- would suffice to discover a broad class of malicious, suspicious, and anomalous patterns. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments, and compromised hosts.
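The abstract defines erroneous outbound traffic by three conditions: an outbound packet that gets no response, an outbound packet that triggers an ICMP error, and an ICMP error that an internal host itself emits in reply to an unsolicited inbound request. The following Python program, added here as an illustration and not code from the poster or its authors, classifies a constructed packet trace into those three categories and then tallies erroneous flows per internal host, which is the kind of per-host view in which misconfigured or compromised machines become visible. The internal prefix `10.0.0.0/8`, the 5-second reply timeout, the `Packet` record layout and every address in the sample trace are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed internal address space (placeholder; the poster does not state its prefix).
INTERNAL = ip_network("10.0.0.0/8")
# ICMP types that report an error about a quoted datagram (RFC 792):
# destination unreachable, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 11, 12}

FlowKey = Tuple[str, str, str, int, int]  # (src, dst, proto, sport, dport)


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    quoted: Optional[FlowKey] = None  # 5-tuple of the datagram quoted inside an ICMP error


def is_internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def is_icmp_error(p: Packet) -> bool:
    return p.proto == "icmp" and p.icmp_type in ICMP_ERROR_TYPES


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.proto, p.sport, p.dport)


def reverse_key(k: FlowKey) -> FlowKey:
    src, dst, proto, sport, dport = k
    return (dst, src, proto, dport, sport)


def find_erroneous_outbound(packets, reply_timeout: float = 5.0) -> dict:
    """Split a trace into the three erroneous-outbound categories of the abstract.

    no_response            - outbound flow keys with no reverse packet within reply_timeout
    icmp_error_received    - (outbound flow key, type, code) for ICMP errors sent back to us
    unsolicited_icmp_error - (quoted inbound flow key, type, code) emitted by an internal host
    """
    pkts = sorted(packets, key=lambda p: p.ts)

    # Pass 1: index outbound flows (internal -> external) that the internal host initiated.
    # Flows whose reverse direction was seen first are replies to inbound traffic, not probes.
    first_out, inbound_seen = {}, set()
    for p in pkts:
        if is_icmp_error(p):
            continue
        k = flow_key(p)
        if not is_internal(p.src) and is_internal(p.dst):
            inbound_seen.add(k)
        elif is_internal(p.src) and not is_internal(p.dst) and reverse_key(k) not in inbound_seen:
            first_out.setdefault(k, p.ts)

    # Pass 2: match replies and ICMP errors against the outbound index.
    answered, errored, icmp_received, unsolicited = set(), set(), [], []
    for p in pkts:
        if is_icmp_error(p):
            if p.quoted is None:
                continue
            if not is_internal(p.src) and is_internal(p.dst) and p.quoted in first_out:
                errored.add(p.quoted)  # category 2: our packet triggered an error outside
                icmp_received.append((p.quoted, p.icmp_type, p.icmp_code))
            elif (is_internal(p.src) and not is_internal(p.dst)
                  and not is_internal(p.quoted[0]) and reverse_key(p.quoted) not in first_out):
                unsolicited.append((p.quoted, p.icmp_type, p.icmp_code))  # category 3
        else:
            rk = reverse_key(flow_key(p))
            if rk in first_out and 0.0 <= p.ts - first_out[rk] <= reply_timeout:
                answered.add(rk)

    no_response = {k for k in first_out if k not in answered and k not in errored}  # category 1
    return {"no_response": no_response, "icmp_error_received": icmp_received,
            "unsolicited_icmp_error": unsolicited}


def per_host_summary(result: dict) -> dict:
    """Erroneous flows and distinct external peers per internal host (many peers hints at scanning)."""
    stats = defaultdict(lambda: {"flows": 0, "dsts": set()})

    def tally(host, peer):
        stats[host]["flows"] += 1
        stats[host]["dsts"].add(peer)

    for k in result["no_response"]:
        tally(k[0], k[1])
    for k, _t, _c in result["icmp_error_received"]:
        tally(k[0], k[1])
    for k, _t, _c in result["unsolicited_icmp_error"]:
        tally(k[1], k[0])  # quoted datagram is external -> internal
    return {h: {"flows": v["flows"], "distinct_dsts": len(v["dsts"])} for h, v in stats.items()}


def sample_trace():
    """Constructed packets for illustration only, not measurement data from the poster."""
    web, dns, scanner, mail = "203.0.113.10", "198.51.100.20", "192.0.2.9", "203.0.113.11"
    pk = [Packet(0.00, "10.0.0.5", web, "tcp", 51000, 443),   # answered handshake: not erroneous
          Packet(0.05, web, "10.0.0.5", "tcp", 443, 51000),
          Packet(1.00, "10.0.0.5", web, "tcp", 51001, 80)]    # no answer at all
    q = ("10.0.0.7", dns, "udp", 40001, 53)                    # DNS query met by port unreachable
    pk += [Packet(2.00, *q), Packet(2.10, dns, "10.0.0.7", "icmp", icmp_type=3, icmp_code=3, quoted=q)]
    u = (scanner, "10.0.0.8", "udp", 40002, 1900)              # unsolicited inbound SSDP probe
    pk += [Packet(3.00, *u), Packet(3.01, "10.0.0.8", scanner, "icmp", icmp_type=3, icmp_code=3, quoted=u)]
    pk += [Packet(4.00, "10.0.0.5", mail, "tcp", 51002, 25),   # reply only after the timeout
           Packet(20.0, mail, "10.0.0.5", "tcp", 25, 51002)]
    pk += [Packet(5.0 + i, "10.0.0.9", f"203.0.113.{100 + i}", "tcp", 52000 + i, 22) for i in range(5)]
    return pk


if __name__ == "__main__":
    res = find_erroneous_outbound(sample_trace())
    for cat, items in res.items():
        print(cat, len(items))
    print(per_host_summary(res))
```

The two-pass design matters: indexing only flows the internal side initiated keeps ordinary replies to inbound connections out of the no-response category, and a flow that drew an ICMP error is counted once, under category 2, rather than also as unanswered. On the constructed trace the per-host view separates the host with one unanswered SYN and one late reply from the host that touched five distinct peers on the same port without ever being answered.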
ISBN: 979-8-4007-1860-1
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11583/3003457