DocumentCode :
2529789
Title :
Tracking Darkports for Network Defense
Author :
Whyte, David ; Oorschot, Paul C. van ; Kranakis, Evangelos
fYear :
2007
fDate :
10-14 Dec. 2007
Firstpage :
161
Lastpage :
171
Abstract :
We exploit for defensive purposes the concept of darkports, the unused ports on active systems. We are particularly interested in such ports which transition to become active (i.e. become trans-darkports). Darkports are identified by passively observing and characterizing the connectivity behavior of internal hosts in a network as they respond to both legitimate connection attempts and scanning attempts. Darkports can be used to detect sophisticated scanning activity, enable fine-grained automated defense against automated malware attacks, and detect real-time changes in a network that may indicate a successful compromise. We show, in a direct comparison with Snort, that darkports offer a better scanning detection capability with fewer false positives and negatives. Our results also show that the network awareness gained by the use of darkports enables active response options to be safely focused exclusively on those systems that directly threaten the network.
Keywords :
Access control; Application software; Computer science; Computer security; IP networks; Internet; Probes; Reconnaissance; Recruitment; Telecommunication traffic;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual
Conference_Location :
Miami Beach, FL, USA
ISSN :
1063-9527
Print_ISBN :
978-0-7695-3060-4
Type :
conf
DOI :
10.1109/ACSAC.2007.38
Filename :
4412986