Check out the new USENIX Web site.

USENIX, The Advanced Computing Systems Association

1st USENIX Workshop on Hot Topics in Security

Pp. 51–55 of the Proceedings

Exposure Maps: Removing Reliance on Attribution During Scan Detection

David Whyte, P.C. van Oorschot, and Evangelos Kranakis, Carleton University


Current scanning detection algorithms are based on an underlying assumption that scanning activity can be attributed to a meaningful specific source (i.e. the root cause or scan controller). Sophisticated scanning activity including the use of botnets, idle scanning, and throwaway systems violates this assumption. We propose a class of scanning detection algorithms that focus on what is being scanned for instead of who is performing the scanning. We pursue this idea, introduce the concept of exposuremaps, and report on a preliminary proof-of-concept that allows one to: (1) estimate the information or exposures revealed to an adversary as a result of scanning activity; (2) detect sophisticated or targeted scanning activity with a footprint as low as a single packet or event; and (3) discover real-time changes in network exposures that may be indicative of a successful attack.
  • View the full text of this paper in PDF.
    Click here if you have forgotten your password Until July 2007, you will need your USENIX membership identification in order to access the full papers. The Proceedings are published as a collective work, © 2006 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.

  • If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.
To become a USENIX Member, please see our Membership Information.

Last changed: 4 Aug. 2006 ch