Theoretic derivations of scan detection operating on darknet traffic

Cyber space continues to be threatened by various debilitating attacks. In this context, executing passive measurements by analyzing Internet-scale, one-way darknet traffic has proven to be an effective approach to shed light on Internet-wide maliciousness. While typically such measurements are solely conducted from the empirical perspective on already deployed darknet IP spaces using off-the-shelf Intrusion Detection Systems (IDS), their multidimensional theoretical foundations, relations and implications continue to be obscured. In this article, we take a first step towards comprehending the relation between attackers' behaviors, the width of the darknet vantage points, the probability of detection and the minimum detection time. We perform stochastic modeling, derivation, validation, inter-correlation and analysis of such parameters to provide numerous insightful inferences, such as the most effective IDS and the most suitable darknet IP space, given various attackers' activities in the presence of detection time/probability constraints. One of the outcomes suggests that the detection strategy employed by the widely-deployed Bro IDS is ideal for inferring slow, stealthy probing activities by leveraging passive measurements. Further, the results do not recommend deploying the strategy utilized by the Snort IDS when the available darknet IP space is relatively small, which is a typical scenario when darknets are operated and employed on organizational networks. In addition, we provide an optimization problem set that identifies a new botnet early infection strategy, which can be leveraged by evolving stealthy bots to circumvent a certain IDS strategy as it operates on the darknet IP space. The implications of this formal derivation are especially factual with the advent of evolving paradigms such as IPv6 deployments, and the proliferation of highly-distributed, orchestrated, large-scale and stealthy probing botnets.