| Main Authors: | Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco |
|---|---|
| Format: | Preprint |
| Published: | 2026 |
| Subjects: | Networking and Internet Architecture |
| Online Access: | https://arxiv.org/abs/2601.06280 |
| _version_ | 1866909986511126528 |
|---|---|
| author | Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco |
| author_facet | Sordello, Andrea; Wang, Zhihao; Huang, Kai; Cornacchia, Alessandro; Mellia, Marco |
| contents | Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset -- what we term erroneous outbound traffic -- is a lighter and revealing yet overlooked data source for identifying a broad range of security threats and network problems. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments and compromised hosts. |
| format | Preprint |
| id | arxiv_https___arxiv_org_abs_2601_06280 |
| institution | arXiv |
| publishDate | 2026 |
| record_format | arxiv |
| title | The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies |
| topic | Networking and Internet Architecture |
| url | https://arxiv.org/abs/2601.06280 |