Toronto Networking Seminar

Scan Detection and Analysis using Exposure Maps and Darkports

Paul Van Oorschot
School of Computer Science
Carleton University 

Date: Friday, April 20, 2pm
Location: BA 4287 (Bahen Center)


We define darkports as unused ports on active Internet-accessible systems, and are particularly interested when they transition to become active. We make use of darkports for several defensive purposes: to detect sophisticated scanning activity, to enable fine-grained automated defense against automated malware attacks, and to detect real-time changes in a network that may indicate a successful compromise. We compare our technique with the popular Snort intrusion detection tool, and also evaluate it using different network datasets for an application we refer to as generating exposure profiles. This is joint work with Dave Whyte and Evangelos Kranakis.


Paul Van Oorschot (Ph.D. Waterloo, 1988) is a Professor in the School of Computer Science at Carleton University, and Canada Research Chair in Network and Software Security. He founded Carleton's Digital Security Group, and directs Carleton's Computer Security Lab. Van Oorschot has worked in R&D in network security and cryptography at Bell-Northern Research and at Entrust Technologies (Ottawa) as VP, Chief Scientist, and Chief Security Architect. He co-authored the standard Handbook of Applied Cryptography, serves regularly on international conference program committees, and will be program chair of USENIX Security 2008. His research interests include authentication and identity management, network security, software protection, usable security, and security infrastructures.