The Potential of Erroneous Outbound Traffic Analysis to Unveil Silent Internal Anomalies
Andrea Sordello, Zhihao Wang, Kai Huang, Alessandro Cornacchia, Marco Mellia
TL;DR
The paper challenges the inbound-centric paradigm of passive network measurement by showing that erroneous outbound traffic—packets from internal hosts that fail to complete connections or generate ICMP errors—provides a low-volume, high-signal data source for detecting internal threats and misconfigurations. It implements a stateful, SDN-driven monitor that logs only erroneous outbound traffic, enabling targeted analysis without processing the bulk benign traffic. Using a three-month campus subnet deployment, the study demonstrates that erroneous outbound traffic reveals silent anomalies such as compromised hosts, faulty DNS clients, and decommissioned deployments. The authors propose an unsupervised analysis pipeline—encompassing representation learning, clustering, pattern mining, and LLM-based hypothesis validation—to automatically identify symptoms and explain root causes, paving the way for proactive network troubleshooting and security assurance.
Abstract
Passive measurement has traditionally focused on inbound traffic to detect malicious activity, based on the assumption that threats originate externally. In this paper, we offer a complementary perspective by examining outbound traffic, and argue that a narrow subset -- what we term erroneous outbound traffic -- is a lighter and revealing yet overlooked data source for identifying a broad range of security threats and network problems. This traffic consists of packets sent by internal hosts that either receive no response, trigger ICMP errors, or are ICMP error messages themselves generated in response to unsolicited requests. To demonstrate its potential, we collect and analyse erroneous traffic from a large network, uncovering a variety of previously unnoticed issues, including misconfigurations, obsolete deployments and compromised hosts.
