InetVis: a Graphical aid for the Detection and Visualisation of Network Scans
Cited by 2 (1 self)
Abstract: This paper presents an investigative analysis of network scans and scan detection algorithms. Visualisation is employed to review network telescope traffic and identify incidents of scan activity. Some of the identified phenomena appear to be novel forms of host discovery. The scan detection algorithms of Snort and Bro are critiqued by comparing the visualised scans with alert output. Where human assessment disagrees with the alert output, explanations are sought after by analysing the detection algorithms. The algorithms of the Snort and Bro intrusion detection systems are based on counting unique connection attempts to destination addresses and ports. For Snort, notable false positive and false negative cases result due to a grossly oversimplified method of counting unique destination addresses and ports.
Detecting Pandemic and Endemic Incidents through Network Telescopes: Security Analysis, 2008
Moore et al., from the Cooperative Association for Internet Data Analysis (CAIDA), proposed in recent years another measurement and monitoring method for the network and Internet. Network Telescopes are used to detect malicious traffic events generated from Denial of Service attacks, worm-infected hosts and misconfiguration. This report is focused on endemic and pandemic incidents (DoS, Worm) and how these incidents are observed through different Darknet topologies and statistical models. Furthermore, network telescopes' effectiveness will be examined for broader understanding and evaluation.

