We propose a model for using firewall log entries of denied inbound Internet traffic for indirect discovery of local IP addresses that have security problems. This method is used successfully to discover two computers on the network of Southern Illinois University which were infected with malicious feral software, as well as two more IP addresses on the university network with other security problems.
Langin, Chet, Zhou, Hongbo and Rahimi, Shahram. "A Model to Use Denied Internet Traffic to Indirectly Discover Internal Network Security Problems." (Dec 2008).