Classifying malicious activities in Honeynets using entropy and volume-based thresholds

A Honeynet is a network, as conceived by the Honeynet Project, designed to gather information on security threats and attacks. Honeynets are used by numerous institutions to proactively improve network security by identifying malicious and unauthorized activities in production and private networks. A Honeynet captures a substantial amount of network data and logs, and analyzing these datasets to identify malicious activities is a challenging task. The main aim of the work in this paper is to employ an anomaly detection technique to classify the different types of malicious activities present in Honeynet data. In particular, we use feature-based and volume-based schemes for Honeynet data classification. A detailed analysis of various traffic features is carried out, and the most appropriate ones for Honeynet traffic are selected. The classification of malicious activities is achieved by applying entropy-based distributions and traffic volume distributions: entropy-based distributions are used for feature-based parameters, whereas traffic volume distributions are used for volume-based parameters. The behavior of each anomaly or malicious activity is classified using the selected features and their respective threshold values. Finally, we propose a mapping between the various anomalies and their associated behavior, which can be further used to identify similar anomalies in other Honeynet datasets. Copyright © 2012 John Wiley & Sons, Ltd.
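The abstract describes the mechanism at a high level: per time bin, compute the entropy of selected traffic features (here source IP, destination IP and destination port) and the raw packet volume, then map the combination of high/low entropy and volume against thresholds to a behavior label. The following is an added illustration of that scheme and is not code or data from the paper; the flow records are constructed, and the threshold values (`HIGH_ENTROPY_BITS`, `LOW_ENTROPY_BITS`, `VOLUME_THRESHOLD`) and the behavior mapping in `classify` are assumed for the example rather than the values the paper selected.

```python
import math
from collections import Counter

# Constructed flow records: (time_bin, src_ip, dst_ip, dst_port, packets).
# Synthetic, built to exhibit three behaviours; not Honeynet data from the paper.
FLOWS = [
    # bin 0: baseline, a few hosts talking to a few services
    (0, "10.0.0.1", "192.0.2.10", 80, 5),
    (0, "10.0.0.2", "192.0.2.10", 443, 4),
    (0, "10.0.0.3", "192.0.2.11", 22, 3),
    (0, "10.0.0.4", "192.0.2.12", 25, 2),
    # bin 1: one source touching many ports on one host (dispersed dst_port)
    *[(1, "10.0.0.9", "192.0.2.10", p, 1) for p in range(1, 61)],
    # bin 2: many sources, one host:port, high volume (dispersed src_ip)
    *[(2, f"10.0.1.{i}", "192.0.2.10", 80, 40) for i in range(1, 41)],
]

# Illustrative thresholds (assumed for this example, not the paper's values).
HIGH_ENTROPY_BITS = 4.0   # feature values spread over many distinct values
LOW_ENTROPY_BITS = 1.0    # feature concentrated on one or two values
VOLUME_THRESHOLD = 500    # packets per bin above which volume is "high"


def shannon_entropy(counts):
    """Sample entropy in bits of a frequency distribution (Counter of value -> weight)."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def feature_entropies(flows, bin_id):
    """Per-bin feature entropies (packet-weighted) plus total packet volume."""
    counters = {"src_ip": Counter(), "dst_ip": Counter(), "dst_port": Counter()}
    volume = 0
    for t, src, dst, port, pkts in flows:
        if t != bin_id:
            continue
        counters["src_ip"][src] += pkts
        counters["dst_ip"][dst] += pkts
        counters["dst_port"][port] += pkts
        volume += pkts
    stats = {name: shannon_entropy(c) for name, c in counters.items()}
    stats["volume"] = volume
    return stats


def classify(stats):
    """Map an entropy/volume profile to a behavior label (assumed mapping)."""
    src, dst, port, vol = (stats["src_ip"], stats["dst_ip"],
                           stats["dst_port"], stats["volume"])
    # Many sources converging on one service with high volume: flood-like.
    if (vol >= VOLUME_THRESHOLD and src >= HIGH_ENTROPY_BITS
            and dst <= LOW_ENTROPY_BITS and port <= LOW_ENTROPY_BITS):
        return "flood"
    # One source spread across many ports: scan-like.
    if src <= LOW_ENTROPY_BITS and port >= HIGH_ENTROPY_BITS:
        return "port scan"
    return "baseline"


def classify_all(flows):
    """Classify every time bin present in the flow records."""
    bins = sorted({f[0] for f in flows})
    return {b: classify(feature_entropies(flows, b)) for b in bins}


if __name__ == "__main__":
    for b, label in classify_all(FLOWS).items():
        stats = feature_entropies(FLOWS, b)
        print(b, label, {k: round(v, 2) for k, v in stats.items()})
```

Entropy here is unnormalized sample entropy in bits, so the thresholds must be chosen relative to the bin size and the normal traffic mix; in practice a baseline profile per feature is learned from benign bins first, and the thresholds are set as deviations from it.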
