Identifying network traffic features suitable for honeynet data analysis

A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats, and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs that must be analysed to identify malicious activity, which is a challenging task. The main aim of this work is to identify the traffic features or parameters best suited for use in an anomaly detection technique for honeynet traffic. We carry out a detailed analysis of feature-based and volume-based parameters and select the features most appropriate for honeynet traffic. Unlike other techniques proposed in the literature, our work combines entropy distributions for the feature-based parameters with volume distributions for the volume-based parameters to evaluate the different features. The features were evaluated on real honeynet traces released by the Honeynet Project organization and other sources.
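The abstract describes scoring feature-based parameters (such as source IP or destination port) by the entropy of their per-window distribution, and volume-based parameters (such as flow or byte counts) by their per-window totals. The following is an added illustration, not code from the paper: it computes both kinds of statistic over constructed flow records (RFC 5737 documentation addresses, a hypothetical `Flow` record layout, a 10-second window) and flags windows whose statistics deviate from a baseline using a median/MAD score. The baseline windows, the threshold `k` and the relative floor on the scale are assumptions made here, not values the paper states.

```python
import math
from collections import Counter
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Flow:
    """One flow record summarised from a trace (hypothetical layout, assumed here)."""
    t: int        # seconds since the start of the trace
    src: str      # source IP address
    dst: str      # destination IP address (the honeypot)
    dport: int    # destination port
    nbytes: int   # bytes carried by the flow


def shannon_entropy(counts: Counter) -> float:
    """Entropy in bits of the empirical distribution held in `counts`."""
    total = sum(counts.values())
    h = 0.0
    for c in counts.values():
        p = c / total
        h -= p * math.log2(p)
    return h


def window_stats(flows, window=10):
    """Per time window: entropy of feature-based parameters (src IP, dst port)
    and totals of volume-based parameters (flow count, byte count)."""
    by_win = {}
    for f in flows:
        by_win.setdefault(f.t // window, []).append(f)
    stats = {}
    for w in sorted(by_win):
        fl = by_win[w]
        stats[w] = {
            "H_src": shannon_entropy(Counter(f.src for f in fl)),
            "H_dport": shannon_entropy(Counter(f.dport for f in fl)),
            "flow_count": len(fl),
            "byte_count": sum(f.nbytes for f in fl),
        }
    return stats


def flag_anomalies(stats, baseline_windows, k=3.0, rel_floor=0.05):
    """Robust z-score of each window against the baseline windows, per metric.
    The scale is the median absolute deviation, floored at rel_floor * |median|
    so that an almost constant baseline does not flag trivial jitter.
    Returns {window: {metric: score}} for windows with any score above k."""
    flagged = {}
    metrics = list(next(iter(stats.values())).keys())
    for w, s in stats.items():
        reasons = {}
        for m in metrics:
            base = [stats[b][m] for b in baseline_windows]
            med = median(base)
            mad = median([abs(x - med) for x in base])
            scale = max(mad, rel_floor * abs(med), 1e-12)
            score = abs(s[m] - med) / scale
            if score > k:
                reasons[m] = round(score, 1)
        if reasons:
            flagged[w] = reasons
    return flagged


def build_sample_flows():
    """Constructed sample: four baseline windows of diverse traffic to three
    services, then one window in which a single source touches 40 distinct ports."""
    flows = []
    srcs = ["10.0.%d.%d" % (i, i) for i in range(1, 7)]
    ports = [80, 443, 22]
    for w in range(4):
        for i in range(10 + w):               # 10, 11, 12, 13 flows per window
            flows.append(Flow(t=w * 10 + i % 10, src=srcs[i % 6],
                              dst="192.0.2.10", dport=ports[i % 3],
                              nbytes=500 + 20 * i))
    for p in range(1, 41):                     # window 4: one source, 40 ports
        flows.append(Flow(t=40 + p % 10, src="203.0.113.7",
                          dst="192.0.2.10", dport=p, nbytes=60))
    return flows


if __name__ == "__main__":
    stats = window_stats(build_sample_flows())
    for w, s in stats.items():
        print(w, {m: round(v, 3) for m, v in s.items()})
    print("flagged:", flag_anomalies(stats, baseline_windows=[0, 1, 2, 3]))
```

In the constructed trace the fifth window stands out on both kinds of parameter at once: source-IP entropy collapses to zero while destination-port entropy rises to log2(40), and the flow count jumps while the byte count falls. A window that moved only one of these statistics would be a weaker signal, which is the point of evaluating feature-based and volume-based parameters side by side.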
