An Entropy and Volume-Based Approach for Identifying Malicious Activities in Honeynet Traffic

• Published in: 2011 International Conference on Cyberworlds pp. 23 - 30
• Main Authors: Sqalli, M. H., Firdous, S. N., Baig, Z., Azzedin, F.
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.10.2011
• Subjects: Anomaly Detection; Cybersecurity; Educational institutions; Entropy; Feature extraction; Honeynet; IP networks; Organizations; Payloads; Security
• ISBN: 9781457714535; 1457714531
• DOI: 10.1109/CW.2011.35

Honeynets are an increasingly popular choice deployed by organizations to lure attackers into a trap network, for collection and analysis of unauthorized network activity. A Honeynet captures substantial amount of data and logs for analysis in order to identify malicious activities perpetrated by the hacker community. The analysis of this large amount of data is a challenging task. Through this paper, we propose a technique based on the entropy and volume thresholds of selected network features to efficiently analyze Honeynet data, and identify malicious activities. Our technique consists of both feature-based and volume-based schemes to identify malicious activities in the Honeynet traffic. Through deployment of our proposed approach, a detailed analysis of various traffic features is conducted and the most appropriate features for Honeynet traffic are thereupon selected. The anomalies are identified using entropy distributions and volume distributions, along with their corresponding threshold levels. The proposed scheme proves to be effective in identifying most types of anomalies seen in Honeynet traffic.