Classifying malicious activities in Honeynets using entropy and volume-based thresholds


Correspondence: Mohammed H. Sqalli, Computer Engineering Department, King Fahd University of Petroleum and Minerals, Dhahran 31261, Saudi Arabia.



A Honeynet is a network designed by the Honeynet Project organization to gather information on security threats and attacks. Honeynets are being used by numerous institutions to proactively improve network security by identifying malicious and unauthorized activities in production and private networks. A Honeynet captures a substantial amount of network data and logs. The analysis of these datasets to identify malicious activities is a challenging task. The main aim of the work in this paper is to employ an anomaly detection technique to classify the different types of malicious activities present in a Honeynet. In particular, we use feature-based and volume-based schemes for Honeynet data classification. A detailed analysis of various traffic features is carried out, and the most appropriate ones for Honeynet traffic are selected. The classification of malicious activities is achieved by applying entropy-based distributions and traffic volume distributions. Entropy-based distributions are used for feature-based parameters, whereas traffic volume distributions are used for volume-based parameters. The behavior of various anomalies or malicious activities is classified using the selected features and their respective threshold values. Finally, we propose a mapping between the various anomalies and their associated behavior, which can be further used to identify similar anomalies in other Honeynet datasets. Copyright © 2012 John Wiley & Sons, Ltd.
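The following is an added illustration, not code from the paper, of the scheme the abstract outlines: per time window, a feature-based indicator (Shannon entropy of source IP and destination port) and a volume-based indicator (flow count) are compared against thresholds, and the resulting combination is mapped to an anomaly label. The flow records, the chosen features, the window boundaries and the threshold values are all assumptions made for the example; the paper selects its own features and derives its thresholds from the Honeynet traces.

```python
import math
from collections import Counter

# Constructed sample flow records (window_id, src_ip, dst_ip, dst_port).
# Addresses come from RFC 5737 documentation ranges; nothing here is from the paper's dataset.
FLOWS = (
    # w1: background noise, four sources each touching two services
    [("w1", f"203.0.113.{i}", "192.0.2.10", p) for i in (1, 2, 3, 4) for p in (22, 80)]
    # w2: one source probing sixteen different ports on one host
    + [("w2", "203.0.113.50", "192.0.2.10", p) for p in range(1, 17)]
    # w3: five sources hammering a single service
    + [("w3", f"203.0.113.{i}", "192.0.2.10", 80) for i in range(60, 65) for _ in range(4)]
)

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def window_features(flows):
    """Feature-based (entropy) and volume-based (count) indicators for one window."""
    return {
        "volume": len(flows),
        "src_ip_entropy": shannon_entropy(f[1] for f in flows),
        "dst_port_entropy": shannon_entropy(f[3] for f in flows),
    }

# Assumed threshold values, chosen for this constructed sample only.
THRESHOLDS = {"volume_high": 12, "src_low": 1.0, "port_high": 3.0, "port_low": 0.5}

def classify(feat, t=THRESHOLDS):
    """Map the indicator combination to an anomaly label (assumed mapping)."""
    high_volume = feat["volume"] > t["volume_high"]
    if high_volume and feat["src_ip_entropy"] < t["src_low"] and feat["dst_port_entropy"] > t["port_high"]:
        return "port scan"          # few sources spread over many ports
    if high_volume and feat["dst_port_entropy"] < t["port_low"]:
        return "flood on a single service"  # many flows concentrated on one port
    return "baseline"

def classify_windows(flows=FLOWS):
    """Group flows by window id and label each window."""
    by_window = {}
    for f in flows:
        by_window.setdefault(f[0], []).append(f)
    return {w: classify(window_features(fl)) for w, fl in sorted(by_window.items())}

if __name__ == "__main__":
    for w, label in classify_windows().items():
        print(w, label)
```

Running the block labels w1 as baseline, w2 as a port scan and w3 as a single-service flood; in practice the thresholds would be calibrated on a known-clean period of the same Honeynet's traffic.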