Conference: International Conference on Cyberworlds

An Entropy and Volume-Based Approach for Identifying Malicious Activities in Honeynet Traffic

Abstract

Honeynets are an increasingly popular choice deployed by organizations to lure attackers into a trap network, for collection and analysis of unauthorized network activity. A Honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities perpetrated by the hacker community. The analysis of this large amount of data is a challenging task. In this paper, we propose a technique based on the entropy and volume thresholds of selected network features to efficiently analyze Honeynet data and identify malicious activities. Our technique consists of both feature-based and volume-based schemes to identify malicious activities in the Honeynet traffic. Through deployment of our proposed approach, a detailed analysis of various traffic features is conducted and the most appropriate features for Honeynet traffic are thereupon selected. The anomalies are identified using entropy distributions and volume distributions, along with their corresponding threshold levels. The proposed scheme proves to be effective in identifying most types of anomalies seen in Honeynet traffic.