An Entropy and Volume-Based Approach for Identifying Malicious Activities in Honeynet Traffic

2011 International Conference on Cyberworlds Pub Date : 2011-10-04 DOI:10.1109/CW.2011.35

M. Sqalli, S. Firdous, Z. Baig, Farag Azzedin

{"title":"An Entropy and Volume-Based Approach for Identifying Malicious Activities in Honeynet Traffic","authors":"M. Sqalli, S. Firdous, Z. Baig, Farag Azzedin","doi":"10.1109/CW.2011.35","DOIUrl":null,"url":null,"abstract":"Honey nets are an increasingly popular choice deployed by organizations to lure attackers into a trap network, for collection and analysis of unauthorized network activity. A Honey net captures substantial amount of data and logs for analysis in order to identify malicious activities perpetrated by the hacker community. The analysis of this large amount of data is a challenging task. Through this paper, we propose a technique based on the entropy and volume thresholds of selected network features to efficiently analyze Honey net data, and identify malicious activities. Our technique consists of both feature-based and volume-based schemes to identify malicious activities in the Honey net traffic. Through deployment of our proposed approach, a detailed analysis of various traffic features is conducted and the most appropriate features for Honey net traffic are thereupon selected. The anomalies are identified using entropy distributions and volume distributions, along with their corresponding threshold levels. The proposed scheme proves to be effective in identifying most types of anomalies seen in Honey net traffic.","PeriodicalId":231796,"journal":{"name":"2011 International Conference on Cyberworlds","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2011-10-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2011 International Conference on Cyberworlds","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/CW.2011.35","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

Honey nets are an increasingly popular choice deployed by organizations to lure attackers into a trap network, for collection and analysis of unauthorized network activity. A Honey net captures substantial amount of data and logs for analysis in order to identify malicious activities perpetrated by the hacker community. The analysis of this large amount of data is a challenging task. Through this paper, we propose a technique based on the entropy and volume thresholds of selected network features to efficiently analyze Honey net data, and identify malicious activities. Our technique consists of both feature-based and volume-based schemes to identify malicious activities in the Honey net traffic. Through deployment of our proposed approach, a detailed analysis of various traffic features is conducted and the most appropriate features for Honey net traffic are thereupon selected. The anomalies are identified using entropy distributions and volume distributions, along with their corresponding threshold levels. The proposed scheme proves to be effective in identifying most types of anomalies seen in Honey net traffic.

查看原文本刊更多论文

基于熵和体积的蜜网流量恶意活动识别方法

蜜糖网是一种越来越受欢迎的选择，被组织用来引诱攻击者进入陷阱网络，收集和分析未经授权的网络活动。蜜糖网捕获大量的数据和日志进行分析，以识别由黑客社区实施的恶意活动。分析如此大量的数据是一项具有挑战性的任务。通过本文，我们提出了一种基于所选网络特征的熵和体积阈值的技术来有效地分析蜂蜜网数据，并识别恶意活动。我们的技术包括基于特征和基于容量的方案来识别Honey网络流量中的恶意活动。通过部署我们提出的方法，我们对各种流量特征进行了详细的分析，从而选择了最适合Honey网流量的特征。使用熵分布和体积分布及其相应的阈值水平来识别异常。事实证明，该方案可以有效地识别蜂蜜网络流量中的大多数异常类型。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2011 International Conference on Cyberworlds

自引率

0.00%

发文量