Classifying malicious activities in Honeynets using entropy and volume-based thresholds

Mohammed H. Sqalli, Syed Naeem Firdous, Khaled Salah, Marwan Abu-Amara

Research output: Contribution to journal › Article › peer-review

3 Scopus citations


A Honeynet is a network designed by the Honeynet Project organization to gather information on security threats and attacks. Honeynets are being used by numerous institutions to proactively improve network security by identifying malicious and unauthorized activities in production and private networks. A Honeynet captures a substantial amount of network data and logs. The analysis of these datasets to identify malicious activities is a challenging task. The main aim of the work in this paper is to employ an anomaly detection technique to classify different types of malicious activities present in Honeynet. In particular, we use feature-based and volume-based schemes for Honeynet data classification. A detailed analysis of various traffic features is carried out, and the most appropriate ones for Honeynet traffic are selected. The classification of malicious activities is achieved by applying entropy-based distributions and traffic volume distributions. Entropy-based distributions are used for feature-based parameters, whereas traffic volume distributions are used for volume-based parameters. The behavior of various anomalies or malicious activities is classified using the selected features and their respective threshold values. Finally, we propose a mapping between the various anomalies and their associated behavior, which can be further used to identify similar anomalies in other Honeynet data sets.

Original language: British English
Pages (from-to): 567-583
Number of pages: 17
Journal: Security and Communication Networks
Issue number: 5
State: Published - May 2013


  • Classification
  • Honeynet
  • Malicious, entropy
  • Security

