Identifying network traffic features suitable for honeynet data analysis

Mohammed H. Sqalli; Syed Naeem Firdous; Khaled Salah; Marwan Abu-Amara

doi:10.1109/CCECE.2011.6030620

Identifying network traffic features suitable for honeynet data analysis

Mohammed H. Sqalli, Syed Naeem Firdous, Khaled Salah, Marwan Abu-Amara

Electrical Engineering

King Fahd University for Petroleum and Minerals (KFUPM)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities and this is a challenging task. The main aim of this work is to identify the best traffic features or parameters that can be used in an anomaly detection technique to identify anomalies in honeynet traffic. In this work, a detailed analysis of feature-based and volume-based parameters is carried out and the most appropriate features for honeynet traffic are selected. Unlike other techniques proposed in the literature, our work combines entropy distributions for feature-based parameters and volume distributions for volume-based parameters to evaluate the different features. The features were evaluated using real honeynet traces released by the Honeynet project organization and other sources.

Original language	British English
Title of host publication	2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011
Pages	1044-1048
Number of pages	5
DOIs	https://doi.org/10.1109/CCECE.2011.6030620
State	Published - 2011
Event	2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011 - Niagara Falls, ON, Canada Duration: 8 May 2011 → 11 May 2011

Publication series

Name	Canadian Conference on Electrical and Computer Engineering
ISSN (Print)	0840-7789

Conference

Conference	2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011
Country/Territory	Canada
City	Niagara Falls, ON
Period	8/05/11 → 11/05/11

Keywords

entropy
feature evaluation
Honeynet Traffic
network forensics
network security

Access to Document

10.1109/CCECE.2011.6030620

Cite this

@inproceedings{11666ed4c7f24b388f880fef72bb892e,

title = "Identifying network traffic features suitable for honeynet data analysis",

abstract = "A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities and this is a challenging task. The main aim of this work is to identify the best traffic features or parameters that can be used in an anomaly detection technique to identify anomalies in honeynet traffic. In this work, a detailed analysis of feature-based and volume-based parameters is carried out and the most appropriate features for honeynet traffic are selected. Unlike other techniques proposed in the literature, our work combines entropy distributions for feature-based parameters and volume distributions for volume-based parameters to evaluate the different features. The features were evaluated using real honeynet traces released by the Honeynet project organization and other sources.",

keywords = "entropy, feature evaluation, Honeynet Traffic, network forensics, network security",

author = "Sqalli, {Mohammed H.} and Firdous, {Syed Naeem} and Khaled Salah and Marwan Abu-Amara",

year = "2011",

doi = "10.1109/CCECE.2011.6030620",

language = "British English",

isbn = "9781424497898",

series = "Canadian Conference on Electrical and Computer Engineering",

pages = "1044--1048",

booktitle = "2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011",

note = "2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011 ; Conference date: 08-05-2011 Through 11-05-2011",

}

Sqalli, MH, Firdous, SN, Salah, K & Abu-Amara, M 2011, Identifying network traffic features suitable for honeynet data analysis. in 2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011., 6030620, Canadian Conference on Electrical and Computer Engineering, pp. 1044-1048, 2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011, Niagara Falls, ON, Canada, 8/05/11. https://doi.org/10.1109/CCECE.2011.6030620

Identifying network traffic features suitable for honeynet data analysis. / Sqalli, Mohammed H.; Firdous, Syed Naeem; Salah, Khaled et al.
2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011. 2011. p. 1044-1048 6030620 (Canadian Conference on Electrical and Computer Engineering).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Identifying network traffic features suitable for honeynet data analysis

AU - Sqalli, Mohammed H.

AU - Firdous, Syed Naeem

AU - Salah, Khaled

AU - Abu-Amara, Marwan

PY - 2011

Y1 - 2011

N2 - A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities and this is a challenging task. The main aim of this work is to identify the best traffic features or parameters that can be used in an anomaly detection technique to identify anomalies in honeynet traffic. In this work, a detailed analysis of feature-based and volume-based parameters is carried out and the most appropriate features for honeynet traffic are selected. Unlike other techniques proposed in the literature, our work combines entropy distributions for feature-based parameters and volume distributions for volume-based parameters to evaluate the different features. The features were evaluated using real honeynet traces released by the Honeynet project organization and other sources.

AB - A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities and this is a challenging task. The main aim of this work is to identify the best traffic features or parameters that can be used in an anomaly detection technique to identify anomalies in honeynet traffic. In this work, a detailed analysis of feature-based and volume-based parameters is carried out and the most appropriate features for honeynet traffic are selected. Unlike other techniques proposed in the literature, our work combines entropy distributions for feature-based parameters and volume distributions for volume-based parameters to evaluate the different features. The features were evaluated using real honeynet traces released by the Honeynet project organization and other sources.

KW - entropy

KW - feature evaluation

KW - Honeynet Traffic

KW - network forensics

KW - network security

UR - http://www.scopus.com/inward/record.url?scp=80053980607&partnerID=8YFLogxK

U2 - 10.1109/CCECE.2011.6030620

DO - 10.1109/CCECE.2011.6030620

M3 - Conference contribution

AN - SCOPUS:80053980607

SN - 9781424497898

T3 - Canadian Conference on Electrical and Computer Engineering

SP - 1044

EP - 1048

BT - 2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011

T2 - 2011 Canadian Conference on Electrical and Computer Engineering, CCECE 2011

Y2 - 8 May 2011 through 11 May 2011

ER -

Identifying network traffic features suitable for honeynet data analysis

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this