Employing Honeynets For Network Situational Awareness

  • Paul Barford
  • Yan Chen
  • Anup Goyal
  • Zhichun Li
  • Vern Paxson
  • Vinod Yegneswaran
Part of the Advances in Information Security book series (ADIS, volume 46)


Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one’s network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. We explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing “situational awareness.” We present such a system, built using the Bro network intrusion detection system coupled with statistical analysis of numerous honeynet “events”, and discuss experiences drawn from many months of operation. In particular, we develop methodologies by which sites receiving such probes can infer—using purely local observation—information about the probing activity: What scanning strategies does the probing employ? Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger, indiscriminant attack? One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show good potential for contributing towards effective situational awareness. Our analysis draws upon extensive honeynet data to explore the prevalence of different types of scanning, including properties, such as trend, uniformity, coordination, and darknet-avoidance. In addition, we design schemes to extrapolate the global properties of scanning events (e.g., total population and target scope) as inferred from the limited local view of a honeynet. Cross-validating with data from DShield shows that such inferences exhibit promising accuracy.


Situational Awareness Interarrival Time Address Space Source Count Source Arrival 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    OS Platform Statistics by W3school.
  5. 5.
    M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. In Network and Distributed Security Symposium, San Diego, CA, January 2005.Google Scholar
  6. 6.
    J. Bethencourt et al. Mapping internet sensors with probe response attacks. In Proc. of the USENIX Security, 2005.Google Scholar
  7. 7.
    J. Cai et al. Honeynets and honeygames: A game theoretic approach to defending network monitors. Technical Report TR1577, University of Wiscconsin, 2006.Google Scholar
  8. 8.
    E. Cooke, M. Bailey, M. Mao, D. Watson, F. Jahanian, and D. McPherson. Toward understanding distributed blackhole placement. In Proceedings of CCS Workshop on Rapid Malcode (WORM ’04), October 2004.Google Scholar
  9. 9.
    J. R. Crandall, Z. Su, and S. F. Wu. On deriving unknown vulnerabilities from zeroday polymorphic and metamorphic worm exploits. In Proc. of ACM CCS, 2005.Google Scholar
  10. 10.
  11. 11.
    German Honeynet Project. Tracking Botnets., 2005.
  12. 12.
    G. Gu et al. Bothunter: Detecting malware infection through ids-driven dialog correlation. In Proc. of USENIX Security, 2007.Google Scholar
  13. 13.
    G. Gu et al. Botsniffer: Detecting botnet command and control channels in network traffic. In Proc. of NDSS, 2008.Google Scholar
  14. 14.
    The Honeynet Project., 2003.
  15. 15.
    M. G. Kendall. Rank Correlation Methods. Griffin., 1976.Google Scholar
  16. 16.
    H. Kim and B. Karp. Autograph: Toward automated, distributed worm signature detection. In 13 th USENIX Security Symposium, San Diego, California, August 2004.Google Scholar
  17. 17.
    C. Kreibich and J. Crowcroft. Honeycomb–creating intrusion detection signatures using honeypots. In 2 nd Workshop on Hot Topics in Networks (Hotnets-II), Cambridge, Massachusetts, November 2003.Google Scholar
  18. 18.
    A. Kumar et al. Exploiting underlying structure for detailed reconstruction of an internet scale event. In Proc. of ACM IMC, 2005.Google Scholar
  19. 19.
    Z. Li, A. Goyal, Y. Chen, and V. Paxson. Towards situational awareness of large-scale botnet events using honeynets. Technical Report NWU-EECS-08-08, Northwestern University, 2008.Google Scholar
  20. 20.
    D. Moore. Network telescopes: Observing small or distant security events. Invited Presentation at the 11th USENIX Security Symposium, 2002.Google Scholar
  21. 21.
    D. Moore et al. Inside the slammer worm. IEEE Security and Privacy, 2003.Google Scholar
  22. 22.
    D. Moore, C. Shannon, and J. Brown. Code red: A case study on the spread and victims of an internet worm. In Proceedings of ACM SIGCOMM Internet Measurement Workshop, November 2002.Google Scholar
  23. 23.
    D. Moore, G. Voelker, and S. Savage. Inferring internet denial of service activity. In Proceedings of the 2001 USENIX Security Symposium, Washington D.C., August 2001.Google Scholar
  24. 24.
    Navy Aviation Schools Command. Situational Awareness., 2005.
  25. 25.
    Network Centric Operations Industry Consortium. Situational Awareness., 2005.
  26. 26.
    R. Pang et al. Characteristics of Internet background radiation. In Proc. of ACM IMC, 2004.Google Scholar
  27. 27.
    R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. In Proceedings of the ACM SIGCOMM Internet Measurement Conference, 2004.Google Scholar
  28. 28.
    V. Paxson. BRO: A system for detecting network intruders in real time. In 7 th USENIX Security Symposium, San Antonio, Texas, January 1998.Google Scholar
  29. 29.
    N. Provos. A virtual honeypot framework. In Proceedings of USENIX Security Symposium, San Diego, CA, August 2004.Google Scholar
  30. 30.
    N. Provos. A virtual honeypot framework. In Proc. of USENIX Security, 2004.Google Scholar
  31. 31.
    M. Rajab, J. Zarfoss, F. Monrose, and A. Terzis. A multifaceted approach to understanding the botnet phenomenon. In Proc. of ACM IMC, 2006.Google Scholar
  32. 32.
    J. A. Rice. Mathematical Statistics and Data Analysis. Duxbury Press, 1994.Google Scholar
  33. 33.
    S. Singh, C. Estan, G. Varghese, and S. Savage. The Earlybird system for real-time detection of unknown worms. In Operating System Design and Implementation, 2004.Google Scholar
  34. 34.
    S. Staniford et al. How to 0wn the Internet in your spare time. In Proc. of USENIX Security, 2002.Google Scholar
  35. 35.
    W. E. Weisstein. Stirling Number of the Second Kind.
  36. 36.
    V. Yegneswaran, P. Barford, and D. Plonka. On the design and use of internet sinks for network abuse monitoring. In Proceedings of Recent Advances in Intrusion Detection, 2004.Google Scholar
  37. 37.
    V. Yegneswaran, P. Barford, and J. Ullrich. Internet intrusions: Global characteristics and prevalence. In Proceedings of ACM SIGMETRICS, June 2003.Google Scholar
  38. 38.
    V. Yegneswaran, J. T. Giffin, P. Barford, and S. Jha. An Architecture for Semantic-Aware Signature Generation. In Proceedings of USENIX Security Symposium, 2005.Google Scholar

Copyright information

© Springer-Verlag US 2010

Authors and Affiliations

  • Paul Barford
    • 1
  • Yan Chen
    • 2
  • Anup Goyal
    • 2
  • Zhichun Li
    • 2
  • Vern Paxson
    • 3
  • Vinod Yegneswaran
    • 4
  1. 1.University of WisconsinWisconsinUSA
  2. 2.Northwestern UniversityNorthwesternUSA
  3. 3.University of California, International Computer Science InstituteBerkeleyUSA
  4. 4.SRI InternationalPlease Provide CityPlease Provide Country

Personalised recommendations