Advertisement

Understanding Honeypot Data by an Unsupervised Neural Visualization

  • Álvaro Alonso
  • Santiago Porras
  • Enaitz Ezpeleta
  • Ekhiotz Vergara
  • Ignacio Arenaza
  • Roberto Uribeetxeberria
  • Urko Zurutuza
  • Álvaro Herrero
  • Emilio Corchado
Part of the Advances in Intelligent and Soft Computing book series (AINSC, volume 85)

Abstract

Neural projection techniques can adaptively map high-dimensional data into a low-dimensional space, for the user-friendly visualization of data collected by different security tools. Such techniques are applied in this study for the visual inspection of honeypot data, which may be seen as a complementary network security tool that sheds light on internal data structures through visual inspection. Empirical verification of the proposed projection methods was performed in an experimental domain where data were captured from a honeypot network. Experiments showed that visual inspection of these data, contributes to easily gain a deep understanding of attack patterns and strategies.

Keywords

Projection Models Artificial Neural Networks Unsupervised Learning Network & Computer Security Intrusion Detection Honeypots 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Myerson, J.M.: Identifying Enterprise Network Vulnerabilities. International Journal of Network Management 12(3), 135–144 (2002)CrossRefGoogle Scholar
  2. 2.
    Becker, R.A., Eick, S.G., Wilks, A.R.: Visualizing Network Data. IEEE Transactions on Visualization and Computer Graphics 1(1), 16–28 (1995)CrossRefGoogle Scholar
  3. 3.
    D’Amico, A.D., Goodall, J.R., Tesone, D.R., Kopylec, J.K.: Visual Discovery in Computer Network Defense. IEEE Computer Graphics and Applications 27(5), 20–27 (2007)CrossRefGoogle Scholar
  4. 4.
    Goodall, J.R., Lutters, W.G., Rheingans, P., Komlodi, A.: Focusing on Context in Network Traffic Analysis. IEEE Computer Graphics and Applications 26(2), 72–80 (2006)CrossRefGoogle Scholar
  5. 5.
    Itoh, T., Takakura, H., Sawada, A., Koyamada, K.: Hierarchical Visualization of Network Intrusion Detection Data. IEEE Computer Graphics and Applications 26(2), 40–47 (2006)CrossRefGoogle Scholar
  6. 6.
    Livnat, Y., Agutter, J., Moon, S., Erbacher, R.F., Foresti, S.: A Visualization Paradigm for Network Intrusion Detection. In: Sixth Annual IEEE SMC Information Assurance Workshop, IAW 2005 (2005)Google Scholar
  7. 7.
    Herrero, Á., Corchado, E., Gastaldo, P., Zunino, R.: Neural Projection Techniques for the Visual Inspection of Network Traffic. Neurocomputing 72(16-18), 3649–3658 (2009)CrossRefGoogle Scholar
  8. 8.
    Herrero, Á., Corchado, E., Pellicer, M.A., Abraham, A.: MOVIH-IDS: A Mobile-Visualization Hybrid Intrusion Detection System. Neurocomputing 72(13-15), 2775–2784 (2009)CrossRefGoogle Scholar
  9. 9.
    Charles, K.A.: Decoy Systems: A New Player in Network Security and Computer Incident Response. International Journal of Digital Evidence 2(3) (2004)Google Scholar
  10. 10.
    Provos, N.: A Virtual Honeypot Framework. In: 13th USENIX Security Symposium 132 (2004)Google Scholar
  11. 11.
    Baecher, P., Koetter, M., Holz, T., Dornseif, M., Freiling, F.: The Nepenthes Platform: An Efficient Approach to Collect Malware. In: Zamboni, D., Krügel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 165–184. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-service Activity. ACM Transactions on Computer Systems 24(2), 115–139 (2006)CrossRefGoogle Scholar
  13. 13.
    Ahlberg, C., Shneiderman, B.: Visual Information Seeking: Tight Coupling of Dynamic Query Filters with Starfield Displays. In: Readings in Information Visualization: using Vision to Think, pp. 244–250. Morgan Kaufmann Publishers Inc., San Francisco (1999)Google Scholar
  14. 14.
    Goodall, J.R., Lutters, W.G., Rheingans, P., Komlodi, A.: Preserving the Big Picture: Visual Network Traffic Analysis with TNV. In: IEEE Workshop on Visualization for Computer Security (VizSEC 2005). IEEE Computer Society, Los Alamitos (2005)Google Scholar
  15. 15.
    Laskov, P., Dussel, P., Schafer, C., Rieck, K.: Learning Intrusion Detection: Supervised or Unsupervised? In: Roli, F., Vitulano, S. (eds.) ICIAP 2005. LNCS, vol. 3617, pp. 50–57. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  16. 16.
    Oja, E.: A Simplified Neuron Model as a Principal Component Analyzer. Journal of Mathematical Biology 15(3), 267–273 (1982)zbMATHCrossRefMathSciNetGoogle Scholar
  17. 17.
    Sanger, D.: Contribution Analysis: a Technique for Assigning Responsibilities to Hidden Units in Connectionist Networks. Connection Science 1(2), 115–138 (1989)CrossRefGoogle Scholar
  18. 18.
    Fyfe, C.: A Neural Network for PCA and Beyond. Neural Processing Letters 6(1-2), 33–41 (1997)CrossRefMathSciNetGoogle Scholar
  19. 19.
    Corchado, E., Fyfe, C.: Connectionist Techniques for the Identification and Suppression of Interfering Underlying Factors. International Journal of Pattern Recognition and Artificial Intelligence 17(8), 1447–1466 (2003)CrossRefGoogle Scholar
  20. 20.
    Fyfe, C., Corchado, E.: Maximum Likelihood Hebbian Rules. In: 10th European Symposium on Artificial Neural Networks, ESANN 2002 (2002)Google Scholar
  21. 21.
    Friedman, J.H., Tukey, J.W.: A Projection Pursuit Algorithm for Exploratory Data-Analysis. IEEE Transactions on Computers 23(9), 881–890 (1974)zbMATHCrossRefGoogle Scholar
  22. 22.
    Corchado, E., MacDonald, D., Fyfe, C.: Maximum and Minimum Likelihood Hebbian Learning for Exploratory Projection Pursuit. Data Mining and Knowledge Discovery 8(3), 203–225 (2004)CrossRefMathSciNetGoogle Scholar
  23. 23.
    McHugh, J.: Testing intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory. ACM Trans. Information System Security 3(4), 262–294 (2000)CrossRefGoogle Scholar
  24. 24.
    Zurutuza, U., Uribeetxeberria, R., Zamboni, D.: A Data Mining Approach for Analysis of Worm Activity through Automatic Signature Generation. In: 1st ACM Workshop on AISec. ACM, New York (2008)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Álvaro Alonso
    • 1
  • Santiago Porras
    • 1
  • Enaitz Ezpeleta
    • 2
  • Ekhiotz Vergara
    • 2
  • Ignacio Arenaza
    • 2
  • Roberto Uribeetxeberria
    • 2
  • Urko Zurutuza
    • 2
  • Álvaro Herrero
    • 1
  • Emilio Corchado
    • 3
  1. 1.Civil Engineering DepartmentUniversity of BurgosBurgosSpain
  2. 2.Electronics and Computing DepartmentMondragon UniversityArrasate-MondragonSpain
  3. 3.Departamento de Informática y AutomáticaUniversity of SalamancaSalamancaSpain

Personalised recommendations