• DocumentCode
    3456294
  • Title

    HonIDS: enhancing honeypot system with intrusion detection models

  • Author

    Tang, Yong ; Hu, Huaping ; Lu, Xicheng ; Wang, Jie

  • Author_Institution
    Sch. of Comput. Sci., National Univ. of Defense Technol., Hunan
  • fYear
    2006
  • fDate
    13-14 April 2006
  • Lastpage
    143
  • Abstract
    Honeypots are highly valued for their detective function. However, suitable detection models for use in honeypot systems have not been fully explored. We present HonIDS, a honeypot system for detecting malicious hosts and intruders in a local network. HonIDS is characterized by its layered structure and is enhanced by two detection models: the TFRPP (times, frequency, range, port risk, average payload length) model and the Bayes model. The basic idea of these models is that although it is hard to directly judge whether one interaction with the honeypots is an attack or malicious activity, it is possible to identify intruders by analyzing the plentiful and global events of honeypots in a given period of time. The TFRPP model gives the honeypot system the ability to assess different risks by assigning dubiety scores to the hosts that visited honeypots. The Bayes detection model can detect some main types of attacks by classification. The results of our evaluation experiments indicate that the TFRPP model and the Bayes model are effective and suitable for honeypot systems.
  • Keywords
    Bayes methods; local area networks; security of data; telecommunication security; Bayes detection model; HonIDS; classification; detective function; honeypot system; intruder identification; intrusion detection system model; local network intruder detection; malicious activity; malicious host detection; risk assessment; Computer science; Event detection; Frequency; Intrusion detection; Noise generators; Payloads; Probes; Research and development; Security; Telecommunication traffic;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Assurance, 2006. IWIA 2006. Fourth IEEE International Workshop on
  • Conference_Location
    London
  • Print_ISBN
    0-7695-2564-4
  • Type

    conf

  • DOI
    10.1109/IWIA.2006.14
  • Filename
    1610006