Identifying network traffic features suitable for honeynet data analysis

A honeynet is a solution designed by the Honeynet Project organization to gather information on security threats and it can be used to proactively improve network security. A honeynet captures a substantial amount of data and logs for analysis in order to identify malicious activities and this is a challenging task. The main aim of this work is to identify the best traffic features or parameters that can be used in an anomaly detection technique to identify anomalies in honeynet traffic. In this work, a detailed analysis of feature-based and volume-based parameters is carried out and the most appropriate features for honeynet traffic are selected. Unlike other techniques proposed in the literature, our work combines entropy distributions for feature-based parameters and volume distributions for volume-based parameters to evaluate the different features. The features were evaluated using real honeynet traces released by the Honeynet project organization and other sources.