International Journal of Emerging Trends & Technology in Computer Science
A Motivation for Recent Innovation & Research
ISSN 2278-6856
www.ijettcs.org
Title: Transformation of honeypot raw data into structured data
Author Name: Majed SANAN, Mahmoud RAMMAL, WASSIM RAMMAL
ABSTRACT
A network analyzer captures, records, and analyzes
network events in order to find the source of security
attacks or other problem incidents. This system addresses the
major challenges in the collection, examination and analysis
processes. We suggest a model for collecting network data,
identifying suspicious packets, examining the protocol features
that were changed, and validating the attack. This model has been built
with specific reference to security attacks on the TCP/IP
protocol [1]. The packet capture file is analyzed for important
TCP/IP protocol features in order to mark suspicious packets. The
header information encapsulated in the packet capture file is
ported to a database. Rule sets designed for various TCP/IP
attacks are run as queries against the database to calculate various
statistical thresholds. This information validates the presence
of attacks and will be very useful for the investigation phase.
The reduced packet capture is easy to manage because only
marked packets are considered. The protocol features usually
manipulated by attackers are available in database format
for next-stage analysis and investigation. The model has been
tested with a sample attack dataset and the results are
satisfactory. The model can be extended to include attacks on
other protocols.
Keywords: honeypots, network, analyzer, attacks.
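
An added example, not code from the paper: the pipeline the abstract describes, with TCP/IP header fields ported to a database and rule queries marking suspicious packets. The three rules, the SYN threshold of 3, the table layout, the helper names and the sample packets are assumptions made for illustration; the abstract does not list the paper's own rule sets.

```python
import sqlite3
import struct

def make_packet(src, dst, sport, dport, flags):
    """Constructed sample: raw IPv4 + TCP headers, checksums left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse_headers(pkt):
    """Return (src, dst, sport, dport, flags) or None if not a complete IPv4/TCP header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if ihl < 20 or len(pkt) < ihl + 20:
        return None
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    dotted = lambda b: ".".join(map(str, b))
    return dotted(pkt[12:16]), dotted(pkt[16:20]), sport, dport, off_flags & 0x3F

# Assumed rule set: each rule is a query that selects the ids of suspicious packets.
RULES = {
    "syn_fin": "SELECT id FROM pkt WHERE (flags & 3) = 3 ORDER BY id",
    "null_flags": "SELECT id FROM pkt WHERE flags = 0 ORDER BY id",
    "syn_burst": """SELECT id FROM pkt WHERE flags = 2 AND src IN (
                      SELECT src FROM pkt WHERE flags = 2
                      GROUP BY src HAVING COUNT(*) >= :syn_threshold) ORDER BY id""",
}

def analyze(packets, syn_threshold=3):
    """Port header fields to SQLite, run every rule, return {rule: [packet ids]}."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pkt (id INTEGER PRIMARY KEY, src TEXT, dst TEXT,"
               " sport INTEGER, dport INTEGER, flags INTEGER)")
    rows = [(i, *h) for i, p in enumerate(packets) if (h := parse_headers(p))]
    db.executemany("INSERT INTO pkt VALUES (?, ?, ?, ?, ?, ?)", rows)
    params = {"syn_threshold": syn_threshold}
    return {name: [r[0] for r in db.execute(sql, params)] for name, sql in RULES.items()}

# Constructed capture using documentation address ranges (RFC 5737); ids 0-2 are bare SYNs.
SAMPLE = [make_packet("198.51.100.7", "192.0.2.10", 40000 + i, port, 0x02)
          for i, port in enumerate((22, 23, 80))] + [
    make_packet("203.0.113.5", "192.0.2.10", 51000, 80, 0x02),  # 3: lone SYN
    make_packet("203.0.113.5", "192.0.2.10", 51000, 80, 0x10),  # 4: ACK
    make_packet("198.51.100.9", "192.0.2.10", 4444, 80, 0x03),  # 5: SYN+FIN
    make_packet("198.51.100.9", "192.0.2.10", 4445, 80, 0x00),  # 6: no flags set
    b"\x45\x00",                                                # 7: truncated, skipped
]
```

Calling `analyze(SAMPLE)` returns the packet ids matched by each rule; the union of those ids is the reduced, marked subset of the capture.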
Cite this article: Majed SANAN, Mahmoud RAMMAL, WASSIM RAMMAL, "Transformation of honeypot raw data into structured data", International Journal of Emerging Trends & Technology in Computer Science (IJETTCS), Volume 4, Issue 3, May - June 2015, pp. 142-146, ISSN 2278-6856.