Classification of malicious network streams using honeynets

Misuse-based intrusion detection systems alone cannot cope with the dynamic nature of the security threats faced today by organizations globally. Variants of malware and exploits are emerging on the global canvas at an ever-increasing rate. There is a need to automate their detection by observing their malicious footprints over network streams. In this paper we evaluate a proposed technique to measure the relative similarity or level of maliciousness between different categories of malicious network streams captured by honeynets. This is measured by quantifying areas of analogous information or entropy between incoming network streams and reference malicious samples. Machine learning methods are used to quickly cluster similar groups of streams from the datasets. This technique is then evaluated using a large dataset and the correctness of the classifier is verified by using `area under the receiver operating characteristic curves´(ROC AUC) measures across various string metric-based classifiers.