• DocumentCode
    3095539
  • Title
    Identifying Scanning Activities in Honeynet Data Using Data Mining
  • Author
    Sqalli, Mohammed H. ; Arshad, Shoieb ; Khalaf, Mohammad ; Salah, Khaled
  • Author_Institution
    Coll. of Comput. Sci. & Eng., King Fahd Univ. of Pet. & Miner., Dhahran, Saudi Arabia
  • fYear
    2011
  • fDate
    26-28 July 2011
  • Firstpage
    178
  • Lastpage
    183
  • Abstract
    Businesses attract different types of attacks, mostly due to the financial benefits associated with gaining unauthorized access. As a first step to launching attacks, attackers scan production networks looking for open services and vulnerable software. These scanning or enumeration activities, if monitored properly, can be used as early warning systems against a much more sophisticated and dedicated attack. Honeynets are deployed for the purpose of tracking malicious activities and learning about hackers' origin, methods and attacks. However, today's Honeynets produce an enormous amount of data, which becomes a challenge to analyze. In this paper, we attempt to separate and identify scanning traffic from other types of traffic. To accomplish this, we have developed a tool that utilizes known data mining techniques to find the scanning activities in Honeynet data, which is aggregate traffic data collected by multiple Honeypots. Being able to identify scanning activities will allow security analysts to focus more on other types of traffic, and hence be able to study and analyze other types of attacks.
  • Keywords
    alarm systems; computerised monitoring; data mining; security of data; Honey pots; Honeynet data; aggregate traffic data; business; data mining; early warning system; enumeration activity; financial benefits; hacker origin; malicious activity tracking; open services; production network scanning activity; security analysts; unauthorized access; vulnerable software; Data mining; Feature extraction; IP networks; Machine learning; Probes; Servers; Time series analysis; Data Mining; Honeynet; Intrusion Detection; Scanning;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computational Intelligence, Communication Systems and Networks (CICSyN), 2011 Third International Conference on
  • Conference_Location
    Bali
  • Print_ISBN
    978-1-4577-0975-3
  • Electronic_ISBN
    978-0-7695-4482-3
  • Type
    conf
  • DOI
    10.1109/CICSyN.2011.47
  • Filename
    6005682