Abstract—Effective network security administration depends to a great extent on having accurate, concise, high-quality information about malicious activity in one’s network. Honeynets can potentially provide such detailed information, but the volume and diversity of this data can prove overwhelming. In this paper we explore ways to integrate honeypot data into daily network security monitoring with a goal of sufficiently classifying and summarizing the data to provide ongoing “situational awareness. ” We present such a system, built using the Bro NIDS, and discuss experiences drawn from six months operation. One key aspect of this environment is its ability to provide insight into large-scale events. We look at the problem of accurately classifying botnet sweeps and worm outbreaks, which turns out to be difficult to grapple with due to the high dimensionality of such incidents. Using datasets collected during a number of these events, we explore the utility of several analysis methods, finding that when used together they show promise for contributing towards effective situational awareness. I
To submit an update or takedown request for this paper, please submit an Update/Correction/Removal Request.