Visualisation of Honeypot Data Using Graphviz and Afterglow

This research in progress paper explores the use of Graphviz and Afterglow for the analysis of data emanating from a honeypot system. Honeypot systems gather a wide range of data that is often difficult to readily search for patterns and trends using conventional log file analysis techniques. The data from the honeypots has been statically extracted and processed through Afterglow scripts to produce inputs suitable for use by the DOT graph based tools contained within Graphviz. This paper explores some of the benefits and drawbacks of currently using this type of approach

Visualisation of Honeypot Data Using Graphviz and Afterglow

This research in progress paper explores the use of Graphviz and Afterglow for the analysis of data emanating from a honeypot system. Honeypot systems gather a wide range of data that is often difficult to readily search for patterns and trends using conventional log file analysis techniques. The data from the honeypots has been statically extracted and processed through Afterglow scripts to produce inputs suitable for use by the DOT graph based tools contained within Graphviz. This paper explores some of the benefits and drawbacks of currently using this type of approach

Visualization of honeypot data using Graphviz and Afterglow

This research in progress paper explores the use of Graphviz and Afterglow for the analysis of data emanating from a honeypot system. Honeypot systems gather a wide range of data that is often difficult to readily search for patterns and trends using conventional log file analysis techniques. The data from the honeypots has been statically extracted and processed through Afterglow scripts to produce inputs suitable for use by the DOT graph based tools contained within Graphviz. This paper explores some of the benefits and drawbacks of currently using this type of approach. Keywords: honeypot, network forensics, visualization, Graphviz, Afterglo

Identifikasi Malicious Host dalam Local Area Network Menggunakan Teknik Graph Clustering dan Filtering

Keamanan pada Local Area Network (LAN) sekarang ini adalah masalah serius yang harus diperhatikan. Penyebab LAN menjadi tidak aman dikarenakan teknologi firewall tidak mampu melindungi host (komputer) dalam LAN dari penyebaran malware. Penyebaran malware yang terdapat dalam LAN dilakukan oleh host di dalam LAN yang disebut sebagai malicious host. Tindakan untuk mengurangi penyebaran malware dalam LAN dapat dilakukan dengan mengidentifikasi malicious host. Penelitian ini mengusulkan metode identifikasi malicious host berdasarkan aktivitas ARP request dengan menggunakan teknik graph clustering-filtering. Teknik graph clustering-filtering merupakan langkah-langkah pengelompokan serta penyaringan node dan edge berdasarkan parameter dari graph seperti weight edge, out-degree node dan weight out-degree node yang bertujuan untuk mengidentifikasi malicious host. Berdasarkan parameter dari graph seperti out-degree node dan weight out-degree node, penghitungan persentase aktivitas host dapat dilakukan untuk menunjukkan seberapa besar tingkat aktivitas host dalam melakukan broadcast ARP request, sehingga hasil penghitungan persentase aktivitas host dapat menentukan host yang diidentifikasi sebagai malicious host. Hasil penerapan teknik graph clustering-filtering terhadap 511 node dan 4144 edge didapatkan melalui pengamatan dan pengambilan data selama 3 jam dalam LAN kampus dapat divisualisasikan menjadi hanya 22 node dan 328 edge. Hasil penghitungan berdasarkan persentase jumlah aktivitas host menunjukkan 22 node menjadi 6 node yang diperkirakan sebagai malicious host. Dengan demikian, visualisasi graph menggunakan teknik graph clustering-filtering dan persentase aktivitas host dapat mengidentifikasi jumlah host yang dicurigai sebagai  malicious host.AbstractLocal Area Network (LAN) security is a serious problem to consider. The cause of LAN becomes insecure because firewall technology is not able to protect the host (computer) in LAN from spreading malware. The spread of malware contained within a LAN is carried out by hosts in the LAN which are referred to as malicious hosts. Actions to reduce the spread of malware in the LAN can be done by identifying malicious hosts. This paper proposes a method of identifying malicious hosts based on ARP request activities using graph clustering-filtering techniques. Graph clustering-filtering techniques are steps of grouping and filtering nodes and edges based on graph parameters such as weight edges, out-degree nodes and weight out-degree nodes that aim to identify malicious hosts. Based on parameters from the graph such as out-degree node and weight out-degree node, the calculation of the percentage of host activity can be done to show how much the level of host activity in broadcasting an ARP request, so that the result of calculating the percentage of host activity can determine a host that is categorized as a malicious host. The results of graph visualization using graph clustering-filtering technique can display fewer nodes and edges, from 511 nodes and 4144 edges to 22 nodes and 328 edges observed and collected in a LAN within 3 hour in the campus LAN. The results of the calculation of the percentage of host activity show hosts from 22 nodes become only 6 nodes which are suspected as malicious hosts. Overall, graph visualization with graph clustering-filtering techniques and the percentage of host activity can find a number of hosts identified as malicious hosts