Characterizing Honeypot-Captured Cyber-attacks: Statistical Framework and Case Study

Authors

  • Gulomov Sherzod Rajaboyevich PhD, Associate Professor, Head of the Department of "Information Security", Tashkent University of Information Technology named after Muhammad al-Khwarizmi, Uzbekistan
  • Salimova Husniya Rustamovna Master's degree, specialty "Information Security", Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Uzbekistan
  • Ganiyev Asadullo Mahmud o’g’li Bachelor's degree, Faculty of Software Engineering, Tashkent University of Information Technologies named after Muhammad al-Khwarizmi, Uzbekistan

Keywords:

Cyber security, cyber-attacks, stochastic cyber-attack process, statistical properties, long-range dependence (LRD), cyber-attack prediction, forensic analysis of honeypots, network

Abstract

We propose the first statistical framework for rigorously analyzing honeypot-captured cyber-attack data. The framework is built on the novel concept of the stochastic cyber-attack process, a new kind of mathematical object for describing cyber-attacks. To demonstrate use of the framework, we apply it to analyze a low-interaction honeypot dataset, while noting that the framework can equally be applied to high-interaction honeypot data, which contains richer information about the attacks. The case study finds, for the first time, that Long-Range Dependence (LRD) is exhibited by honeypot-captured cyber-attacks. The case study confirms that by exploiting the statistical properties (LRD in this case), it is feasible to predict cyber-attacks (at least in terms of attack rate) with good accuracy. This kind of prediction capability would provide sufficient early-warning time for defenders to adjust their defense configurations or resource allocations. The idea of “gray-box” (rather than “black-box”) prediction is central to the utility of the statistical framework, and represents a significant step towards ultimately understanding (the degree of) the predictability of cyber-attacks. Attacks on the internet keep increasing and cause harm to our security systems. To minimize this threat, it is necessary to have a security system that is able to detect zero-day attacks and block them. “Honeypot is the proactive defense technology, in which resources placed in a network with the aim to observe and capture new attacks”. This paper proposes a honeypot-based model for an intrusion detection system (IDS) to obtain the most useful data about the attacker. The abilities and limitations of honeypots were tested, and aspects that need to be improved were identified. In the future, we aim to use this trend for early prevention so that pre-emptive action is taken before any unexpected harm to our security system.

Published

2022-05-30

How to Cite

Rajaboyevich, G. S., Rustamovna, S. H., & o’g’li, G. A. M. (2022). Characterizing Honeypot-Captured Cyber-attacks: Statistical Framework and Case Study. International Journal of Innovative Analyses and Emerging Technology, 2(5), 63–67. Retrieved from https://openaccessjournals.eu/index.php/ijiaet/article/view/1378

Section

Articles