Honeyboost: Boosting honeypot performance with data fusion and anomaly detection
Sevvandi Kandanaarachchi, Hideya Ochiai, Asha Rao

TL;DR
Honeyboost is an unsupervised framework that enhances honeypot-based network anomaly detection by combining data fusion techniques and anomaly detection methods to improve early attack prediction and reduce false positives.
Contribution
It introduces a novel, unsupervised, dual-approach framework that significantly improves honeypot performance and anomaly detection accuracy in network security.
Findings
Effective early detection of suspicious nodes
Low false positive rates achieved with extreme value theory
Improved identification of malicious activities
Abstract
With cyber incidents and data breaches becoming increasingly common, being able to predict a cyberattack has never been more crucial. The ability of Network Anomaly Detection Systems (NADS) to identify unusual behavior makes them useful in predicting such attacks. However, NADS often suffer from high false positive rates. In this paper, we introduce a novel framework called Honeyboost that enhances the performance of honeypot-aided NADS. Using data from the LAN Security Monitoring Project, Honeyboost identifies most anomalous nodes before they access the honeypot, aiding early detection and prediction. Furthermore, using extreme value theory, we achieve the highly desirable low false positive rates. Honeyboost is an unsupervised method comprising two approaches: horizontal and vertical. The horizontal approach constructs a time series from the communications of each node, with…
Taxonomy
Topics: Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications · Time Series Analysis and Forecasting
