
Research On Application Of Data Mining In Honeypot Log Analysis

Posted on: 2011-02-13
Degree: Master
Type: Thesis
Country: China
Candidate: T Jin
Full Text: PDF
GTID: 2178330338484194
Subject: Communication and Information System
Abstract/Summary:
Honeypot is a new kind of proactive security technology. It is a deceptive system that aims to attract attacks or intrusions, which can be used to protect products while collecting information about the attackers. Its configuration is flexible and it offers a variety of settings for providing network security. A honeypot collects only a small but valuable set of data. Compared with Intrusion Detection Systems (IDS), a honeypot greatly reduces both false negatives and false positives, so that system administrators can focus on data analysis.

As network security issues continue to grow in both number and variety, analysing the logs of mass attacks against a honeypot becomes more difficult and time-consuming, which calls for data mining technologies to improve the efficiency of data analysis. Data mining can take the form of an unsupervised knowledge discovery process (e.g. Knowledge Discovery in Databases), extracting patterns of interest, including previously unknown knowledge and regularities, from a large number of network packets. Applying data mining technologies to honeypot log analysis makes it possible to use the discovered patterns or rules to forecast attack trends and to identify the characteristics and patterns of attack behaviour.

This paper first describes the principles and current status of honeypot technology, using the open source software Honeyd as the example, and then conducts a detailed data mining analysis of the preprocessed log data. Cluster analysis, association rule mining and sequence analysis algorithms are applied to identify similarity and relevance between data records, as well as frequently occurring time sequences in the audit data, in order to discover and understand attacker behaviour and attack patterns.

This paper establishes a set of data mining algorithms suitable for log analysis and improves the efficiency of the related algorithms. Finally, tests are conducted on real Honeyd log data collected in a public network environment, in which multiple data mining algorithms are implemented and compared in terms of applicability and effectiveness, verifying the feasibility of applying data mining technologies to honeypot log analysis.
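As an added illustration (not code from the thesis), the following Python sketch walks two of the three mining steps the abstract names over a handful of constructed Honeyd-style log lines: preprocessing each packet record into an itemset, Apriori-style association rule mining over protocol, flag and destination port, and a simple sequence analysis of the order in which each source probes ports. The log field layout, the thresholds and the sample addresses are all assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations
# Constructed Honeyd-style packet log lines; field layout (ts proto(num) flag src sport dst dport) is assumed.
LOG = """\
2011-02-13-10:00:01.0001 tcp(6) S 10.1.1.7 40211 192.168.0.10 445
2011-02-13-10:00:02.0002 tcp(6) S 10.1.1.7 40212 192.168.0.10 139
2011-02-13-10:00:03.0003 tcp(6) S 10.1.1.9 51000 192.168.0.11 445
2011-02-13-10:00:04.0004 tcp(6) S 10.1.1.9 51001 192.168.0.11 139
2011-02-13-10:00:05.0005 tcp(6) S 10.1.1.9 51002 192.168.0.11 22
2011-02-13-10:00:06.0006 udp(17) - 10.1.1.12 5353 192.168.0.10 1434
2011-02-13-10:00:07.0007 tcp(6) S 10.1.1.14 33001 192.168.0.12 445
2011-02-13-10:00:08.0008 tcp(6) S 10.1.1.14 33002 192.168.0.12 139
"""

def parse(log):
    """Preprocess: one (timestamp, source, itemset) record per log line."""
    records = []
    for line in log.splitlines():
        ts, proto, flag, src, _sport, _dst, dport = line.split()[:7]
        records.append((ts, src, frozenset({"proto=" + proto.split("(")[0], "flag=" + flag, "dport=" + dport})))
    return records

def frequent_itemsets(transactions, min_support):
    """Apriori: grow candidate itemsets level by level, keeping those at or above min_support."""
    n, support = len(transactions), {}
    level = {frozenset([item]) for t in transactions for item in t}
    while level:
        counts = Counter(s for t in transactions for s in level if s <= t)
        frequent = {s: c / n for s, c in counts.items() if c / n >= min_support}
        support.update(frequent)
        size = len(next(iter(level))) + 1
        level = {a | b for a, b in combinations(frequent, 2) if len(a | b) == size}
    return support

def association_rules(support, min_conf):
    """Rules X -> Y over frequent itemsets, confidence = supp(X u Y) / supp(X)."""
    rules = {}
    for itemset, sup in support.items():
        for r in range(1, len(itemset)):
            for x in map(frozenset, combinations(itemset, r)):
                if sup / support[x] >= min_conf:
                    rules[(x, itemset - x)] = sup / support[x]
    return rules

def port_sequences(records, length=2):
    """Sequence analysis: count ordered n-grams of probed ports per attacking source."""
    by_src = defaultdict(list)
    for _ts, src, items in sorted(records):
        by_src[src].append(next(i for i in items if i.startswith("dport=")))
    return Counter(tuple(seq[i:i + length]) for seq in by_src.values() for i in range(len(seq) - length + 1))
```

On the constructed data the rule dport=445 -> {proto=tcp, flag=S} reaches confidence 1.0 while the reverse direction does not, and the sequence 445 then 139 is the most common probe order.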
Keywords/Search Tags: Honeypot, data mining, log analysis, cluster analysis, association rule, sequence analysis