Abnormal network packets identification using header information collected from Honeywall architecture

Figures & data

Figure 1. A workflow for Cyberattack alert and data collection by V. K. Nguyen et al. (2019).

Figure 2. Honeynet architecture collects network attack data.

Figure 3. Container of a Honeynet Architecture for actual data collection.

Table 1. Information extracted from alert.

Keyword	Description
msg	The msg keyword tells the logging and alerting engine the message to print with the packet dump or alert.
Reference	The reference keyword allows rules to include references to external attack identification systems.
gid	The gid keyword (generator id) is used to identify what part of Snort generates the event when a particular rule fires.
sid	The sid keyword is used to identify Snort rules.
rev	The rev keyword is used to identify unique revisions of Snort rules.
classtype	The classtype keyword is used to categorize a rule as detecting an attack that is part of a more general type of attack class.
priority	The priority keyword assigns a severity level to rules.
metadata	The metadata keyword allows a rule writer to embed additional information about the rule, typically in a key-value format.

Table 2. General attack type collected.

STT	Classtype	Alert	Priority
1	Attempted Administrator Privilege Gain	1516	High
2	Web Application Attack	196	High
3	Potential Corporate Privacy Violation	90	High
4	Attempted User Privilege Gain	32	High
5	A Network Trojan was detected	4	High
6	Potentially Bad Traffic	504514	Medium
7	Attempted Denial of Service	1239	Medium
8	Attempted Information Leak	151	Medium
9	Unknown Traffic	19597	Low
10	Generic Protocol Command Decode	7587	Low
11	Not Suspicious Traffic	25	Low

Figure 4. Threats detected by various approaches. (a) Honeynet. (b) Firewall.

Figure 5. Distribution of locations where accessed our experimental servers exhibited on a world map.

Table 3. Emails of spam and malware in 2020 collected via Firewall.

Month	Total of emails	Spam emails	Malware
1	233	78	11
2	35	13	1
3	192	129	1
4	352	296	0
5	199	136	4
6	298	235	8
7	190	125	2
8	220	153	109
9	367	298	625
10	162.526	92.858	103
11	433.428	336.844	23
12	1.608.666	1.405.676	20

Table 4. 29 characteristics of network attack data.

No.	Features	No.	Features
1	duration	16	srv_rerror_rate
2	protocol_type	17	same_srv_rate
3	service	18	diff_srv_rate
4	flags	19	srv_diff_host_rate
5	src_bytes	20	dst_host_count
6	dst_bytes	21	dst_host_srv_count
7	land	22	dst_host_same_srv_rate
8	wrong_fragment	23	dst_host_diff_srv_rate
9	urgent	24	dst_host_same_src_port_rate
10	hot	25	dst_host_srv_diff_host_rate
11	count	26	dst_host_serror_rate
12	srv_count	27	dst_host_srv_serror_rate
13	serror_rate	28	dst_host_rerror_rate
14	srv_serror_rate	29	dst_host_srv_rerror_rate
15	rerror_rate

Table 5. Information about the number of records of the two experimental datasets.

	Normal	Low	Medium	High
Dataset with 4 classes	78,564	12,346	107,086	990
Dataset with 2 classes	78,564	120,422

Figure 6. Percentage distribution of classes in collected data. The left chart reveals the data class distribution of the binary classification tasks, while the other exhibits 4-class classification tasks.

Figure 7. LDA-based classification data representation.

Figure 8. Performance comparison of classic machine learning and deep learning algorithms. The X-axis includes abbreviations of the method names, while Y-axis shows the accuracy metric.

Figure 9. Training and testing results with ACC and AUC measurements. The X-axis includes abbreviations of the method names while Y-axis shows the numbers ranging from 0.5 to 1 to reveal the performance in accuracy and AUC.

Figure 10. Results of ACC and AUC with different filters on CNN1D.

Figure 11. ACC and AUC results with different numbers of convolution layers.

Figure 12. The results in the accuracy of training and testing phases for the 2-class and 4-class classification problems.

Table 6. Performance comparison in accuracy on the test set between 2-class and 4-class classification tasks with various learning algorithms.

	CNN1D	GBC	LDA	RF
Binary classification	0.99262	0.99933	0.96426	0.99887
4-label classification	0.93530	0.96939	0.89726	0.96935

Figure 13. Training time (in seconds in the y-axis) of the classification task.

Table 7. General attack type obtained after ten days.

Classtype	Alert	Priority
Web Application Attack	120	High
Potential Corporate Privacy Violation	10	High
Attempted User Privilege Gain	3	High
Potentially Bad Traffic	25654	Medium
Unknown Traffic	1271	Low
Generic Protocol Command Decode	6	Low

Table 8. Comparison of providing warnings between IDS-AC and Snort.

Priority	IDS-AC	Snort
High	1007	133
Medium	12557	25654
Low	742	1277
Total	14306	27064

Nguyen, V. K., Nhat Quang Truong, M., Le, V. L., Thang Le, Q., & Nguyen, T. H. (2019). A novel approach for data collection and network attack warning. In 2019 11th international conference on knowledge and systems engineering (KSE) (pp. 1–6). IEEE. https://doi.org/10.1109/KSE.2019.8919494

 Google Scholar

Availability of data, code, and material

Data and experimental scripts and data of this study are published at the Github repository link https://github.com/dzokha/ids-ac.