Title: Using Decision Trees to Extract IDS Rules from Honeypot Data

Issue Number: Vol. 4, No. 3
Year of Publication: May - 2015
Page Numbers: 427-441
Authors: Pedro Henrique Matheus da Costa Ferreira , Leandro Nunes de Castro
Journal Name: International Journal of Cyber-Security and Digital Forensics (IJCSDF) - Hong Kong
DOI: http://dx.doi.org/10.17781/P001677


It has been almost two decades since the first honeypot was proposed. Despite that, although there are several studies involving network traffic data, few are dedicated to extracting knowledge from honeypot data. The present paper uses data collected by honeypots to create rules and signatures for intrusion detection systems. The rules are extracted from decision trees constructed from the data of real honeypots installed on internet connections without any filtering. The results of the experiments show that rules for an intrusion detection system can be extracted using data mining techniques, in particular decision trees. The proposed technique allows the analyst to summarize the data into a tree in which he/she can identify problems and extract rules that help reduce or even mitigate the security problems pointed out by the honeypot.
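The following is an added example, not code from the paper, illustrating the procedure the abstract describes: build a decision tree over honeypot connection records, then read every root-to-leaf path as one IDS rule. The honeypot records, the field names (proto, dst_port, payload_sig), the attack labels, the $HOME_NET variable and the sid range are all constructed assumptions for illustration. The tree is a small ID3 (information-gain) learner over categorical features, written here so the example runs offline without a machine-learning library; the paper's own experiments and tree induction method are not reproduced.

```python
"""Extract IDS rules from a decision tree built on (constructed) honeypot records.

Added example, not the paper's code. All records below are constructed.
"""
from collections import Counter
from math import log2

# Constructed honeypot connection records (not real data). `payload_sig` is a
# short literal the analyst picked out of the first payload bytes; `label` is
# the analyst's classification of what the connection was trying to do.
HONEYPOT_RECORDS = [
    {"proto": "tcp", "dst_port": "22",   "payload_sig": "SSH-2.0",  "label": "ssh_bruteforce"},
    {"proto": "tcp", "dst_port": "22",   "payload_sig": "SSH-2.0",  "label": "ssh_bruteforce"},
    {"proto": "tcp", "dst_port": "23",   "payload_sig": "root:",    "label": "telnet_bot"},
    {"proto": "tcp", "dst_port": "23",   "payload_sig": "cd /tmp",  "label": "telnet_bot"},
    {"proto": "tcp", "dst_port": "80",   "payload_sig": "GET /",    "label": "web_scan"},
    {"proto": "tcp", "dst_port": "80",   "payload_sig": "cd /tmp",  "label": "cmd_injection"},
    {"proto": "tcp", "dst_port": "8080", "payload_sig": "GET /",    "label": "web_scan"},
    {"proto": "udp", "dst_port": "1900", "payload_sig": "M-SEARCH", "label": "udp_probe"},
    {"proto": "udp", "dst_port": "161",  "payload_sig": "public",   "label": "udp_probe"},
]
FEATURES = ("proto", "dst_port", "payload_sig")


def entropy(records):
    """Shannon entropy of the label distribution, in bits."""
    counts = Counter(r["label"] for r in records)
    n = len(records)
    return -sum(c / n * log2(c / n) for c in counts.values())


def information_gain(records, feature):
    """Entropy reduction obtained by splitting `records` on `feature`."""
    n = len(records)
    by_value = {}
    for r in records:
        by_value.setdefault(r[feature], []).append(r)
    remainder = sum(len(sub) / n * entropy(sub) for sub in by_value.values())
    return entropy(records) - remainder


def build_tree(records, features):
    """ID3: split on the highest-gain feature until each leaf is label-pure
    (or no features remain, in which case the majority label is used)."""
    labels = {r["label"] for r in records}
    if len(labels) == 1:
        return {"leaf": labels.pop()}
    if not features:
        return {"leaf": Counter(r["label"] for r in records).most_common(1)[0][0]}
    best = max(features, key=lambda f: information_gain(records, f))
    remaining = tuple(f for f in features if f != best)
    node = {"feature": best, "children": {}}
    for value in sorted({r[best] for r in records}):  # sorted for stable output
        subset = [r for r in records if r[best] == value]
        node["children"][value] = build_tree(subset, remaining)
    return node


def extract_rules(tree, conditions=()):
    """Every root-to-leaf path is one rule: a tuple of (feature, value)
    conditions and the leaf label. Returns a list of (conditions, label)."""
    if "leaf" in tree:
        return [(conditions, tree["leaf"])]
    rules = []
    for value, child in tree["children"].items():
        path = conditions + ((tree["feature"], value),)
        rules.extend(extract_rules(child, path))
    return rules


def to_snort_rule(conditions, label, sid, records):
    """Render one path as a Snort-style alert rule (assumed format).
    If the path never tested `proto`, back-fill it from the training records
    that satisfy the path when they agree, otherwise fall back to `ip`."""
    cond = dict(conditions)
    if "proto" not in cond:
        observed = {r["proto"] for r in records
                    if all(r[f] == v for f, v in conditions)}
        cond["proto"] = observed.pop() if len(observed) == 1 else "ip"
    options = [f'msg:"honeypot-derived {label}"']
    if "payload_sig" in cond:
        options.append(f'content:"{cond["payload_sig"]}"')
    options += [f"sid:{sid}", "rev:1"]  # sid range is an assumption
    header = f"alert {cond['proto']} any any -> $HOME_NET {cond.get('dst_port', 'any')}"
    return f"{header} ({'; '.join(options)};)"


TREE = build_tree(HONEYPOT_RECORDS, FEATURES)
RULES = extract_rules(TREE)

if __name__ == "__main__":
    for i, (conds, label) in enumerate(RULES, start=1):
        print(to_snort_rule(conds, label, 1000000 + i, HONEYPOT_RECORDS))
```

On these nine records the tree splits on dst_port at the root and only adds a payload condition under port 80, where a plain "GET /" and a shell command arrive on the same port; the nine connections collapse into seven rules, and the one with a content match is the one the analyst would want to review first. In practice the payload literals should be checked against real captures before a rule is deployed, and the sid range and $HOME_NET must match the target sensor's configuration.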