A machine learning based approach for intrusion prevention using honeypot interaction patterns as training data

Abstract

The work conducted in this dissertation revolves around the study of various intrusion detection systems and techniques that are used for detection. Subsequently, a prototype is developed having supervised machine learning capabilities that can be deployed on a network and used by experts to help prevent attacks. The benefits of such an approach is the ability for the system to continue learning with the aid of a supervisor, eliminating the need to continuously update databases used by traditional intrusion detection systems. A platform containing several honeypots was installed on a virtual machine with unrestricted Internet access. The honeypots were used to collect interaction data generated by attackers. Cowrie, a medium interaction honeypot, was chosen for the prototype. Scripts were written to process this data into a recognisable format by WEKA, an open source machine learning software. The classification file generated by this tool is uploaded to a web server and used to present the result in a simple and concise manner. The intrusion detection prototype was validated by testing several components of the system. Tests targeted the operation of the platform, the data gathering process, the classification output and web interface. The interface hosted on the web server provides the user with real time status of the platform. The result is a functioning intrusion detection system that relies on machine learning techniques to classify traffic generated from honeypot interactions, with its benefits and limitations.