With cyber incidents and data breaches becoming increasingly common, the ability to predict a cyberattack has never been more crucial. The ability of Network Anomaly Detection Systems (NADS) to identify unusual behavior makes them useful for predicting such attacks. In this paper, we introduce a novel framework to enhance the performance of honeypot-aided NADS. We use a hybrid of two approaches, horizontal and vertical. The horizontal approach constructs a time series from the communications of each node, with node-level features capturing the node's behavior over time. The vertical approach finds anomalies within each protocol space. To the best of our knowledge, this is the first time node-level features have been used in honeypot-aided NADS. Furthermore, using extreme value theory, anomaly detection with low false positive rates is possible. Experimental results indicate the efficacy of our framework in identifying suspicious node activity from node-level features, often before the honeypot does.
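As an added illustration of the abstract's two views and its extreme-value thresholding (example code written for this page, not the paper's implementation): per-node and per-port count series are built from constructed connection records, and a peaks-over-threshold threshold is derived from a Generalized Pareto fit to the tail of benign calibration counts. The method-of-moments GPD estimator, the calibration data and the record format are assumptions of this example.

```python
import math, random, statistics
from collections import defaultdict

def build_series(records, n_windows, key):
    """One series per entity (node for the horizontal view, port for the
    vertical view): number of records falling in each time window."""
    series = defaultdict(lambda: [0] * n_windows)
    for rec in records:
        series[key(rec)][rec[0]] += 1
    return dict(series)

def gpd_fit_mom(excesses):
    """MoM Generalized Pareto fit -> (shape xi, scale sigma); assumed estimator."""
    m, v = statistics.mean(excesses), statistics.pvariance(excesses)
    if v == 0:                       # degenerate tail: exponential fallback
        return 0.0, m
    ratio = m * m / v
    return 0.5 * (1 - ratio), 0.5 * m * (ratio + 1)

def evt_threshold(calibration, q=1e-3, init_quantile=0.98):
    """Peaks-over-threshold: t = high empirical quantile, GPD fitted to the
    excesses over t, z_q = level exceeded with probability q. Returns (t, z_q)."""
    xs = sorted(calibration)
    n = len(xs)
    t = xs[int(init_quantile * (n - 1))]
    excesses = [x - t for x in xs if x > t]
    if not excesses:
        return t, t
    xi, sigma = gpd_fit_mom(excesses)
    a = q * n / len(excesses)        # target tail mass / empirical excess mass
    if abs(xi) < 1e-9:
        return t, t - sigma * math.log(a)
    return t, t + (sigma / xi) * (a ** (-xi) - 1)

def flag_entities(series, z):
    return sorted(k for k, s in series.items() if max(s) > z)
# Constructed benign calibration counts (seeded, not real traffic).
_rng = random.Random(7)
CALIBRATION = [max(0, round(_rng.gauss(20, 4))) for _ in range(500)]
# Constructed records (window, node, dst_port): A and B are steady; C is
# steady on 443 but sends 100 extra connections to 3389 in window 9.
RECORDS = [(w, n, p) for w in range(12) for n, p in (("node-A", 22), ("node-B", 80))
           for _ in range(18 + w % 5)]
RECORDS += [(w, "node-C", 443) for w in range(12) for _ in range(20)]
RECORDS += [(9, "node-C", 3389) for _ in range(100)]
def run_demo():
    t, z = evt_threshold(CALIBRATION)
    nodes = flag_entities(build_series(RECORDS, 12, key=lambda r: r[1]), z)
    ports = flag_entities(build_series(RECORDS, 12, key=lambda r: r[2]), z)
    return t, z, nodes, ports
```

Only node-C (horizontal view) and port 3389 (vertical view) exceed the EVT level; the steady nodes stay below the initial threshold, which is what keeps the false positive rate low.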