SWIM: An Effective Method to Perceive Cyberspace Situation from Honeynet

As a traditional and impactful proactive defense technology, honeynet is used by network defender to imitate normal production process, which traps and captures the behavior of attackers in order to analyze the methods and tools, and also to forecast the attacking intention and situation. However, the data obtained from honeynet usually have problems such as multiple types, high redundancy and low semantics level, which make it difficult to indicate network security situation directly. Through studying biological immune mechanism, a honeynet security warning model based on Danger Theory (an “SWIM”) is proposed. By utilizing the dendritic cell algorithm, this article discusses in detail the definition and mapping for input signals, capture of honeynet antigens, fundamental analysis for output signals, as well as the security early warning. The simulation results show that, in the face of typical network attacks, SWIM accurately reflects the attacking strength, which is capable of implementing the efficient network early warning.