Abstract
Monitoring Internet traffic is critical in order to acquire a good understanding of threats and in designing efficient security systems. While honeypots are flexible security tools for gathering intelligence of Internet attacks, traffic collected by honeypots is of high dimensionality that makes it difficult to characterize. In this paper, we propose the use of principal component analysis, a multivariate analysis technique, for characterizing honeypot traffic and separating latent groups of activities. In addition, we show the usefulness of principal component plots in visualizing the interrelationships between the detected groups of acitivities and in finding outliers. This work is demonstrated through the use of low interaction honeypot traffic data from the Leurre.com project, a world wide deployment of low interaction honeypots.