
Study of attack using honeypots and honeynets lessons learned from time-oriented visualization

Article

Authors: Pavol Sokol, Lenka Kleinová, Martin Husák

Abstract

Honeypots and honeynets are unconventional security tools for studying the techniques, methods, tools, and goals of attackers. Analysis of the data collected by these tools is important for network security. In this paper, the authors focus on time-oriented data and outline the visualization of this kind of data in honeypots and honeynets. The authors also present results from a honeynet based on a specific visualization – heatmaps.

Introduction

Due to the rapid growth in the amount of information and in the transfer of messages, network security has become an increasingly important part of modern society. Traditionally, information security is primarily defensive and uses tools such as firewalls and intrusion detection systems to protect information. Attackers, however, are several steps ahead of these defensive mechanisms. From this perspective, it is necessary to find new approaches to protecting the information and infrastructure of organizations. Effective approaches can be obtained through the analysis of honeypots and honeynets.

A honeypot is “a computing resource, whose value is in being attacked” [1]. Lance Spitzner defines a honeypot as “an information system resource whose value lies in unauthorized or illicit use of that resource” [2]. Honeypots are very useful tools for learning about attackers and their objectives, methods and tools.

Honeypots can be classified by several aspects. According to their role, there are two types of honeypots – client-side and server-side honeypots. The main role of client-side honeypots is “to identify and detect malicious activities across the Internet” [3]; an example is Thug [4]. On the other hand, server-side honeypots are useful for detecting new exploits, collecting malware, and enriching threat analysis research, e.g., Conpot [5].

Another classification of honeypots is by level of interaction. The level of interaction can be defined as the range of possibilities the attacker is given after penetrating the system. A low-interaction honeypot emulates a service, or a couple of services, but does not provide a complete operating system. Examples of this type of honeypot are Dionaea [6] and HoneyD [7]. In order to get more information about attackers, their methods and attacks, a complete operating system with all services is used. This type of honeypot is referred to as a high-interaction honeypot. Its main aim is to give the attacker access to a real operating system, where nothing is emulated or restricted [1]. Examples of this type of honeypot are Sebek [8] and HonSSH [9].

Honeynet extends “the concept of a single honeypot to a highly controlled network of honeypots” [10]. However, there is “no single rule on how one should deploy this architecture” [11]. There are three core parts of the honeynet architecture that define honeynet architecture [2], [11]:

  • Data capture – monitors and logs all activities of attacker within the honeynet.

  • Data control – purpose is to control the activity of attacker.

  • Data collection – all data are captured and stored in one central location.


The first two parts are the most important, and they are applicable to every honeynet deployment. The last part – data collection – is applied by an organization that operates multiple honeynets in distributed environments.

Some authors, e.g., Shi-wei [12] and Rammidi [13], add data analysis to the above-mentioned core parts. Data analysis is the ability of a honeynet to analyse the data collected from it. Data analysis is used for “understanding, analysing, and tracking the captured probes, attacks or some other malicious activities” [1].

The collection of data from honeypots and honeynets and the subsequent analysis of these data are the main purpose of using these tools. Learning new, unconventional information about attackers and their methods helps protect organizations.

The main aim of this paper is to obtain information about attackers using visualization and analysis of time-oriented data (temporal data). By the term time-oriented data we mean the data that are in some way connected to time. More precisely, they are data values that are associated with time primitives [14].

Honeypots and honeynets capture many different kinds of data. Each record collected by a honeypot contains at least the following data:

  • timestamp,

  • service,

  • IP address of honeypot, and

  • IP address of attacker.


Timestamps are an important part of the collected data. A timestamp can be defined as “an unambiguous representation of some instant in time” [15]. Each honeypot adds a timestamp to each record; therefore, data collected by honeypots can be considered time-oriented data. From the timestamp, units or periods of time can be obtained. Later in this paper, an analysis of data collected over one year is presented; therefore, month, week, day, day of the week, and hour are used as criteria for the time-oriented analysis. The following information can be obtained from these data:

  • information about the time of the attack in relation to the target of the attack (the honeynets) and the source of the attack (using time zones),

  • information about the progress of an attack against the honeynet over a time period,

  • information about the number of attacks against the honeynet with respect to the time aspect – day, hour or month.
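The derivation of month, week, day, day of the week and hour from a record's timestamp, and the aggregation of attack counts into a day-of-week × hour heatmap, as an added example (not code from the paper; the records below are constructed, and the optional time-zone conversion assumes the analyst already knows the source's zone):

```python
from collections import Counter
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample records in the minimal form described above:
# (UTC timestamp, service, honeypot IP, attacker IP). Made-up values,
# not data from the authors' honeynet.
RECORDS = [
    ("2015-03-02T01:15:00Z", "ssh",  "192.0.2.10", "203.0.113.5"),
    ("2015-03-02T01:47:00Z", "ssh",  "192.0.2.10", "203.0.113.5"),
    ("2015-03-03T13:05:00Z", "http", "192.0.2.11", "198.51.100.7"),
    ("2015-03-08T22:30:00Z", "ssh",  "192.0.2.10", "203.0.113.9"),
    ("2015-03-09T01:02:00Z", "ssh",  "192.0.2.12", "203.0.113.5"),
]

def parse_ts(ts):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def time_features(dt):
    """Derive the time criteria used in the paper: month, ISO week, day,
    day of the week and hour."""
    return {
        "month": dt.month,
        "week": dt.isocalendar()[1],
        "day": dt.day,
        "weekday": dt.strftime("%A"),
        "hour": dt.hour,
    }

def heatmap(records, tz=None):
    """Count attacks per (weekday, hour) cell. If tz (an IANA zone name,
    assumed to be the attacker's local zone) is given, timestamps are
    re-expressed in that zone first, so working hours can be compared."""
    zone = ZoneInfo(tz) if tz else timezone.utc
    counts = Counter()
    for ts, _service, _honeypot_ip, _attacker_ip in records:
        f = time_features(parse_ts(ts).astimezone(zone))
        counts[(f["weekday"], f["hour"])] += 1
    return counts

if __name__ == "__main__":
    # Text rendering of the heatmap: one row per populated cell.
    for (weekday, hour), n in sorted(heatmap(RECORDS).items()):
        print(f"{weekday:<9} {hour:02d}:00  {'#' * n}")
```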


To formalize the scope of our work, authors state three research questions:

  • At what time do the attacks occur?

  • On which day of the month and day of the week do the attackers attack?

  • From which time zones do the attackers attack?


This paper is organized into six sections. Section II surveys related work on visualization and analysis in honeypots and honeynets. Section III outlines the dataset and the research method used in the experiment. Sections IV and V present the lessons learned from time-oriented visualization. The last section contains conclusions and the authors’ suggestions for future research.