AI-Based-Honeypot-Attack-Detection-System: A Network Attack Detection System Based on Honeypots and Machine Learning

Project Name: AI-Based-Honeypot-Attack-Detection-System Original Author: Sidd1007 Source: GitHub (Link: https://github.com/Sidd1007/AI-Based-Honeypot-Attack-Detection-System) Core Functions: Combines Cowrie and Dionaea honeypot technologies with the Random Forest machine learning algorithm, extracts features from honeypot logs and automatically classifies brute-force attacks and interactive attacks, providing intelligent analysis capabilities for network security defense.

Definition of Honeypot

A security mechanism that lures attackers by setting up seemingly valuable targets, records and analyzes attack behaviors, and any access can be regarded as suspicious activity.

Honeypots Used in the Project

1. Cowrie: A medium-interactive SSH/Telnet honeypot that simulates a Unix environment, recording brute-force attacks, shell interactions, command execution, file downloads, etc.
2. Dionaea: A low-interactive honeypot that simulates vulnerable services like SMB and MSSQL, capturing malware payloads.

System operation is divided into 6 phases:

1. Honeypot Deployment: Deploy Cowrie and Dionaea in an isolated environment, configure logs and monitoring.
2. Attack Capture: Record incoming connections, login attempts, command execution, file downloads, etc.
3. Feature Extraction: Extract features from logs (total number of attempts, number of unique usernames, number of failed/successful attempts, average time interval, number of command executions, session duration).
4. Dataset Generation: Organize features into CSV format.
5. Model Training: Use scikit-learn to train a Random Forest classifier (ensemble learning to improve accuracy and robustness).
6. Attack Prediction: The model classifies new activities as brute-force attacks or interactive attacks.

Feature Engineering

Feature design reflects attack patterns:

• High-frequency login attempts with short intervals → Brute-force attack
• Complex command sequences + long sessions → Interactive attack
• Large number of unique usernames → Dictionary attack

Model Performance

The Random Forest classifier achieves an average cross-validation accuracy of 71.67% (considering attack diversity and log noise, this is a usable benchmark).

Visualization

Provides scripts for confusion matrix and feature importance visualization to help understand the model's decision logic.

1. Security Operations Center (SOC): Automatically classify honeypot alerts, helping analysts prioritize high-risk interactive attacks.
2. Threat Intelligence Collection: Accumulate labeled data to train more accurate models, collect attacker behavior patterns and tool preferences.
3. Security Research and Education: Provide practical cases for students/beginners, covering honeypot deployment, log analysis, feature engineering, and machine learning applications.

1. Expand Honeypot Types: Introduce Conpot (industrial control systems), Glastopf (web applications), etc., to expand attack coverage.
2. Try Other Algorithms: Such as XGBoost, LightGBM, or deep learning models to improve accuracy.
3. Real-Time Detection: Expand from offline batch processing to a real-time stream processing architecture.
4. Attacker Profiling: Combine multi-honeypot data to build behavior profiles and correlation analysis.

AI-Based-Honeypot-Attack-Detection-System is a typical project combining traditional security technology with modern AI, demonstrating the process of converting honeypot data into machine learning features and the application of Random Forest. Target Audience:

• Students who are new to network security machine learning
• Security engineers who need to quickly build an attack detection prototype It provides a clear and runnable starting point for relevant personnel.