Zing Forum

ShadowMesh: An Adaptive Honeypot System Combining Deep Reinforcement Learning and Generative AI

ShadowMesh is an innovative cybersecurity defense project that combines deep reinforcement learning, generative AI, and traditional honeypot technologies to build an intelligent deception system capable of dynamically adapting to attackers' behaviors.

Honeypot, Cybersecurity, Reinforcement Learning, Generative AI, Cowrie, Threat Intelligence, Deception Technology, Docker, Elasticsearch
Published 2026-05-13 21:38 | Recent activity 2026-05-13 22:00 | Estimated read 6 min

Section 01

ShadowMesh Project Introduction: AI-Driven Adaptive Honeypot System

ShadowMesh is an innovative cybersecurity defense project that combines deep reinforcement learning, generative AI, and traditional honeypot technologies. It aims to address the pain point of traditional honeypots being easily identifiable due to their static nature, building an intelligent deception system that dynamically adapts to attackers' behaviors. Its goals are to prolong attackers' dwell time, collect rich threat intelligence, and generate executable defense rules.

Section 02

Limitations of Traditional Honeypots

As an important tool for observing attackers and collecting threat intelligence, traditional honeypots attract attackers by simulating vulnerable systems. However, their static nature makes them easily identifiable by experienced attackers (e.g., overly perfect configurations, a lack of real user traces, suspicious blank areas, etc.), leading attackers to terminate sessions quickly. This means losing the opportunity to keep collecting intelligence, and it limits their effectiveness in Advanced Persistent Threat (APT) environments.

Section 03

ShadowMesh Core Architecture and Technical Implementation

ShadowMesh adopts a layered collaborative architecture, with core design concepts including adaptive deception mechanisms, generative decoy content, and telemetry-driven defense output:

1. Infrastructure Layer: Orchestrated via Docker Compose, including Cowrie SSH honeypot, Elasticsearch log storage, and Kibana visualization, ensuring environment consistency.
2. Log and Telemetry Layer: Python converts Cowrie raw logs into structured Elasticsearch documents; a session aggregation layer builds attacker session profiles.
3. Attacker Simulation Layer: A Paramiko-based simulator generates multi-profile test data to support reinforcement learning training.
4. Generative Decoy Layer: Connects to large models via the OpenRouter API to generate realistic files (configurations, logs, user data, etc.).
5. Rule Generation Layer: Extracts features from session summaries to generate Snort network detection rules and YARA malware detection rules.
6. Reinforcement Learning Agent Layer (Planned): Defines observation space, action space, and reward functions to enable autonomous adjustment of defense strategies.
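To make the log and telemetry layer concrete, here is an added sketch of session aggregation over Cowrie JSON events; it is not ShadowMesh's own code. The event and field names are Cowrie's JSON log keys, while the sample lines, addresses, and the output document fields (`session_id`, `interactive`, `command_count`) are constructed assumptions.

```python
import json
from collections import defaultdict

# Constructed sample events using Cowrie's JSON log keys; one line is deliberately malformed.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"203.0.113.7","timestamp":"2026-05-13T10:00:00.000000Z"}
{"eventid":"cowrie.login.failed","session":"a1","username":"root","password":"123456","timestamp":"2026-05-13T10:00:02.000000Z"}
{"eventid":"cowrie.login.success","session":"a1","username":"root","password":"admin","timestamp":"2026-05-13T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","session":"a1","input":"uname -a","timestamp":"2026-05-13T10:00:06.000000Z"}
{"eventid":"cowrie.command.input","session":"a1","input":"cat /etc/passwd","timestamp":"2026-05-13T10:00:09.000000Z"}
{"eventid":"cowrie.session.closed","session":"a1","duration":12.5,"timestamp":"2026-05-13T10:00:12.500000Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"198.51.100.23","timestamp":"2026-05-13T10:05:00.000000Z"}
not-json garbage line
{"eventid":"cowrie.login.failed","session":"b2","username":"admin","password":"admin","timestamp":"2026-05-13T10:05:01.000000Z"}
"""

def new_profile():
    return {"src_ip": None, "start": None, "failed_logins": 0, "credentials": [],
            "logged_in": False, "commands": [], "duration_s": None, "closed": False}

def aggregate_sessions(lines):
    """Fold Cowrie events into one profile per session id; skip malformed lines."""
    sessions = defaultdict(new_profile)
    for line in lines:
        try:
            ev = json.loads(line)
            sid, kind = ev["session"], ev["eventid"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # not JSON, not an object, or missing the session/eventid keys
        p = sessions[sid]
        if kind == "cowrie.session.connect":
            p["src_ip"], p["start"] = ev.get("src_ip"), ev.get("timestamp")
        elif kind in ("cowrie.login.failed", "cowrie.login.success"):
            p["credentials"].append((ev.get("username"), ev.get("password")))
            p["logged_in"] = p["logged_in"] or kind == "cowrie.login.success"
            p["failed_logins"] += int(kind == "cowrie.login.failed")
        elif kind == "cowrie.command.input":
            p["commands"].append(ev.get("input", ""))
        elif kind == "cowrie.session.closed":
            p["duration_s"], p["closed"] = ev.get("duration"), True
    return dict(sessions)

def to_documents(sessions):
    """Flatten profiles into index-ready dicts (field names are hypothetical)."""
    return [{"session_id": sid, "interactive": p["logged_in"] and bool(p["commands"]),
             "command_count": len(p["commands"]), **p} for sid, p in sessions.items()]

if __name__ == "__main__":
    print(json.dumps(to_documents(aggregate_sessions(SAMPLE_LOG.splitlines())), indent=2))
```

Session `b2` never emits a close event, so its profile keeps `closed` as False; a real pipeline has to decide when to flush such open sessions.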

Section 04

Current Implementations and Future Milestones

As of the time of writing, the implemented features include:

- Containerized SSH honeypot stack deployment
- Log forwarding and session aggregation pipeline
- Multi-profile attacker simulator
- AI-driven decoy file generation
- Preliminary Snort/YARA rule generation
- Reinforcement learning agent interface and scaffolding
- Adaptive bridge module (dynamic decoy deployment)

Future milestones: Train reinforcement learning strategies and real-time execution loops, expand web deception surfaces, and conduct formal evaluation of static baselines.

Section 05

Practical Significance and Application Prospects

ShadowMesh represents a shift from static decoys to a dynamic defense ecosystem:

- For enterprise SOC: Integrate into threat detection systems, provide early warnings, and produce detection rules to harden real assets.
- Technical value: Demonstrate the practical application of generative AI and reinforcement learning in cybersecurity, and prove that defenders can use AI to counter attackers' AI tools and upgrade defense systems.

Section 06

Project Summary and Outlook

Although ShadowMesh is in the development stage, its design concept is clear. Its goal is to build an intelligent honeypot framework that is hard to fingerprint, has high observation value, and aligns with modern threat intelligence processes. Researchers and practitioners interested in active defense, deception technologies, or AI security applications are encouraged to pay attention to and participate in this project.