Harnessing AI for Cyber Defense: Honeypot-Driven Intrusion Detection Systems
Abstract
1. Introduction
2. Related Work
3. Methodology
3.1. Dataset Selection and Exploratory Data Analysis (EDA)
- Event Timeline (Figure 3): Revealed activity bursts, including sudden spikes in event frequency associated with distributed denial-of-service (DDoS) or botnet activities (e.g., setup Dota3 botnet). Significant spikes are observed between the 400 and 500 s mark, indicating periods of increased activity or anomalies in the system.
- Label Frequency Distributions and Combinations (Figure 4 and Figure 5): Highlighted the occurrences of suspicious (‘sus’) and malicious (‘evil’) labels, as well as their combinations, to provide a deeper understanding of label occurrences and relationships across the training, validation, and test datasets. The combination distribution illustrated in Figure 5 reveals significant variations and challenges that affect the development and evaluation of the anomaly detection model. Notably, malicious events (sus = 1, evil = 1) are entirely absent from the training dataset, constituting 0% of it. This lack of exposure to malicious activity during training presents a critical challenge: the model may struggle to detect and classify rare but severe threats in unseen data. The validation dataset shows the same pronounced imbalance, with malicious events again entirely absent, which restricts the capacity of the model to fine-tune its parameters for detecting severe threats. Consequently, the model may perform well in classifying benign and suspicious activities but fail to generalize effectively when encountering malicious events in real-world scenarios. By contrast, the test dataset offers a distinct distribution, with a significant proportion of malicious events, providing a unique opportunity to rigorously evaluate the model’s ability to detect and classify severe threats under realistic conditions. However, the comparatively lower representation of benign and suspicious events highlights the need for the model to balance its classification capabilities across all activity types and avoid overfitting to the dominant malicious class. Overall, the distribution imbalances across these datasets present notable challenges for model development and evaluation.
Although the training and validation datasets lack sufficient representation of malicious events, the test dataset emphasizes the importance of detecting these critical threats. To address these challenges, the pre-processing stage focuses on strategies to balance the datasets, ensuring a well-rounded and effective anomaly detection model that performs robustly in diverse scenarios. As shown in Table 1, the majority of events are benign, with only 13.88% being classified as malicious.
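The class shares reported in Table 1 can be reproduced directly from the label counts. The sketch below uses the counts taken from Table 1; in practice the same distribution would come from value_counts over the sus and evil columns (column names as in the BETH dataset):

```python
import pandas as pd

# Counts per (sus, evil) combination, as reported in Table 1.
counts = pd.Series(
    {(0, 0): 967_564, (1, 0): 15_082, (1, 1): 158_432},
    name="count",
)
percentages = (counts / counts.sum() * 100).round(2)
print(percentages)
# On the raw labeled events, the equivalent would be e.g.:
# percentages = (df.value_counts(["sus", "evil"], normalize=True) * 100).round(2)
```

This recovers the 84.79% / 1.32% / 13.88% split shown in Table 1.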
- Correlation Heatmaps (Figure 6): Conducted to examine the relationships among the selected features and the target variables across the training, validation, and testing datasets, and their respective impacts on model design and pre-processing decisions. These heatmaps provide valuable insights into feature dependencies and their potential influence on model training and evaluation. They were generated by computing Pearson correlation coefficients for all pairs of numeric features using pandas’ corr() function and visualized with seaborn’s heatmap(). In the training dataset, a strong correlation is observed between userId and the sus label, indicating a significant relationship between user activity patterns and suspicious behavior. However, no data are available for the evil label in the training set, limiting insights into its interaction with other features. The perfect positive correlation (1.0) between processId and threadId indicates that these features are essentially identical, implying possible redundancy. The features eventId and argsNum show a moderate positive correlation (0.63), highlighting their relevance in distinguishing event characteristics. Other features, such as parentProcessId, exhibit weak correlations with the target variable, suggesting limited predictive utility. Additionally, most feature correlations remain near zero, indicating minimal multicollinearity, which is favorable for machine learning models such as iForest that assume feature independence. In the validation dataset, the correlation patterns are consistent with those of the training dataset, and sus maintains a strong correlation with userId (0.99). However, no substantial correlations are evident between the other features and the target variable, which reinforces the independence assumption.
Interestingly, mountNamespace displays negative correlations with several features, potentially indicating distinct behavior patterns associated with this feature. The test dataset reveals distinct correlation patterns, given the significant presence of malicious events (evil). The evil label exhibits strong correlations with userId (0.90) and parentProcessId (0.72). Furthermore, the sus and timestamp features show moderate positive correlations with evil, with coefficients of 0.73 and 0.70, respectively, indicating their significance in identifying malicious activities. The higher prevalence of malicious events in the test set contributes to stronger correlations with specific features, providing a realistic context for model evaluation.
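As described above, the heatmaps follow from pandas’ corr() and seaborn’s heatmap(). A minimal, self-contained sketch on toy values (feature names follow the dataset; the numbers are illustrative, and the plotting call is left as a comment):

```python
import pandas as pd

# Toy frame with a few of the numeric features named in the text.
df = pd.DataFrame({
    "processId": [100, 101, 102, 103],
    "threadId":  [100, 101, 102, 103],  # identical to processId -> correlation 1.0
    "eventId":   [3, 7, 7, 9],
    "argsNum":   [1, 2, 3, 4],
})
corr = df.corr(method="pearson")        # pairwise Pearson coefficients
print(corr)
# Visualization (omitted here) would be e.g.:
# import seaborn as sns; sns.heatmap(corr, annot=True, cmap="coolwarm")
```

The perfect processId/threadId correlation noted in the text shows up immediately in such a matrix, which is what motivates dropping one of the two as redundant.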
3.2. Data Pre-Processing
- Data Transformation: This step ensured consistency and compatibility across dataset formats. Raw features are transformed to align with the requirements of the anomaly detection model, adhering to the recommendations outlined in [11]. These transformations aim to optimize the feature representation and thereby improve model performance. In the proposed iForest model, we employed the same set of engineered features to ensure consistency and comparability.
- Data Standardization: To address variations in feature scales, data standardization is performed by normalizing the feature values. This process ensured that the features are on a comparable scale, enhancing the convergence of the model during training. The target variable, sus (suspicious activity), served as the primary label for model training. Standardizing the data is particularly crucial for the iForest algorithm because it relies on consistent feature scaling to accurately detect anomalies. We standardized all seven input features using the StandardScaler() class from the scikit-learn library to ensure zero mean and unit variance across each dimension. The following Python code snippet illustrates how we applied it:

from sklearn.preprocessing import StandardScaler

scaler = StandardScaler()
X_train_scaled = scaler.fit_transform(X_train)
X_val_scaled = scaler.transform(X_val)
X_test_scaled = scaler.transform(X_test)
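For context, a standardize-then-fit pipeline of this kind can be sketched end to end with scikit-learn’s IsolationForest. The synthetic data, tree count, and contamination value below are illustrative assumptions, not the tuned settings of this work:

```python
import numpy as np
from sklearn.ensemble import IsolationForest
from sklearn.preprocessing import StandardScaler

rng = np.random.default_rng(0)
# Stand-in for the seven engineered features; real data would be X_train etc.
X_train = rng.normal(size=(500, 7))
# Test set: 50 normal points plus 5 far-off points acting as anomalies.
X_test = np.vstack([rng.normal(size=(50, 7)), rng.normal(8, 1, size=(5, 7))])

scaler = StandardScaler()
X_train_scaled = scaler.fit_transform(X_train)
X_test_scaled = scaler.transform(X_test)

model = IsolationForest(n_estimators=100, contamination=0.01, random_state=42)
model.fit(X_train_scaled)
pred = model.predict(X_test_scaled)  # +1 = inlier, -1 = anomaly
print((pred == -1).sum(), "events flagged as anomalous")
```

Fitting the scaler on the training split alone and reusing it on validation and test data, as in the snippet above, prevents information from the evaluation sets leaking into the standardization statistics.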
3.3. Machine Learning Model Training
3.4. Model Validation and Evaluation
4. Experimentation Results and Discussion
4.1. Confusion Matrix Analysis
4.2. Sensitivity Analysis
4.3. Precision Analysis
4.4. F1-Score Analysis
4.5. Accuracy Analysis
4.6. Area Under the Receiver Operating Characteristic Curve (AUROC) Analysis
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Verma, R. Cybersecurity Challenges in the Era of Digital Transformation; Infinity Publication Pvt. Ltd.: Lunawada, India, 2024; p. 187.
- Pearson, N. A larger problem: Financial and reputational risks. Comput. Fraud. Secur. 2014, 2014, 11–13.
- Mahdi, A.A. Machine learning applications of network security enhancement: Review. Comput. Sci. Res. J. 2024, 5, 2283–2300.
- Albtosh, L.B. Advancements in cybersecurity and machine learning: A comprehensive review of recent research. World J. Adv. Eng. Technol. Sci. 2024, 13, 271–284.
- Phulre, A.K.; Jain, S.; Jain, G. Evaluating Security Enhancement Through Machine Learning Approaches for Anomaly-Based Intrusion Detection Systems. In Proceedings of the 2024 IEEE International Students’ Conference on Electrical, Electronics and Computer Science (SCEECS), Bhopal, India, 24–25 February 2024; pp. 1–5.
- Vajpayee, P.; Hossain, G. Reduction of Cyber Value at Risk (CVaR) Through AI Enabled Anomaly Detection. In Proceedings of the SoutheastCon 2024, Atlanta, GA, USA, 15–24 March 2024; pp. 623–629.
- Arjunan, T. Detecting Anomalies and Intrusions in Unstructured Cybersecurity Data Using Natural Language Processing. Int. J. Sci. Technol. Eng. 2024, 12, 1023–1029.
- Tushkanova, O.; Levshun, D.; Branitskiy, A.; Fedorchenko, E.; Novikova, E.; Kotenko, I. Detection of Cyberattacks and Anomalies in Cyber-Physical Systems: Approaches, Data Sources, Evaluation. Algorithms 2023, 16, 85.
- Amal, M.; Venkadesh, P. Review of cyber attack detection: Honeypot system. Webology 2022, 19, 5497–5514.
- Baisholan, N.; Baisholanova, K.; Kubayev, K.; Alimzhanova, Z.; Baimuldina, N. Corporate network anomaly detection methodology utilizing machine learning algorithms. Smart Sci. 2024, 12, 666–678.
- Highnam, K.; Arulkumaran, K.; Hanif, Z.; Jennings, N.R. BETH Dataset: Real Cybersecurity Data for Anomaly Detection Research. In Proceedings of the ICML Workshop on Uncertainty and Robustness in Deep Learning, Virtual, 23 July 2021.
- Landauer, M.; Onder, S.; Skopik, F.; Wurzenberger, M. Deep learning for anomaly detection in log data: A survey. Mach. Learn. Appl. 2023, 12, 100470.
- Diamantoulakis, P.; Dalamagkas, C.; Radoglou-Grammatikis, P.; Sarigiannidis, P.; Karagiannidis, G. Game Theoretic Honeypot Deployment in Smart Grid. Sensors 2020, 20, 4199.
- Kandanaarachchi, S.; Ochiai, H.; Rao, A. Honeyboost: Boosting honeypot performance with data fusion and anomaly detection. arXiv 2021, arXiv:2105.02526.
- Tian, W.; Du, M.; Ji, X.; Liu, G.; Dai, Y.; Han, Z. Honeypot detection strategy against advanced persistent threats in industrial internet of things: A prospect theoretic game. IEEE Internet Things J. 2021, 8, 17372–17381.
- Radoglou-Grammatikis, P.; Sarigiannidis, P.; Diamantoulakis, P.; Lagkas, T.; Saoulidis, T.; Fountoukidis, E.; Karagiannidis, G. Strategic honeypot deployment in ultra-dense beyond 5g networks: A reinforcement learning approach. IEEE Trans. Emerg. Top. Comput. 2022, 12, 643–655.
- Tian, W.; Ji, X.; Liu, W.; Liu, G.; Zhai, J.; Dai, Y.; Huang, S. Prospect theoretic study of honeypot defense against advanced persistent threats in power grid. IEEE Access 2020, 8, 64075–64085.
- Albaseer, A.; Abdi, N.; Abdallah, M.; Qaraqe, M.; Al-Kuwari, S. FedPot: A Quality-Aware Collaborative and Incentivized Honeypot-Based Detector for Smart Grid Networks. IEEE Trans. Netw. Serv. Manag. 2024, 21, 4844–4860.
- Rehman, M.U.; Ahmadi, H.; Hassan, W.U. FLASH: A Comprehensive Approach to Intrusion Detection via Provenance Graph Representation Learning. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2024; p. 139.
- Mo, X.; Zhang, Y.; Zhang, L.Y.; Luo, W.; Sun, N.; Hu, S.; Gao, S.; Xiang, Y. Robust backdoor detection for deep learning via topological evolution dynamics. In Proceedings of the 2024 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 19–23 May 2024; p. 171.
- Inam, M.A.; Chen, Y.; Goyal, A.; Liu, J.; Mink, J.; Michael, N.; Gaur, S.; Bates, A.; Hassan, W.U. SoK: History is a vast early warning system: Auditing the provenance of system intrusions. In Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 21–25 May 2023; pp. 2620–2638.
- Thudumu, S.; Branch, P.; Jin, J.; Singh, J.J. A comprehensive survey of anomaly detection techniques for high dimensional big data. J. Big Data 2020, 7, 42.
- Stolfo, S.J.; Hershkop, S.; Bui, L.H.; Ferster, R.; Wang, K. Anomaly detection in computer security and an application to file system accesses. In Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2005; pp. 14–28.
- Available online: https://www.kaggle.com/datasets/katehighnam/beth-dataset/data (accessed on 2 December 2024).
Type | Combination (sus, evil) | Count | Percentage
---|---|---|---
Benign Events | (0, 0) | 967,564 | 84.79%
Suspicious Events | (1, 0) | 15,082 | 1.32%
Malicious Events | (1, 1) | 158,432 | 13.88%
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Alatawi, E.; Albalawi, U. Harnessing AI for Cyber Defense: Honeypot-Driven Intrusion Detection Systems. Symmetry 2025, 17, 628. https://doi.org/10.3390/sym17050628