Sign in to use this feature.

Years

Between: -

Subjects

remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline
remove_circle_outline

Journals

Article Types

Countries / Regions

Search Results (72)

Search Parameters:
Keywords = honeypot

Order results
Result details
Results per page
Select all
Export citation of selected articles as:
27 pages, 2037 KB  
Article
Microservice-Oriented Cyber Deception Platform with Containerized Honeypots and Real-Time Telemetry
by Muhammad Shahzad and Muhsin Hassanu Saleh
J. Cybersecur. Priv. 2026, 6(4), 117; https://doi.org/10.3390/jcp6040117 - 2 Jul 2026
Viewed by 171
Abstract
The growing reliance on cyber deception as a defensive mechanism has revealed persistent limitations in existing deception infrastructures, particularly in their ability to scale, adapt, and provide continuous observability under realistic adversarial workloads. Conventional honeypot deployments are predominantly monolithic and statically configured, which [...] Read more.
The growing reliance on cyber deception as a defensive mechanism has revealed persistent limitations in existing deception infrastructures, particularly in their ability to scale, adapt, and provide continuous observability under realistic adversarial workloads. Conventional honeypot deployments are predominantly monolithic and statically configured, which constrains their responsiveness to dynamic attack conditions and limits their applicability in contemporary distributed environments. This work presents a microservice-oriented cyber deception platform that reconceptualizes deception infrastructure as a composition of loosely coupled, independently deployable services. The platform integrates containerized honeypots, a lightweight API-driven orchestration layer, and a centralized telemetry pipeline to enable rapid instantiation, dynamic reconfiguration, and high-resolution monitoring of attacker interactions. Unlike prior approaches that treat deployment, orchestration, and monitoring as separate concerns, the proposed design explicitly unifies these components within a single, measurable system architecture. To support principled reasoning about system behaviour, the paper introduces first-order analytical models that characterize deployment latency, resource utilisation, telemetry throughput, and operational cost as functions of attacker concurrency. These models are not intended as exact predictors, but as tractable abstractions that enable interpretation of system performance and guide capacity planning. Model parameters are empirically derived and validated through controlled experimentation. Evaluation is conducted within a reproducible cyber-range environment using scripted adversarial workloads that emulate reconnaissance, authentication attempts, and sustained interactive sessions. The results indicate that containerised deployment reduces instantiation latency to approximately 1.2 s under warm-start conditions, compared to tens of seconds for virtual machine-based baselines. Resource utilisation exhibits approximately linear scaling under moderate concurrency, while the telemetry pipeline sustains ingestion rates exceeding 18,000 events per minute without observable loss. Stress testing further reveals that telemetry processing, rather than orchestration, constitutes the primary scalability bottleneck. These findings suggest that microservice-based architectures can provide a viable and extensible infrastructure substrate for cyber deception, supporting both operational deployment and integration with higher-level adaptive and learning-based defence mechanisms. The contribution of this work lies not in introducing new deception strategies, but in enabling their practical realisation through a scalable and observable system design. Full article
(This article belongs to the Section Security Engineering & Applications)
Show Figures

Figure 1

25 pages, 12027 KB  
Article
Automated Cyber Threat Intelligence Extraction from Distributed Honeypots: A Hybrid Machine Learning Approach
by Hessa Abdulaziz AlJuhaiman, Qazi Emad-ul-Haq, Kyounggon Kim and Seokhee Lee
Electronics 2026, 15(13), 2900; https://doi.org/10.3390/electronics15132900 - 2 Jul 2026
Viewed by 217
Abstract
The exponential growth of Indicators of Compromise (IoCs) has overwhelmed manual triage processes in Security Operations Centers (SOCs), necessitating automated solutions for large-scale log analysis. This study proposes a hybrid machine learning framework that integrates supervised and unsupervised learning to automate the classification, [...] Read more.
The exponential growth of Indicators of Compromise (IoCs) has overwhelmed manual triage processes in Security Operations Centers (SOCs), necessitating automated solutions for large-scale log analysis. This study proposes a hybrid machine learning framework that integrates supervised and unsupervised learning to automate the classification, clustering, and contextual interpretation of Cyber Threat Intelligence (CTI). The primary contribution lies in a multi-stage feature engineering pipeline that enriches raw SIEM logs with cyclical temporal encoding and geographical metadata. In the supervised phase, a comparative evaluation of gradient boosting classifiers—XGBoost, LightGBM, and CatBoost—demonstrates that all three achieve competitive performance in categorizing known attack techniques, consistently outperforming the Random Forest baseline. The results indicate that classifier performance is dataset-dependent, and practitioners are encouraged to select the most suitable model based on their operational environment. Simultaneously, the unsupervised phase employs density-based clustering to identify emerging and previously unknown threat patterns by correlating adversarial behaviors with source attribution. By combining these two approaches, the framework ensures near-real-time feasibility and significantly enhances the scalability of automated threat extraction from distributed honeypot environments. Full article
(This article belongs to the Special Issue AI in Cybersecurity, 3rd Edition)
Show Figures

Figure 1

21 pages, 311 KB  
Article
Containment Invariants: Securing Intentionally Vulnerable Systems for Education, Training, and Research
by Stanislav Abaimov
J. Cybersecur. Priv. 2026, 6(3), 100; https://doi.org/10.3390/jcp6030100 - 8 Jun 2026
Viewed by 251
Abstract
The rise of capture-the-flag (CTF) competitions and offensive security training requires the deployment of systems that are, by design, flawed. This creates a unique architectural paradox: how does one host a system intended to be compromised without compromising the host itself? This paper [...] Read more.
The rise of capture-the-flag (CTF) competitions and offensive security training requires the deployment of systems that are, by design, flawed. This creates a unique architectural paradox: how does one host a system intended to be compromised without compromising the host itself? This paper classifies the security principles of “range engineering”—the discipline of engineering the environment. This research study synthesizes evidence across the cyber-range, honeypot, ICS/OT testbed, and cloud-isolation literature to derive a containment-focused classification of threat planes, security invariants, boundary mechanisms and properties, and operational controls for intentionally vulnerable environments used in education, training, and research. Five security invariants are derived under the assumption of expected compromise and mapped to boundary families and measurable operational objectives. The analysis further identifies under-evidenced areas, particularly control-plane isolation, corrective controls for cross-tenant failures, and systematic validation of externalization defenses. Full article
(This article belongs to the Section Security Engineering & Applications)
29 pages, 2257 KB  
Article
DYNAMIT: K-Medoids-Based Machine Learning for Scalable Honeynet Deception and Intelligent Threat Profiling
by Yan Maraden, Zaki Ananda, I Gde Dharma Nugraha and Riri Fitri Sari
Electronics 2026, 15(11), 2490; https://doi.org/10.3390/electronics15112490 - 5 Jun 2026
Viewed by 223
Abstract
As the internet and complex network infrastructures continue to expand, so does the threat of sophisticated cyberattacks, compelling organizations to adopt advanced proactive defenses. A cornerstone of these defensive strategies is the honeypot. However, existing dynamic solutions often rely on reactive deployment or [...] Read more.
As the internet and complex network infrastructures continue to expand, so does the threat of sophisticated cyberattacks, compelling organizations to adopt advanced proactive defenses. A cornerstone of these defensive strategies is the honeypot. However, existing dynamic solutions often rely on reactive deployment or centroid-based clustering (e.g., K-Means), which mathematically yields invalid, unrealistic host profiles. Because intelligent threat detection increasingly relies on high-fidelity honeypot data to analyze adversary tactics, deploying easily fingerprinted decoys fundamentally undermines downstream AI-driven defense mechanisms. To overcome this limitation, we propose DYNAMIT, an intelligent honeynet deployment system that resolves the centroid validity problem by utilizing the unsupervised K-Medoids algorithm. By combining K-Medoids with a novel hybrid Manhattan-Jaccard distance metric, DYNAMIT selects valid, existing hosts as templates based on categorical hardware and binary software similarities. The system then leverages containerization and network virtualization to simulate multiple realistic, internet-facing honeypot profiles from a single physical host, ensuring the decoys remain indistinguishable from legitimate targets. Our evaluation demonstrates that DYNAMIT accurately captures the intended number of clusters with a low relative error (18.75% for 40 hosts and 6.625% for 1000 hosts) while maintaining minimal resource overhead, establishing it as a highly scalable and robust data-generation prerequisite for modern intelligent network security. Full article
Show Figures

Figure 1

48 pages, 4107 KB  
Article
Designing CAPTCHA Systems with Reinforcement Learning for Adaptive Defense
by Meghana Indukuri, Eman Naseerkhan, Joshua Rose, Martin Tran and Younghee Park
Electronics 2026, 15(11), 2363; https://doi.org/10.3390/electronics15112363 - 30 May 2026
Viewed by 500
Abstract
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems remain a widely deployed defense against automated abuse, but advances in machine learning have reduced the effectiveness of traditional challenge-based designs and exposed limitations in proprietary risk-scoring systems. This paper [...] Read more.
CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) systems remain a widely deployed defense against automated abuse, but advances in machine learning have reduced the effectiveness of traditional challenge-based designs and exposed limitations in proprietary risk-scoring systems. This paper presents an adaptive, reinforcement learning-based CAPTCHA defense framework for high-security web applications. The proposed system formulates bot detection as a partially observable Markov decision process and uses a Proximal Policy Optimization (PPO) agent with Long Short-Term Memory to analyze streamed behavioral telemetry, including mouse movements, clicks, keystrokes, and scrolling, over sequential interaction windows. During the observation phase, the agent can continue observing or deploy a honeypot as an early-intervention and evidence-gathering action; after sufficient session evidence is accumulated, it can issue graded CAPTCHA challenges, allow a session, or block it. To complement the sequential agent, the framework also includes an XGBoost classifier that produces a session-level human-likelihood score as a supervised benchmark. The accompanying reinforcement learning environment and code base are publicly available, allowing future researchers to train, evaluate, and extend adaptive CAPTCHA policies as bot capabilities evolve. Experiments conducted on a sandbox ticket-purchasing web application demonstrate that the proposed methodology achieves strong preliminary performance on human-generated sessions and real bot sessions produced by scripted, replay-based, and Large Language Model (LLM)-powered agents. Among the evaluated reinforcement learning algorithm variants, Soft PPO achieved the best performance with 97.7% accuracy, 100% precision, and a 97.6% F1 score. Correspondingly, the XGBoost classifier achieved 99.48% accuracy, a 1.000 ROC-AUC (receiver operating characteristic area under the curve), and a 0.9919 F1 score. Our results indicate that sequential reinforcement learning can support accurate and low-friction bot detection, while the accompanying classifier provides a complementary binary benchmark. Compared to proprietary systems, the proposed framework emphasizes transparency, auditability, and explicit sequential decision-making rather than black-box risk scoring. Overall, this work introduces a publicly available, open, and adaptive CAPTCHA defense framework that supports transparent experimentation with behavior-based bot mitigation while also identifying the remaining limits that must be addressed before commercial deployment. Full article
(This article belongs to the Special Issue Novel Approaches for Deep Learning in Cybersecurity)
Show Figures

Figure 1

20 pages, 521 KB  
Review
CSAM Desistance via AI, Chatbots and Automated Warnings
by Paul A. Watters, Joel Scanlan, Jeremy Prichard and Richard Wortley
Electronics 2026, 15(11), 2281; https://doi.org/10.3390/electronics15112281 - 25 May 2026
Viewed by 425
Abstract
Automated warning messages for child sexual abuse material (CSAM) desistance are scalable, real-time digital interventions designed to interrupt user behaviors associated with the search for, access to, consumption, or distribution of CSAM by delivering salient prompts—such as pop-ups, overlays, embedded alerts, or chatbot [...] Read more.
Automated warning messages for child sexual abuse material (CSAM) desistance are scalable, real-time digital interventions designed to interrupt user behaviors associated with the search for, access to, consumption, or distribution of CSAM by delivering salient prompts—such as pop-ups, overlays, embedded alerts, or chatbot interactions—when high-risk online actions are detected (e.g., the use of flagged search terms, attempts to access known URLs, or engagement with borderline exploitative content). Unlike traditional law enforcement responses that typically occur after an offence, these systems intervene at the point of risk, adopting a preventive rather than punitive approach grounded in situational crime prevention theory and behavioral science, particularly cognitive interruption, to reduce perceived anonymity, increase awareness of legal and moral consequences, reinforce social norms, and redirect users toward desistance or support services. When deployed credibly and ethically, automated warning messages function as a critical complement to conventional enforcement by enabling early, scalable intervention that promotes behavioral reflection, desistance, and harm reduction within digital environments. Full article
Show Figures

Figure 1

14 pages, 513 KB  
Article
LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot
by Xiang Li, Nanfang Li, Zongrong Li, Lijun Yan, Denghui Ma, Haishan Cao, Xu Wang and Yu Liu
Appl. Syst. Innov. 2026, 9(5), 101; https://doi.org/10.3390/asi9050101 - 18 May 2026
Viewed by 444
Abstract
SSH honeypots serve as critical infrastructure for cyber threat intelligence, but existing LLM-based systems suffer from context window limitations causing state loss and hallucination-driven inconsistencies, making them easily detectable through simple verification tests. To address these limitations, we propose LLM-SSHH, a framework combining [...] Read more.
SSH honeypots serve as critical infrastructure for cyber threat intelligence, but existing LLM-based systems suffer from context window limitations causing state loss and hallucination-driven inconsistencies, making them easily detectable through simple verification tests. To address these limitations, we propose LLM-SSHH, a framework combining explicit state management with LLM generation to achieve long-term interaction consistency. The system maintains a persistent state snapshot organized as a three-component tuple capturing file system state, runtime context, and system metadata. The framework serializes the current state into LLM prompts and validates generated responses against state constraints to reject hallucinations. Validated responses update the state snapshot, forming a closed loop that ensures consistent state evolution throughout extended interactions. Experimental results demonstrate that LLM-SSHH achieves a mean detection rate of 0.150, representing a 3 to 4 times improvement over existing methods, significantly extending honeypot survivability for threat intelligence collection. Full article
Show Figures

Figure 1

20 pages, 3072 KB  
Article
Evolving IoT Botnet Threats and Practical Honeypot Observation: A Summary Review and Experimental Study
by Rajkumar Banoth, Santosh Reddy Addula, Aruna Kranthi Godishala, Rithwik Sannapu, Guna Sekhar Sajja, Deepak Kumar, Vinay Kumar Kasula and Chaitanya Tumma
J. Cybersecur. Priv. 2026, 6(3), 82; https://doi.org/10.3390/jcp6030082 - 2 May 2026
Viewed by 791
Abstract
The rapid proliferation of Internet of Things (IoT) devices has significantly increased the attack surface for large-scale botnet operations. While previous research, including detailed analyses using Cowrie and IoTPOT frameworks, has studied IoT botnet behavior, these studies often rely on retrospective datasets, isolated [...] Read more.
The rapid proliferation of Internet of Things (IoT) devices has significantly increased the attack surface for large-scale botnet operations. While previous research, including detailed analyses using Cowrie and IoTPOT frameworks, has studied IoT botnet behavior, these studies often rely on retrospective datasets, isolated protocol analyses, or hard-to-replicate setups. This paper addresses that gap with two main contributions: a structured review of ten influential IoT security studies from the USENIX Security Symposium and a confirmatory empirical experiment deploying Cowrie and IoTPOT honeypots simultaneously on a Microsoft Azure cloud-based virtual machine. Unlike earlier studies that focus on single protocols or large-scale environments, this work acts as a validation study, confirming well-known IoT botnet behaviors, including credential brute-force attacks, Mirai-style commands, and Telnet dominance, using real-time attack data collected from a reproducible, affordable cloud environment that simulates known IoT vulnerabilities (such as CVE-2016-10401, CVE-2017-17215, and CVE-2014-9222). Rather than revealing new attack methods, this study explicitly verifies the persistence of behaviors first documented almost ten years ago. The data indicates that attackers continue to exploit basic authentication flaws and reuse long-standing command sequences, confirming that core IoT vulnerabilities remain prevalent despite a decade of security research. It also highlights the ongoing gap between research progress and industry implementation. The analysis situates these findings within the broader evolution of IoT botnets, from early centralized command-and-control structures like Mirai to more resilient peer-to-peer networks that use anonymized channels and target high-wattage devices for power-grid manipulation. This study shows that small, cloud-based honeypots are valuable for continuous threat monitoring, model validation, and security assessments, providing a practical, reproducible approach for ongoing IoT security research. Full article
Show Figures

Figure 1

30 pages, 721 KB  
Review
A Review of Honeypots: Fingerprinting Techniques, Detection, and Evasion Mechanisms
by Arooj Chaudhry, Casper Andersen, Gaurav Choudhary and Nicola Dragoni
Future Internet 2026, 18(4), 190; https://doi.org/10.3390/fi18040190 - 1 Apr 2026
Viewed by 2436
Abstract
Honeypot fingerprinting poses a significant threat in cybersecurity, as attackers who are able to identify honeypot systems can successfully evade them, thereby greatly reducing their overall effectiveness as defensive and intelligence-gathering tools. Over the years, numerous studies have proposed a variety of analytical [...] Read more.
Honeypot fingerprinting poses a significant threat in cybersecurity, as attackers who are able to identify honeypot systems can successfully evade them, thereby greatly reducing their overall effectiveness as defensive and intelligence-gathering tools. Over the years, numerous studies have proposed a variety of analytical techniques and countermeasures to minimize honeypot fingerprinting and improve honeypot stealth. This paper presents a comprehensive examination of the methods and strategies that attackers employ to detect and fingerprint honeypot systems, including behavioural, network-based, and system-level indicators. In addition, this paper analyzes common vulnerabilities inherent in both low-interaction and high-interaction honeypots that facilitate successful fingerprinting. Existing anti-detection and obfuscation techniques are evaluated for their effectiveness and limitations. Specifically, this paper offers a structured analysis of honeypot fingerprinting techniques, examines attackers’ probing strategies, evaluates the most vulnerable protocol artifacts, and outlines mitigation strategies to reduce the likelihood of honeypot detection. Finally, this paper discusses how emerging technologies and increasingly complex computing environments, such as cloud infrastructure and virtualization, impact honeypot deployment, and it highlights open challenges and promising future research directions in the field of honeypot anti-fingerprinting. Full article
Show Figures

Figure 1

23 pages, 630 KB  
Article
Depth-First Search-Based Malicious Node Detection with Honeypot Technology in Wireless Sensor Networks
by Sercan Demirci, Doğan Yıldız, Durmuş Özkan Şahin and Asmaa Alaadin
Mathematics 2026, 14(6), 1050; https://doi.org/10.3390/math14061050 - 20 Mar 2026
Viewed by 527
Abstract
Wireless sensor networks (WSNs) are highly susceptible to Denial-of-Service (DoS) attacks due to their resource-constrained and distributed nature. In this study, we propose a novel trust-based malicious node detection mechanism that leverages a Depth-First Search (DFS) strategy to trace and identify attack sources [...] Read more.
Wireless sensor networks (WSNs) are highly susceptible to Denial-of-Service (DoS) attacks due to their resource-constrained and distributed nature. In this study, we propose a novel trust-based malicious node detection mechanism that leverages a Depth-First Search (DFS) strategy to trace and identify attack sources within clustered WSN architectures efficiently. The proposed approach dynamically evaluates trust scores between nodes to detect anomalous behaviors and employs a honeypot-based redirection system to isolate compromised nodes from the main communication flow. This combination enhances detection accuracy while minimizing false positives and energy overhead. The method is implemented and evaluated using a custom simulation environment. Comparative experimental results against state-of-the-art techniques such as the Evolved Trust Updating Mechanism (EVO) and Multi-agent Trust-based Intrusion Detection System (MULTI) demonstrate that our Trust-Based Honeypot (TBHP) achieves superior performance in terms of detection rate, false-alarm rate, and network lifetime extension. Full article
(This article belongs to the Topic Recent Advances in Security, Privacy, and Trust)
Show Figures

Figure 1

59 pages, 6917 KB  
Article
Evaluating Synthetic Cyber Deception Strategies Under Uncertainty via Game Theory Approach: Linking Information Leakage and Game Outcomes in Cyber Deception
by Mohammad Shahin, Mazdak Maghanaki and Fengshan Frank Chen
Sensors 2026, 26(6), 1748; https://doi.org/10.3390/s26061748 - 10 Mar 2026
Cited by 2 | Viewed by 1099
Abstract
The study develops a game-theoretic evaluation framework for cyber deception that quantifies deception benefit relative to an otherwise matched non-deceptive baseline and links strategic outcomes to information disclosure. A defender–attacker interaction is modeled through a paired design consisting of a baseline game without [...] Read more.
The study develops a game-theoretic evaluation framework for cyber deception that quantifies deception benefit relative to an otherwise matched non-deceptive baseline and links strategic outcomes to information disclosure. A defender–attacker interaction is modeled through a paired design consisting of a baseline game without deception and a corresponding decoy-enabled deception game, enabling direct measurement of deception impact through two operational metrics: the value of deception, defined as the baseline-referenced change in defender equilibrium utility attributable to deception, and the price of transparency, defined as the marginal loss induced by increased observability of the true system state. The analysis characterizes defender-optimal deception strategies, derives interpretable bounds and break-even conditions under which deception becomes ineffective due to cost or detectability, and establishes approximation properties that support scalable allocation rules. To complement equilibrium-based evaluation, the study introduces an information-theoretic uncertainty construct that captures the extent to which deception preserves attacker uncertainty after observation, providing a mechanism-level interpretation of when and why value of deception degrades as transparency increases. Computational experiments across heterogeneous scenarios demonstrate consistent cross-setting comparability, reveal tradeoffs among decoy realism, budget, and attacker rationality, and identify regimes in which simplified allocation heuristics approach optimal performance. Full article
Show Figures

Figure 1

20 pages, 1282 KB  
Article
Graph Neural Network-Guided TrapManager for Critical Path Identification and Decoy Deployment
by Rui Liu, Guangxia Xu and Zhenwei Hu
Mathematics 2026, 14(4), 683; https://doi.org/10.3390/math14040683 - 14 Feb 2026
Viewed by 608
Abstract
Static honeypot deployment and one-shot attack-path analysis often become ineffective against adaptive adversaries because fixed decoy layouts are easy to fingerprint and risk estimates quickly go stale. This paper presents a unified, mathematically grounded TrapManager framework that couples graph representation learning with budget-constrained [...] Read more.
Static honeypot deployment and one-shot attack-path analysis often become ineffective against adaptive adversaries because fixed decoy layouts are easy to fingerprint and risk estimates quickly go stale. This paper presents a unified, mathematically grounded TrapManager framework that couples graph representation learning with budget-constrained combinatorial optimization for dynamic cyber deception. We model attacker progression on vulnerability-based attack graphs and learn context-aware node embeddings using a Graph Attention Network (GAT) that fuses vulnerability-driven risk signals (e.g., CVSS-derived node scores) with structural features. The learned representations are used to estimate edge plausibility and rank candidate source–target routes at the path level. Given limited resources, we formulate pointTrap placement as a Mixed-Integer Programming (MIP) problem that maximizes the expected interception of high-risk paths while penalizing deployment cost under explicit budget constraints, including mandatory coverage of the top-ranked critical paths. To enable online adaptiveness, a pointTrap-triggered, event-driven feedback mechanism locally amplifies risk around alerted regions, updates path weights without retraining the GAT, and re-solves the MIP for rapid redeployment. Experiments on MulVAL-generated benchmark attack graphs and cross-domain transfer settings demonstrate fast convergence, strong discrimination between attack and non-attack edges, and early interception within a small number of hops even with minimal decoy budgets. Overall, the proposed framework provides a scalable and resource-efficient approach to closed-loop attack-path defense by integrating attention-based learning and integer optimization. Full article
Show Figures

Figure 1

29 pages, 4916 KB  
Article
SentinelGraph: Temporal Graph Reasoning for Sender Group Attribution in Honeypot Traffic
by Shiyu Wang, Cheng Tu, Min Zhang and Pengfei Xue
Electronics 2026, 15(4), 823; https://doi.org/10.3390/electronics15040823 - 14 Feb 2026
Viewed by 529
Abstract
Hosts generating unsolicited network traffic increasingly operate in a coordinated manner rather than in isolation. Scanning and exploitation activities are often distributed across multiple hosts that share common infrastructure, toolchains, and behavioral patterns, forming loosely coupled yet persistently aligned sender groups. Accurately attributing [...] Read more.
Hosts generating unsolicited network traffic increasingly operate in a coordinated manner rather than in isolation. Scanning and exploitation activities are often distributed across multiple hosts that share common infrastructure, toolchains, and behavioral patterns, forming loosely coupled yet persistently aligned sender groups. Accurately attributing such groups is critical for understanding organized activities and strengthening network defense capabilities. However, existing attribution approaches face notable limitations. Methods that rely on threat intelligence suffer from delayed updates and limited coverage. Static feature-based approaches ignore temporal ordering and therefore fail to capture multi-stage behavioral evolution. Although dynamic sequence models incorporate temporal patterns, they typically overlook the collaborative structural relationships among coordinated senders. In this paper, we propose SentinelGraph, a temporal graph reasoning framework for sender group attribution from honeypot traffic. SentinelGraph constructs a temporal knowledge graph and integrates a recurrent graph evolution module to jointly model coordination structures and their temporal dynamics. A structure enhancement module further exploits contextual information available at the target time, while an auxiliary relation loss encourages the learning of enriched entity representations. This design enables accurate attribution even for previously unseen senders by leveraging information from their observed neighbors. Experiments on real-world honeypot data demonstrate that SentinelGraph substantially outperforms state-of-the-art methods in modeling coordinated network behaviors. Full article
(This article belongs to the Special Issue AI in Network Security: Recent Advances and Prospects)
Show Figures

Figure 1

6 pages, 380 KB  
Proceeding Paper
Bridging the Data Gap in ML-Based NIDS: An Automated Honeynet Platform for Generating Real-World Malware Traffic Datasets
by Gabriel Ulloa Cano, Gabriel Sánchez Pérez, José Portillo-Portillo, Linda Karina Toscano Medina, Aldo Hernández Suárez, Jesús Olivares Mercado, Héctor Manuel Pérez Meana, Luis Javier García Villalba and Pablo Velarde Alvarado
Eng. Proc. 2026, 123(1), 36; https://doi.org/10.3390/engproc2026123036 - 13 Feb 2026
Viewed by 540
Abstract
The effectiveness of Machine Learning (ML)-based Network Intrusion Detection Systems (NIDS) is critically hampered by the scarcity of realistic and up-to-date malware traffic datasets. To address this gap, we present an automated platform for generating real-world malware traffic datasets. Our solution leverages a [...] Read more.
The effectiveness of Machine Learning (ML)-based Network Intrusion Detection Systems (NIDS) is critically hampered by the scarcity of realistic and up-to-date malware traffic datasets. To address this gap, we present an automated platform for generating real-world malware traffic datasets. Our solution leverages a production-environment honeynet (T-Pot), deployed within a university network and segmented via a secure WireGuard VPN, to capture live attacks using high-interaction honeypots (Dionaea, Cowrie, ADBhoney). A fully automated pipeline handles traffic capture, transfer, filtering based on honeypot logs, and malware analysis (VirusTotal, VxAPI). The output is the IPN-UAN-23 dataset—a curated, labeled corpus of malicious network traffic. This platform functions as a vital automated security tool, providing the continuous stream of actionable intelligence required to develop and refine robust ML-based NIDS within a DevSecOps lifecycle. Full article
(This article belongs to the Proceedings of First Summer School on Artificial Intelligence in Cybersecurity)
Show Figures

Figure 1

36 pages, 3068 KB  
Article
IRDS4C–CTIB: A Blockchain-Driven Deception Architecture for Ransomware Detection and Intelligence Sharing
by Ahmed El-Kosairy, Heba Aslan and Nashwa AbdelBaki
Future Internet 2026, 18(1), 66; https://doi.org/10.3390/fi18010066 - 21 Jan 2026
Viewed by 1014
Abstract
This paper introduces a cybersecurity framework that combines a deception-based ransomware detection system, called the Intrusion and Ransomware Detection System for Cloud (IRDS4C), with a blockchain-enabled Cyber Threat Intelligence platform (CTIB). The framework aims to improve the detection, reporting, and sharing of ransomware [...] Read more.
This paper introduces a cybersecurity framework that combines a deception-based ransomware detection system, called the Intrusion and Ransomware Detection System for Cloud (IRDS4C), with a blockchain-enabled Cyber Threat Intelligence platform (CTIB). The framework aims to improve the detection, reporting, and sharing of ransomware threats in cloud environments. IRDS4C uses deception techniques such as honeypots, honeytokens, pretender network paths, and decoy applications to identify ransomware behavior within cloud systems. Tests on 53 Windows-based ransomware samples from seven families showed an ordinary detection time of about 12 s, often quicker than tralatitious methods like file hashing or entropy analysis. These detection results are currently limited to Windows-based ransomware environments, and do not yet cover Linux, containerized, or hypervisor-level ransomware. Detected threats are formatted using STIX/TAXII standards and firmly shared through CTIB. CTIB applies a hybrid blockchain consensus of Proof of Stake (PoS) and Proof of Work (PoW) to ensure data integrity and protection from tampering. Security analysis shows that an attacker would need to control over 71% of the network to compromise the system. CTIB also improves trust, accuracy, and participation in intelligence sharing, while smart contracts control access to erogenous data. In a local prototype deployment (Hardhat devnet + FastAPI/Uvicorn), CTIB achieved 74.93–125.92 CTI submissions/min, The number of attempts or requests in each test was 100 with median end-to-end latency 455.55–724.99 ms (p95: 577.68–1364.17 ms) across PoW difficulty profiles (difficulty_bits = 8–16). Full article
(This article belongs to the Special Issue Anomaly and Intrusion Detection in Networks)
Show Figures

Graphical abstract

Back to TopTop