Creating an Adaptive Defense Architecture using an Adaptive Honeypot Algorithm and Network Traffic Classifier

Mohammed Shaad Mehboob Matcheswala


Supervised by Amir Javed; Moderated by Andrew Hood

In this age of digital transformation, more and more businesses rely on technology, making it the heart of most businesses. The rapid development of digital technologies has significantly changed security perspectives and increased the risk of cyber threats. The nature of cyber threats and attacks has changed: cyber-attacks are now more frequent, complex and target-orientated, while many businesses still lack the knowledge needed to defend against them. Researchers are examining the strategies attackers use to compromise devices, to address the gap between cyber criminals and the average person. Honeypots offer a solution by tracking attackers' activities. These cybersecurity tools attract and monitor unauthorized access attempts and reveal attackers' methods and motives. Using honeypots such as Cowrie, Dionaea, Elasticpot, Honeytrap, Gridpot, RDPy and others, these activities can be closely observed. Activities such as session duration, executed commands (for example malware uploads), network scanning, port scanning, phishing emails, attempts to exploit systems in the network, and several other types of attack can be monitored. Despite their value, honeypots are eventually identified by attackers, which leads to this study's focus: an adaptive honeypot combined with a network traffic classifier in an adaptive defense architecture. This architecture uses a classifier model, trained with machine learning algorithms such as Random Forest, Naive Bayes and ANN, to classify inbound network traffic as malicious or benign. Traffic classified as benign is intended to be routed to the organization's network, and traffic classified as malicious is redirected to the honeypot. Additionally, this research involves creating an algorithm for honeypots using reinforcement learning approaches such as Q-learning, which is what makes the honeypot adaptive.
Reinforcement learning is a machine learning paradigm that teaches an agent to make decisions by letting it experiment with its environment and learn from its mistakes, receiving feedback in the form of rewards or punishments for its actions. Borrowing from game-playing applications of reinforcement learning, this study treats attackers as players and the honeypot environment as the game environment in which the reinforcement learning agent learns through rewards. Lastly, this study seeks to train the algorithm and validate the efficiency of the reinforcement learning algorithm based on the rewards it obtains, offering a comprehensive strategy to enhance honeypot functionality and cybersecurity measures.
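As an added illustration of the honeypot-as-game framing described above (this is example code, not the dissertation's own algorithm), the block below runs tabular Q-learning for a honeypot agent that chooses how to respond to each attacker action; the states, actions, attacker reactions and reward values are all constructed assumptions.

```python
import random

# Constructed toy model: the attacker is the opponent, the honeypot agent picks a
# response to each attacker action and is rewarded for keeping the session alive and
# capturing artefacts. Every state, action, transition and reward here is an assumption.
STATES = ["login", "recon", "upload", "exec"]        # attacker's current action
ACTIONS = ["allow", "deny", "fake"]                  # honeypot's possible responses
TERMINAL = "exit"
# (attacker action, honeypot response) -> (attacker's next action, reward for the honeypot)
ATTACKER_MODEL = {
    ("login", "allow"): ("recon", 1.0),  ("login", "deny"): (TERMINAL, 0.0),
    ("login", "fake"): ("recon", 0.5),   # a fake banner is less convincing
    ("recon", "allow"): ("upload", 1.0), ("recon", "deny"): (TERMINAL, 0.0),
    ("recon", "fake"): (TERMINAL, 0.0),  # inconsistent output: attacker suspects a honeypot
    ("upload", "allow"): ("exec", 5.0),  # malware sample captured
    ("upload", "deny"): (TERMINAL, 0.0), ("upload", "fake"): ("exec", 3.0),
    ("exec", "allow"): (TERMINAL, -10.0),  # really executing the payload is a real risk
    ("exec", "deny"): (TERMINAL, 0.0),
    ("exec", "fake"): (TERMINAL, 2.0),   # attacker believes it ran and reveals its next step
}

def greedy(q, state):
    """Best-known response for a state; ties are broken by ACTIONS order."""
    return max(ACTIONS, key=lambda a: (q[state][a], -ACTIONS.index(a)))

def train(episodes=2000, alpha=0.5, gamma=0.9, epsilon=0.2, seed=7):
    """Tabular Q-learning with epsilon-greedy exploration over the constructed model."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STATES}
    for _ in range(episodes):
        state = "login"                      # every session starts with a login attempt
        while state != TERMINAL:
            action = rng.choice(ACTIONS) if rng.random() < epsilon else greedy(q, state)
            nxt, reward = ATTACKER_MODEL[(state, action)]
            future = 0.0 if nxt == TERMINAL else max(q[nxt].values())
            q[state][action] += alpha * (reward + gamma * future - q[state][action])
            state = nxt
    return q

def policy(q):
    """Learned response for each attacker action."""
    return {s: greedy(q, s) for s in STATES}

def rollout(q):
    """Total reward collected when the honeypot follows the learned policy greedily."""
    state, total = "login", 0.0
    while state != TERMINAL:
        state, reward = ATTACKER_MODEL[(state, greedy(q, state))]
        total += reward
    return total
```

`policy(train())` yields the response the agent has learned for each attacker action, and `rollout` gives the reward of one session under that policy; a real deployment would replace the constructed transition table with observed attacker behaviour.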

Final Report (05/10/2023) [Zip Archive]