HONEYPOT-BASED THREAT DETECTION SYSTEM

Course Instructor

Pramod Gupta

Lead Team Member Affiliation

Computer Science

Second Team Member Affiliation

Computer Science

Abstract

Modern organizations face an escalating volume of cyberattacks that traditional perimeter-based and reactive security tools are ill-equipped to fully address. Intrusion detection systems and firewalls can identify and block known threats, but they provide limited insight into attacker methodology, tooling, and behavior once a system is compromised. This gap in defensive intelligence makes it difficult for security teams to anticipate attack patterns, improve detection logic, and build more resilient defenses. Honeypots address this limitation by deploying intentionally vulnerable decoy systems that lure malicious actors into a monitored environment, enabling defenders to observe attacker behavior without risk to production infrastructure.

Despite their utility, honeypot deployments in educational and small enterprise contexts are often limited to single-service configurations that capture only narrow attack vectors. Multi-layer honeypot frameworks capable of simultaneously capturing SSH brute force activity, malware delivery attempts, and credential theft across a unified logging and alerting pipeline remain underexplored in applied academic settings. Additionally, integrating real-time alerting and visual analytics into such deployments is rarely demonstrated end-to-end in a validated, reproducible environment.

This project addresses these gaps by designing, deploying, and validating a multi-layer honeypot-based threat detection system using the T-Pot CE framework on Ubuntu 24.04 in an isolated VMware environment. The system integrates Cowrie for SSH and Telnet deception, Dionaea for malware capture, and Canarytokens for credential-use alerting, unified under an Elasticsearch and Kibana stack for log aggregation and visualization. A custom Python alerting pipeline provides real-time email notification upon attacker session activity. The detection pipeline was validated through a structured five-stage simulated attack conducted from a Kali Linux environment using Nmap, Hydra, Metasploit, and standard post-exploitation techniques. Results confirmed successful detection across all attack stages, demonstrating the viability of multi-layer honeypot deployments as a practical and accessible mechanism for generating actionable defensive threat intelligence.
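The abstract describes a custom Python pipeline that turns Cowrie session activity into e-mail alerts. The following is an added illustration of that idea, not the project's own code: it parses Cowrie-style JSON log lines, groups events per session, decides which sessions warrant an alert (a successful login, a typed command, or a run of failed logins consistent with brute forcing), and builds the alert message. The log lines are constructed for the example; the field names (`eventid`, `session`, `src_ip`, `username`, `password`, `input`) follow Cowrie's JSON log schema as commonly documented, and the threshold, addresses and IPs are assumptions chosen here.

```python
"""Cowrie-style honeypot alerting pipeline (added example, not the project's code)."""
import json
from email.message import EmailMessage

# Constructed sample log in Cowrie's JSON-lines format. Field names follow Cowrie's
# schema; sessions, IPs (RFC 5737 test ranges) and credentials are made up.
# The last line simulates a truncated record from a log mid-rotation.
SAMPLE_LOG = """
{"eventid": "cowrie.session.connect", "session": "a1", "src_ip": "198.51.100.7", "timestamp": "2025-01-01T10:00:00Z"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "198.51.100.7", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "session": "a1", "src_ip": "198.51.100.7", "username": "root", "password": "password"}
{"eventid": "cowrie.login.success", "session": "a1", "src_ip": "198.51.100.7", "username": "root", "password": "toor"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "a1", "src_ip": "198.51.100.7", "input": "cat /etc/passwd"}
{"eventid": "cowrie.session.closed", "session": "a1", "src_ip": "198.51.100.7"}
{"eventid": "cowrie.session.connect", "session": "b2", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "admin", "password": "admin"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "admin", "password": "1234"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "pi", "password": "raspberry"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "user", "password": "user"}
{"eventid": "cowrie.login.failed", "session": "b2", "src_ip": "203.0.113.9", "username": "test", "password": "test"}
{"eventid": "cowrie.session.closed", "session": "b2", "src_ip": "203.0.113.9"}
{"eventid": "cowrie.session.connect", "session": "c3", "src_ip": "192.0.2.44"}
{"eventid": "cowrie.session.closed", "session": "c3", "src_ip": "192.0.2.44"}
{"eventid": "cowrie.login.fai
"""

# Assumed tuning value: how many failed logins in one session count as brute forcing.
BRUTE_FORCE_THRESHOLD = 5


def parse_events(text):
    """Yield one dict per well-formed JSON line; skip blank or truncated lines
    instead of aborting the whole pipeline on a single bad record."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def summarize_sessions(events):
    """Fold per-event records into one summary per Cowrie session id."""
    sessions = {}
    for ev in events:
        sid = ev.get("session")
        if sid is None:
            continue
        s = sessions.setdefault(
            sid, {"src_ip": ev.get("src_ip"), "failed_logins": 0, "credentials": None, "commands": []}
        )
        eid = ev.get("eventid", "")
        if eid == "cowrie.login.failed":
            s["failed_logins"] += 1
        elif eid == "cowrie.login.success":
            s["credentials"] = (ev.get("username"), ev.get("password"))
        elif eid == "cowrie.command.input":
            s["commands"].append(ev.get("input", ""))
    return sessions


def alert_reason(summary):
    """Return why a session should be alerted on, or None for benign noise
    (e.g. a bare connect/close from a port scanner)."""
    if summary["credentials"] is not None:
        return "interactive login on honeypot"
    if summary["commands"]:
        return "command executed on honeypot"
    if summary["failed_logins"] >= BRUTE_FORCE_THRESHOLD:
        return f"{summary['failed_logins']} failed logins (brute force)"
    return None


def build_alerts(text, sender="honeypot@example.invalid", recipient="soc@example.invalid"):
    """Build one EmailMessage per alertable session. Delivery (smtplib) is left out;
    addresses are placeholders."""
    alerts = []
    for sid, s in summarize_sessions(parse_events(text)).items():
        reason = alert_reason(s)
        if reason is None:
            continue
        msg = EmailMessage()
        msg["Subject"] = f"[honeypot] {reason}: session {sid} from {s['src_ip']}"
        msg["From"] = sender
        msg["To"] = recipient
        body = [f"Session: {sid}", f"Source IP: {s['src_ip']}", f"Failed logins: {s['failed_logins']}"]
        if s["credentials"] is not None:
            body.append("Accepted credentials: %s / %s" % s["credentials"])
        if s["commands"]:
            body.append("Commands:")
            body.extend("  " + c for c in s["commands"])
        msg.set_content("\n".join(body) + "\n")
        alerts.append(msg)
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert["Subject"])
        print(alert.get_content())
```

Run on the constructed log, session `a1` alerts on the accepted login and the two commands, `b2` alerts on the five failed logins, and `c3` (connect and close only) produces nothing; the truncated final line is skipped. In a deployment the same functions would be fed from Cowrie's rotating JSON log and the messages handed to an SMTP client, with the raw events still landing in Elasticsearch for the Kibana dashboards.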
