Search Results (52)

Search Parameters:
Keywords = honeypots

17 pages, 1723 KB  
Article
HoneyLite: A Lightweight Honeypot Security Solution for SMEs
by Nurayn AlQahtan, Aseel AlOlayan, AbdulAziz AlAjaji and Abdulaziz Almaslukh
Sensors 2025, 25(16), 5207; https://doi.org/10.3390/s25165207 - 21 Aug 2025
Viewed by 453
Abstract
Small and medium-sized enterprises (SMEs) are increasingly targeted by cyber threats but often lack the financial and technical resources to implement advanced security systems. This paper presents HoneyLite, a lightweight and dynamic honeypot-based security solution specifically designed to meet the constraints and cybersecurity needs of SMEs. Unlike traditional honeypots, HoneyLite integrates real-time network traffic analysis with automated malware detection via the VirusTotal API, enabling it to identify a wide range of cyber threats, including TCP scans, FTP/SSH intrusions, ICMP flood attacks, and malicious file uploads. Developed using open-source tools, the system operates with minimal resource overhead and is validated within a simulated virtual environment. It also generates detailed threat reports to support incident analysis and response. By combining affordability, adaptability, and comprehensive threat visibility, HoneyLite offers a practical and scalable solution to help SMEs detect, analyze, and respond to modern cyberattacks in real time. Full article
(This article belongs to the Special Issue IoT Network Security (Second Edition))

16 pages, 2174 KB  
Article
TwinFedPot: Honeypot Intelligence Distillation into Digital Twin for Persistent Smart Traffic Security
by Yesin Sahraoui, Abdessalam Mohammed Hadjkouider, Chaker Abdelaziz Kerrache and Carlos T. Calafate
Sensors 2025, 25(15), 4725; https://doi.org/10.3390/s25154725 - 31 Jul 2025
Viewed by 554
Abstract
The integration of digital twins (DTs) with intelligent traffic systems (ITSs) holds strong potential for improving real-time management in smart cities. However, securing digital twins remains a significant challenge due to the dynamic and adversarial nature of cyber–physical environments. In this work, we propose TwinFedPot, an innovative digital twin-based security architecture that combines honeypot-driven data collection with Zero-Shot Learning (ZSL) for robust and adaptive cyber threat detection without requiring prior sampling. The framework leverages Inverse Federated Distillation (IFD) to train the DT server, where edge-deployed honeypots generate semantic predictions of anomalous behavior and upload soft logits instead of raw data. Unlike conventional federated approaches, TwinFedPot reverses the typical knowledge flow by distilling collective intelligence from the honeypots into a central teacher model hosted on the DT. This inversion allows the system to learn generalized attack patterns using only limited data, while preserving privacy and enhancing robustness. Experimental results demonstrate significant improvements in accuracy and F1-score, establishing TwinFedPot as a scalable and effective defense solution for smart traffic infrastructures. Full article

44 pages, 4528 KB  
Article
Beyond the Leak: Analyzing the Real-World Exploitation of Stolen Credentials Using Honeypots
by Matej Rabzelj and Urban Sedlar
Sensors 2025, 25(12), 3676; https://doi.org/10.3390/s25123676 - 12 Jun 2025
Viewed by 1756
Abstract
This study presents one of the most extensive analyses of the lifecycle of leaked authentication credentials to date, bridging the gap between database breaches and real-world cyberattacks. We analyze over 27 billion leaked credentials—nearly 4 billion unique—using a sophisticated data filtering and normalization pipeline to handle breach inconsistencies. Following this analysis, we deploy a distributed sensor network of 39 honeypots running 14 unique services across 9 networks over a one-year-long experiment, capturing one of the most comprehensive authentication datasets in the literature. We analyze leaked credentials, SSH and Telnet session data, and HTTP authentication requests for their composition, characteristics, attack patterns, and occurrence. We comparatively assess whether credentials from leaks surface in real-world attacks. We observe a significant overlap of honeypot logins with common password wordlists (e.g., Nmap, John) and defaultlists (e.g., Piata, Mirai), and limited overlaps between leaked credentials, logins, and dictionaries. We examine generative algorithms (e.g., keywalk patterns, hashcat rules), finding they are widely used by users but not attackers—unless included in wordlists. Our analyses uncover unseen passwords and methods likely designed to detect honeypots, highlighting an adversarial arms race. Our findings offer critical insights into password reuse, mutation, and attacker strategies, with implications for authentication security, attack detection, and digital forensics. Full article
(This article belongs to the Special Issue Security, Privacy and Threat Detection in Sensor Networks)

35 pages, 467 KB  
Article
SCH-Hunter: A Taint-Based Hybrid Fuzzing Framework for Smart Contract Honeypots
by Haoyu Zhang, Baotong Wang, Wenhao Fu and Leyi Shi
Information 2025, 16(5), 405; https://doi.org/10.3390/info16050405 - 14 May 2025
Viewed by 868
Abstract
Existing smart contract honeypot detection approaches exhibit high false negatives and positives due to (i) their inability to generate transaction sequences triggering order-dependent traps and (ii) their limited code coverage from traditional fuzzing’s random mutations. In this paper, we propose a hybrid fuzzing framework for smart contract honeypot detection based on taint analysis, SCH-Hunter. SCH-Hunter conducts source-code-level feature analysis of smart contracts and extracts data dependency relationships between variables from the generated Control Flow Graph to construct specific transaction sequences for fuzzing. A symbolic execution module is also introduced to resolve complex conditional branches that fuzzing alone fails to penetrate, enabling constraint solving. Furthermore, real-time dynamic taint propagation monitoring is implemented using taint analysis techniques, leveraging taint flow information to optimize seed mutation processes, thereby directing mutation resources toward high-value code regions. Finally, by integrating EVM (Ethereum Virtual Machine) code instrumentation with taint information flow analysis, the framework effectively identifies and detects security-sensitive operations, ultimately generating a comprehensive detection report. Empirical results are as follows. (i) For code coverage, SCH-Hunter performs better than the state-of-art tool, HoneyBadger, achieving higher average code coverage rates on both datasets, surpassing it by 4.79% and 17.41%, respectively. (ii) For detection capabilities, SCH-Hunter is not only roughly on par with HoneyBadger in terms of precision and recall rate but also capable of detecting a wider variety of smart contract honeypot techniques. (iii) For the evaluation of components, we conducted three ablation studies to demonstrate that the proposed modules in SCH-Hunter significantly improve the framework’s detection capability, code coverage, and detection efficiency, respectively. Full article
(This article belongs to the Topic Software Engineering and Applications)

30 pages, 843 KB  
Review
Optimizing Internet of Things Honeypots with Machine Learning: A Review
by Stefanie Lanz, Sarah Lily-Rose Pignol, Patrick Schmitt, Haochen Wang, Maria Papaioannou, Gaurav Choudhary and Nicola Dragoni
Appl. Sci. 2025, 15(10), 5251; https://doi.org/10.3390/app15105251 - 8 May 2025
Viewed by 1741
Abstract
The increasing use of Internet of Things (IoT) devices has led to growing security concerns, necessitating advanced solutions to address emerging threats. Honeypots enhance IoT security by attracting and analyzing attackers. However, traditional honeypots struggle with adaptability and efficiency. This paper examines how machine learning enhances honeypot capabilities by improving threat detection and response mechanisms. A systematic literature review using the snowballing method explores the application of supervised, unsupervised, and reinforcement learning. Various classifiers for machine learning are analyzed to optimize honeypot architectures. This paper focuses on two types of honeypots: dynamic honeypots, which evolve to mislead attackers, and adaptive honeypots, which respond to threats in real time. By evaluating low-interaction, high-interaction, and hybrid honeypots, we determine how different machine learning techniques enhance detection and resource efficiency. Key findings include improved detection rates, with machine learning techniques, particularly supervised learning models like random forest, significantly enhancing detection accuracy, achieving up to 0.96 accuracy. Adaptive honeypots utilizing machine learning demonstrate better resource management, reducing false positives and optimizing computational resources. Despite these improvements, high computational demands and limited real-world testing hinder widespread adoption in IoT environments. This paper provides an overview of current trends, identifies research gaps, and offers insights for developing more intelligent IoT honeypots. There is no doubt that machine learning can help create more resilient and adaptive security solutions for IoT networks. Full article

15 pages, 1354 KB  
Article
Harnessing AI for Cyber Defense: Honeypot-Driven Intrusion Detection Systems
by Eman Alatawi and Umar Albalawi
Symmetry 2025, 17(5), 628; https://doi.org/10.3390/sym17050628 - 22 Apr 2025
Viewed by 1747
Abstract
Anomaly detection is essential in cybersecurity for identifying abnormal activities, a requirement that has grown increasingly critical with the complexity of cyberthreats. This study leverages the BPF-Extended Tracking Honeypot (BETH) dataset, a comprehensive resource designed to benchmark robustness in detecting anomalous behavior in kernel-level process and network logs. The symmetry of the proposed system lies in its ability to identify balanced and consistent patterns within kernel-level process logs, which form the foundation for accurately distinguishing anomalies. This study focuses on anomaly detection in kernel-level process logs by introducing an enhanced Isolation Forest (iForest) model, which is integrated into a structured framework that includes exploratory data analysis (EDA), data pre-processing, model training, validation, and evaluation. The proposed approach achieves a significant performance improvement in the anomaly detection results, with an area under the receiver operating characteristic curve (AUROC) score of 0.917—an approximate 7.88% increase over the baseline model’s AUROC of 0.850. Additionally, the model demonstrates high precision (99.57%), F1-score (91.69%), and accuracy (86.03%), effectively minimizing false positives while maintaining balanced detection capabilities. These results underscore the role of leveraging symmetry in designing advanced intrusion detection systems, offering a structured and efficient solution for identifying cyberthreats. Full article
(This article belongs to the Section Computer)

18 pages, 1313 KB  
Article
Unmasking the True Identity: Unveiling the Secrets of Virtual Private Networks and Proxies
by Vikas Kumar Jain, Jatin Aggrawal, Ramraj Dangi, Shiv Shankar Prasad Shukla, Anil Kumar Yadav and Gaurav Choudhary
Information 2025, 16(2), 126; https://doi.org/10.3390/info16020126 - 9 Feb 2025
Cited by 1 | Viewed by 3034
Abstract
The growing use of VPNs, proxy servers, and Tor browsers has significantly enhanced online privacy and anonymity. However, these technologies are also exploited by cybercriminals to obscure their identities, posing serious cybersecurity threats. Existing detection methods face challenges in accurately tracing the real IP addresses hidden behind these anonymization tools. This study presents a novel approach to unmasking true identities by leveraging honeypots and Canarytokens to track concealed connections. By embedding deceptive tracking mechanisms within decoy systems, we successfully capture the real IP addresses of users attempting to evade detection. Our methodology was rigorously tested across various network environments and payload types, ensuring effectiveness in real-world scenarios. The findings demonstrate the practicality and scalability of using Canarytokens for IP unmasking, providing a non-intrusive, legally compliant solution to combat online anonymity misuse. This research contributes to strengthening cyber threat intelligence, offering actionable insights for law enforcement, cybersecurity professionals, and digital forensics. Future work will focus on enhancing detection accuracy and addressing the advanced evasion tactics used by sophisticated attackers. Full article

38 pages, 2036 KB  
Article
Advancing Cybersecurity with Honeypots and Deception Strategies
by Zlatan Morić, Vedran Dakić and Damir Regvart
Informatics 2025, 12(1), 14; https://doi.org/10.3390/informatics12010014 - 31 Jan 2025
Cited by 3 | Viewed by 10103
Abstract
Cybersecurity threats are becoming more intricate, requiring preemptive actions to safeguard digital assets. This paper examines the function of honeypots as critical instruments for threat detection, analysis, and mitigation. A novel methodology for comparative analysis of honeypots is presented, offering a systematic framework to assess their efficacy. Seven honeypot solutions, namely Dionaea, Cowrie, Honeyd, Kippo, Amun, Glastopf, and Thug, are analyzed, encompassing various categories, including SSH and HTTP honeypots. The solutions are assessed via simulated network attacks and comparative analyses based on established criteria, including detection range, reliability, scalability, and data integrity. Dionaea and Cowrie exhibited remarkable versatility and precision, whereas Honeyd revealed scalability benefits despite encountering data quality issues. The research emphasizes the smooth incorporation of honeypots with current security protocols, including firewalls and incident response strategies, while offering comprehensive insights into attackers’ tactics, techniques, and procedures (TTPs). Emerging trends are examined, such as incorporating machine learning for adaptive detection and creating cloud-based honeypots. Recommendations for optimizing honeypot deployment include strategic placement, comprehensive monitoring, and ongoing updates. This research provides a detailed framework for selecting and implementing honeypots customized to organizational requirements. Full article

20 pages, 2824 KB  
Article
Hydrakon, a Framework for Measuring Indicators of Deception in Emulated Monitoring Systems
by Kon Papazis and Naveen Chilamkurti
Future Internet 2024, 16(12), 455; https://doi.org/10.3390/fi16120455 - 4 Dec 2024
Viewed by 949
Abstract
The current cybersecurity ecosystem is proving insufficient in today’s increasingly sophisticated cyber attacks. Malware authors and intruders have pursued innovative avenues to circumvent emulated monitoring systems (EMSs) such as honeypots, virtual machines, sandboxes and debuggers to continue with their malicious activities while remaining inconspicuous. Cybercriminals are improving their ability to detect EMS, by finding indicators of deception (IoDs) to expose their presence and avoid detection. It is proving a challenge for security analysts to deploy and manage EMS to evaluate their deceptive capability. In this paper, we introduce the Hydrakon framework, which is composed of an EMS controller and several Linux and Windows 10 clients. The EMS controller automates the deployment and management of the clients and EMS for the purpose of measuring EMS deceptive capabilities. Experiments were conducted by applying custom detection vectors to client real machines, virtual machines and sandboxes, where various artifacts were extracted and stored as csv files on the EMS controller. The experiment leverages the cosine similarity metric to compare and identify similar artifacts between a real system and a virtual machine or sandbox. Our results show that Hydrakon offers a valid approach to assess the deceptive capabilities of EMS without the need to target specific IoD within the target system, thereby fostering more robust and effective emulated monitoring systems. Full article

26 pages, 8632 KB  
Article
An Innovative Honeypot Architecture for Detecting and Mitigating Hardware Trojans in IoT Devices
by Amira Hossam Eldin Omar, Hassan Soubra, Donatien Koulla Moulla and Alain Abran
IoT 2024, 5(4), 730-755; https://doi.org/10.3390/iot5040033 - 31 Oct 2024
Cited by 2 | Viewed by 3556
Abstract
The exponential growth and widespread adoption of Internet of Things (IoT) devices have introduced many vulnerabilities. Attackers frequently exploit these flaws, necessitating advanced technological approaches to protect against emerging cyber threats. This paper introduces a novel approach utilizing hardware honeypots as an additional defensive layer against hardware vulnerabilities, particularly hardware Trojans (HTs). HTs pose significant risks to the security of modern integrated circuits (ICs), potentially causing operational failures, denial of service, or data leakage through intentional modifications. The proposed system was implemented on a Raspberry Pi and tested on an emulated HT circuit using a Field-Programmable Gate Array (FPGA). This approach leverages hardware honeypots to detect and mitigate HTs in the IoT devices. The results demonstrate that the system effectively detects and mitigates HTs without imposing additional complexity on the IoT devices. The Trojan-agnostic solution offers full customization to meet specific security needs, providing a flexible and robust layer of security. These findings provide valuable insights into enhancing the security of IoT devices against hardware-based cyber threats, thereby contributing to the overall resilience of IoT networks. This innovative approach offers a promising solution to address the growing security challenges in IoT environments. Full article

22 pages, 2426 KB  
Article
A Novel Cloud-Enabled Cyber Threat Hunting Platform for Evaluating the Cyber Risks Associated with Smart Health Ecosystems
by Abdullah Alabdulatif and Navod Neranjan Thilakarathne
Appl. Sci. 2024, 14(20), 9567; https://doi.org/10.3390/app14209567 - 20 Oct 2024
Cited by 4 | Viewed by 2027
Abstract
The fast proliferation of Internet of Things (IoT) devices has dramatically altered healthcare, increasing the efficiency and efficacy of smart health ecosystems. However, this expansion has created substantial security risks, as cybercriminals increasingly target IoT devices in order to exploit their weaknesses and relay critical health information. The rising threat landscape poses serious concerns across various domains within healthcare, where the protection of patient information and the integrity of medical devices are paramount. Smart health systems, while offering numerous benefits, are particularly vulnerable to cyber-attacks due to the integration of IoT devices and the vast amounts of data they generate. Healthcare providers, although unable to control the actions of cyber adversaries, can take proactive steps to secure their systems by adopting robust cybersecurity measures, such as strong user authentication, regular system updates, and the implementation of advanced security technologies. This research introduces a groundbreaking approach to addressing the cybersecurity challenges in smart health ecosystems through the deployment of a novel cloud-enabled cyber threat-hunting platform. This platform leverages deception technology, which involves creating decoys, traps, and false information to divert cybercriminals away from legitimate health data and systems. By using this innovative approach, the platform assesses the cyber risks associated with smart health systems, offering actionable recommendations to healthcare stakeholders on how to minimize cyber risks and enhance the security posture of IoT-enabled healthcare solutions. Overall, this pioneering research represents a significant advancement in safeguarding the increasingly interconnected world of smart health ecosystems, providing a promising strategy for defending against the escalating cyber threats faced by the healthcare industry. Full article

22 pages, 4376 KB  
Article
Desert Ant (Melophorus bagoti) Dumpers Learn from Experience to Improve Waste Disposal and Show Spatial Fidelity
by Sudhakar Deeti and Ken Cheng
Insects 2024, 15(10), 814; https://doi.org/10.3390/insects15100814 - 16 Oct 2024
Cited by 3 | Viewed by 1048
Abstract
The Central Australian red honey-pot ant Melophorus bagoti maintains non-cryptic ground-nesting colonies in the semi-desert habitat, performing all the activities outside the nest during the hottest periods of summer days. These ants rely on path integration and view-based cues for navigation. They manage waste by taking out unwanted food, dead nestmates, and some other wastes, typically depositing such items at distances > 5 m from the nest entrance, a process called dumping. We found that over multiple runs, dumpers headed in the same general direction, showing sector fidelity. Experienced ants dumped waste more efficiently than naive ants. Naive individuals, lacking prior exposure to the outdoor environment around the nest, exhibited much scanning and meandering during waste disposal. In contrast, experienced ants dumped waste with straighter paths and a notable absence of scanning behaviour. Furthermore, experienced dumpers deposited waste at a greater distance from the nest compared to their naive counterparts. We also investigated the navigational knowledge of naive and experienced dumpers by displacing them 2 m away from the nest. Naive dumpers were not oriented towards the nest in their initial trajectory at any of the 2 m test locations, whereas experienced dumpers were oriented towards the nest at all test locations. Naive dumpers were nest-oriented as a group, however, at the test location nearest to where they dumped their waste. These differences suggest that in red honey ants, learning supports waste disposal, with dumping being refined through experience. Dumpers gain greater spatial knowledge through repeated runs outside the nest, contributing to successful homing behaviour. Full article
(This article belongs to the Section Social Insects and Apiculture)

18 pages, 1223 KB  
Article
PLC Honeypots: Enhancing Interaction-Level Assessment
by Jessica B. Heluany
Electronics 2024, 13(20), 4024; https://doi.org/10.3390/electronics13204024 - 13 Oct 2024
Cited by 1 | Viewed by 2561
Abstract
The motivation for this work arose when noticing that definitions of honeypots’ interaction level are mainly based on the information technology environment and do not reflect operational technology even if several honeypot projects approach this field. Within operational technology, programmable logic controllers (PLCs) have a main role, resulting in several honeypot researchers choosing to mimic this device at a certain interaction level. However, searching for an interaction level definition that approaches PLCs results in few studies. In this context, this work aims to explore how to adapt the information technology definition of the interaction level in order to encompass PLCs and their specific features. The method chosen to obtain inputs was a literature review where, in attempting to keep the connection with information technology, the features were based in terms of honey system, honey service, and honey token. The findings of this review provide a means to translate these terms when developing a PLC honeypot for a desired interaction level, resulting in a metrics proposal for low and high interaction. Summarizing the proposed metrics, the system of a PLC can be considered as the vendor specific firmware, its unique device banner, and a realistic network topology. For services, a PLC honeypot reflects the tasks performed by the real device, thus resulting in industrial communication protocols, network management protocols, appropriate response times, code-related interactions, dynamic input and output data processing, physical process simulation, and web interface. Lastly, a PLC honey token can be approached with the PLC program file, MIB file, and software license, among other elements. Based on these metrics, researchers can better evaluate how to design a programmable logic controller honeypot or select tools that match their target interaction level. Full article

18 pages, 865 KB  
Article
Clustering Network Traffic Using Semi-Supervised Learning
by Antonina Krajewska and Ewa Niewiadomska-Szynkiewicz
Electronics 2024, 13(14), 2769; https://doi.org/10.3390/electronics13142769 - 14 Jul 2024
Cited by 3 | Viewed by 1753
Abstract
Clustering algorithms play a crucial role in early warning cybersecurity systems. They allow for the detection of new attack patterns and anomalies and enhance system performance. This paper discusses the problem of clustering data collected by a distributed system of network honeypots. In the proposed approach, when a network flow matches an attack signature, an appropriate label is assigned to it. This enables the use of semi-supervised learning algorithms and improves the quality of clustering results. The article compares the results of learning algorithms conducted with and without partial supervision, particularly non-negative matrix factorization and semi-supervised non-negative matrix factorization. Our results confirm the positive impact of labeling a portion of flows on the quality of clustering. Full article
(This article belongs to the Special Issue Network Security and Cryptography Applications)

33 pages, 13060 KB  
Article
Efficient SFC Protection Method against Network Attack Risks in Air Traffic Information Networks
by Yong Yang, Buhong Wang, Jiwei Tian and Peng Luo
Electronics 2024, 13(13), 2664; https://doi.org/10.3390/electronics13132664 - 7 Jul 2024
Cited by 3 | Viewed by 1144
Abstract
With the continuous development of the civil aviation industry toward digitalization and intelligence, the closed architecture of traditional air traffic information networks struggles to meet the rapidly growing demands for air traffic services. Network function virtualization (NFV) is one of the key technologies that can address the rigidity of traditional air traffic information networks. NFV technology has facilitated the flexible deployment of air traffic services, but it has also expanded the attack surface of the network. In addressing the network attack risks faced by service function chains (SFCs) in NFV environments, a SFC protection method based on honeypots and backup technology (PBHB) is proposed to reduce the resource cost of protecting air traffic information networks while enhancing network security. Initially, PBHB utilizes the TAPD algorithm to deploy the primary VNFs as closely as possible to the shortest path between the source and destination endpoints, thus aiming to reduce SFC latency and save bandwidth resource costs. Subsequently, the RAHDR algorithm is employed to install honeypot VNFs in each physical platform that is at risk of side-channel attacks, thus updating the deployment status of honeypot VNFs in real time based on the VNF lifecycle in order to offer primary protection for SFCs. Lastly, the BDMPE algorithm was used to calculate the backup scheme with the highest protection efficiency to implement secondary protection for the SFCs that still do not meet the security requirements. Through experiments, the maximum backup limit for SFCs in PBHB was determined, confirming its satisfactory performance across various SFC arrival rates. Furthermore, performance comparisons with other SFC protection methods revealed that PBHB achieves optimizations in resources cost while ensuring SFC security and latency. Full article
(This article belongs to the Special Issue 5G Technology for Internet of Things)