Dec 8, 2025

An Adaptive Multi-Layered Honeynet Architecture for Threat Behavior Analysis via Deep Learning

arXiv:2512.07827v1
Originality: Incremental advance
AI Analysis

This work addresses the inefficiency of cyber threat analysis for security practitioners; it is an incremental advance, since it builds on established honeynet concepts and adds AI-driven orchestration on top of them.

The paper tackles the inadequacy of static honeypots against sophisticated cyber threats by introducing ADLAH, an adaptive deep learning honeynet architecture in which a reinforcement learning agent autonomously escalates sessions from low-interaction to high-interaction honeypots. The goal is to maximize captured threat intelligence while minimizing infrastructure cost; the authors present a prototype of the decision mechanism only and do not claim field-scale validation.

The escalating sophistication and variety of cyber threats have rendered static honeypots inadequate, necessitating adaptive, intelligence-driven deception. In this work, ADLAH is introduced: an Adaptive Deep Learning Anomaly Detection Honeynet designed to maximize high-fidelity threat intelligence while minimizing cost through autonomous orchestration of infrastructure. The principal contribution is offered as an end-to-end architectural blueprint and vision for an AI-driven deception platform. Feasibility is evidenced by a functional prototype of the central decision mechanism, in which a reinforcement learning (RL) agent determines, in real time, when sessions should be escalated from low-interaction sensor nodes to dynamically provisioned, high-interaction honeypots. Because sufficient live data were unavailable, field-scale validation is not claimed; instead, design trade-offs and limitations are detailed, and a rigorous roadmap toward empirical evaluation at scale is provided. Beyond selective escalation and anomaly detection, the architecture pursues automated extraction, clustering, and versioning of bot attack chains, a core capability motivated by the empirical observation that exposed services are dominated by automated traffic. Together, these elements delineate a practical path toward cost-efficient capture of high-value adversary behavior, systematic bot versioning, and the production of actionable threat intelligence.
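The abstract's central mechanism, an RL agent deciding per session whether to escalate from a cheap low-interaction sensor to a provisioned high-interaction honeypot, can be illustrated with a small simulation. The following is an added example written for this page, not the ADLAH prototype or any code from the paper: a contextual-bandit agent (single-step tabular Q-learning) learns a cost-aware escalation policy from what a sensor can observe. The session kinds, the `mean_cmd_gap_s` cadence threshold, the `KNOWN_BOT_FINGERPRINTS` cluster, the intel values, the escalation cost and the capacity model are all constructed assumptions; the point is that an agent with the right reward shape learns to spend high-interaction capacity only on sessions whose fingerprint is not already in a known bot cluster, and never when the pool is full.

```python
"""Toy simulation of selective honeypot escalation (added example, not the paper's code).

A contextual-bandit agent decides, per session, whether to keep it on a
low-interaction sensor or escalate it to a high-interaction honeypot.
All session kinds, thresholds, rewards and costs are constructed assumptions.
"""
import random
from collections import defaultdict

ESCALATE, KEEP = "escalate", "keep"
ACTIONS = (ESCALATE, KEEP)

# Assumed economics: escalation provisions a container/VM (cost); keeping the
# session on the low-interaction node still yields a little intel (baseline).
ESCALATION_COST = 3.0
LOW_INTERACTION_VALUE = 0.5

# Hidden ground truth, used only by the simulator's reward function:
# value of a full high-interaction capture, by (constructed) session kind.
INTEL_VALUE = {"known_scanner": 1.0, "novel_bot": 6.0, "hands_on_keyboard": 12.0}

# Constructed fingerprint cluster the sensor can match against.
KNOWN_BOT_FINGERPRINTS = {"scanner-v1", "scanner-v2"}


def generate_session(rng):
    """Constructed session record, as a low-interaction sensor might log it."""
    kind = rng.choices(["known_scanner", "novel_bot", "hands_on_keyboard"],
                       weights=[0.7, 0.25, 0.05])[0]
    if kind == "known_scanner":
        fp, gap = rng.choice(sorted(KNOWN_BOT_FINGERPRINTS)), rng.uniform(0.01, 0.2)
    elif kind == "novel_bot":
        fp, gap = "unknown-%d" % rng.randint(100, 999), rng.uniform(0.01, 0.3)
    else:  # hands-on-keyboard operator: unknown tooling, human typing cadence
        fp, gap = "unknown-%d" % rng.randint(100, 999), rng.uniform(1.5, 8.0)
    return {"kind": kind, "fingerprint": fp, "mean_cmd_gap_s": gap}


def observe(session, at_capacity):
    """Discretise what the sensor can actually see into the agent's state.
    The hidden 'kind' is deliberately not used here."""
    known_bot = session["fingerprint"] in KNOWN_BOT_FINGERPRINTS
    interactive = session["mean_cmd_gap_s"] > 1.0   # assumed human-like cadence threshold
    return (known_bot, interactive, at_capacity)


def reward(session, action, at_capacity, rng):
    """Simulator reward: intel gained minus infrastructure cost, plus noise."""
    if action == KEEP:
        return LOW_INTERACTION_VALUE
    if at_capacity:  # nothing left to provision: pay the cost, gain nothing
        return -ESCALATION_COST
    return INTEL_VALUE[session["kind"]] - ESCALATION_COST + rng.gauss(0, 0.5)


class EscalationAgent:
    """Epsilon-greedy tabular Q-learner over single-step episodes."""

    def __init__(self, alpha=0.1, epsilon=0.2, seed=0):
        self.q = defaultdict(lambda: {a: 0.0 for a in ACTIONS})
        self.alpha, self.epsilon = alpha, epsilon
        self.rng = random.Random(seed)

    def policy(self, state):
        """Greedy action for a state: what a deployed agent would do."""
        qs = self.q[state]
        return max(ACTIONS, key=lambda a: qs[a])

    def act(self, state):
        if self.rng.random() < self.epsilon:
            return self.rng.choice(ACTIONS)
        return self.policy(state)

    def update(self, state, action, r):
        # Single-step episode, so the target is just the observed reward.
        self.q[state][action] += self.alpha * (r - self.q[state][action])


def train(episodes=4000, seed=1):
    """Run the simulator and return the trained agent (deterministic per seed)."""
    rng = random.Random(seed)
    agent = EscalationAgent(seed=seed)
    for _ in range(episodes):
        session = generate_session(rng)
        at_capacity = rng.random() < 0.3  # assumed: high-interaction pool full 30% of the time
        state = observe(session, at_capacity)
        action = agent.act(state)
        agent.update(state, action, reward(session, action, at_capacity, rng))
    return agent


if __name__ == "__main__":
    agent = train()
    for state in sorted(agent.q):
        qs = {a: round(v, 2) for a, v in agent.q[state].items()}
        print("known_bot=%s interactive=%s at_capacity=%s" % state, qs, "->", agent.policy(state))
```

Two design points carry over to a real deployment. First, the state is built only from sensor-observable features; the hidden session kind exists solely inside the simulator's reward, which is the role a later high-interaction capture (or an analyst label) would play as delayed feedback. Second, capacity is part of the state, so the cost term, not a hard-coded rule, is what teaches the agent to stop escalating when the pool is full.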
