AI-Driven Honeypot: An Innovative Approach to Adaptive Cyber Security Defense
DOI:
https://doi.org/10.33333/lajc.vol13n2.01Keywords:
honeypot, artificial intelligence, cybersecurity, adaptive deception, GPT-4o, intrusion detectionAbstract
As cyber threats continue to grow in sophistication, the need for intelligent and adaptive defense mechanisms becomes increasingly more critical. This research investigates the integration of Artificial Intelligence (AI) into a honeypot system to distract, mislead through deception, and engage potential cyber attackers. The primary research question to answer was: “How can AI-driven adaptive deception improve the effectiveness of honeypots in cybersecurity?” To address this, a high-interaction honeypot was developed on a HTML website to be perceived as a reverse shell, with the implementation of OpenAI’s GPT-4o model to respond, impersonating a Linux terminal, while silently tracking and logging the attacker, and classifying all commands into three sub-categories – Safe, Suspicious and Malicious. The core methods included command logging, AI-driven risk classification, dynamic fake filesystem manipulation, and the escalation of behavior based on the attacker's actions. Attack simulations were performed by highly credible third-party cybersecurity experts to evaluate the honeypots effectiveness in engaging and tracking the attacker for as long as possible. The findings suggest that AI integration significantly improved the realism and engagement level of the honeypot, both in terms of enhancing intelligence gathering and the improvements from traditional static honeypots. However, full automation of behavioral escalation tuning remains an area to further explore. Overall, this study demonstrates that the integration of AI within traditional honeypot strategies can significantly enhance cyber defense systems.
Downloads
References
[1] L. Spitzner, “Definitions of honeypots,” in Honeypots: Tracking Hackers, Boston, MA, USA: Addison-Wesley, 2002.
[2] C. H. Malin, T. Gudaitis, T. J. Holt, and M. Kilger, “Sweet deception: Honeypots,” in Deception in the Digital Age, Cambridge, MA, USA: Academic Press, 2017, pp. 227–239, doi: 10.1016/B978-0-12-411630-6.00009-8.
[3] N. El Kamel, M. Eddabbah, Y. Lmoumen, and R. Touahni, “A smart agent design for cyber security based on honeypot and machine learning,” Security and Communication Networks, vol. 2020, art. no. 8865474, 2020, doi: 10.1155/2020/8865474.
[4] P. Radoglou-Grammatikis, P. Sarigiannidis, P. Diamantoulakis, T. Lagkas, T. Saoulidis, E. Fountoukidis, and G. Karagiannidis, “Strategic honeypot deployment in ultra-dense beyond 5G networks: A reinforcement learning approach,” IEEE Trans. Emerg. Topics Comput., vol. 12, no. 2, pp. 643–655, 2024, doi: 10.1109/TETC.2022.3184112.
[5] R. D. Ravipati and M. Abualkibash, “A survey on different machine learning algorithms and weak classifiers based on KDD and NSL-KDD datasets,” Int. J. Artif. Intell. Appl. (IJAIA), vol. 10, no. 3, pp. 1–11, 2019, doi: 10.5121/ijaia.2019.10301.
[6] R. C. Joshi and A. Sardana, Honeypots: A New Paradigm to Information Security. Enfield, NH, USA: Science Publishers (CRC Press), 2011.
[7] X. Yang, J. Yuan, H. Yang, Y. Kong, H. Zhang, and J. Zhao, “A highly interactive honeypot-based approach to network threat management,” Future Internet, vol. 15, no. 4, art. no. 127, 2023, doi: 10.3390/fi15040127.
[8] S. Srinivasa, J. M. Pedersen, and E. Vasilomanolakis, “Gotta catch ‘em all: A multistage framework for honeypot fingerprinting,” Digital Threats: Research and Practice, vol. 4, no. 3, art. no. 28, 2023.
[9] H. T. Otal and M. A. Canbaz, “LLM honeypot: Leveraging large language models as advanced interactive honeypot systems,” in Proc. IEEE Conf. Communications and Network Security (CNS), 2024, doi: 10.1109/CNS62487.2024.10735607.
[10] S. B. Weber, M. Feger, and M. Pilgermann, “Don’t stop believin’: A unified evaluation approach for LLM honeypots,” IEEE Access, 2024, doi: 10.1109/ACCESS.2024.3472460.
[11] C. Vasilatos, D. J. Mahboobeh, H. Lamri, M. Alam, and M. Maniatakos, “LLMPot: Automated LLM-based industrial protocol and physical process emulation for ICS honeypots,” arXiv preprint, 2024.
[12] A. Sezgin and A. Boyacı, “DecoyPot: A large language model-driven web API honeypot for realistic attacker engagement,” Computers & Security, vol. 154, art. no. 104458, 2025, doi: 10.1016/j.cose.2025.104458.
[13] S. A. Kareem, R. C. Sachan, and R. K. Malviya, “AI-driven adaptive honeypots for dynamic cyber threats,” SSRN preprint, 2024, doi: 10.2139/ssrn.4966935.
[14] M. Balamurugan, “AI-enhanced honeypots for zero-day exploit detection and mitigation,” Int. J. Multidisciplinary Res., vol. 6, no. 6, 2024, doi: 10.36948/ijfmr.2024.v06i06.32866.
[15] S. O. Tortosa, R. Barchino, J. A. Medina-Merodio, J. J. Martínez-Herráiz, P. Lanka, K. Gupta, and C. Varol, “Intelligent threat detection – AI-driven analysis of honeypot data to counter cyber threats,” Electronics, vol. 13, no. 13, art. no. 2465, 2024, doi: 10.3390/electronics13132465.
[16] Cackalacky, “DIY generative AI driven honeypot – Savvyjuan,” YouTube, 7 Jul. 2024. [Online]. Available: https://www.youtube.com/watch?v=0rzEpiAfeos
[17] M. B. Ozkok, B. Birinci, O. Cetin, B. Arief, and J. Hernandez-Castro, “Honeypot’s best friend? Investigating ChatGPT’s ability to evaluate honeypot logs,” in Proc. ACM Int. Conf. Series, 2024, pp. 128–135, doi: 10.1145/3655693.3655716.
[18] OpenAI et al., “GPT-4 technical report,” arXiv preprint arXiv:2303.08774, 2023.
[19] J. Franco, A. Aris, B. Canberk, and A. S. Uluagac, “A survey of honeypots and honeynets for Internet of Things, Industrial Internet of Things, and cyber-physical systems,” IEEE Commun. Surveys Tuts., 2021.
[20] F. Setianto, E. Tsani, F. Sadiq, G. Domalis, D. Tsakalidis, and P. Kostakos, “GPT-2C: A GPT-2 parser for Cowrie honeypot logs,” 2021.
[21] D. Farrell and M. Kennedy, The Well-Grounded Python Developer: How the Pros Use Python and Flask. Shelter Island, NY, USA: Manning, 2023.
[22] V. Cutting and N. Stephen, “A review on using Python as a preferred programming language for beginners,” Int. Res. J. Eng. Technol. (IRJET), 2021. [Online]. Available: https://www.irjet.net
[23] R. Diver, “AI jailbreaks: What they are and how they can be mitigated,” Microsoft Security Blog, 4 Jul. 2024. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2024/06/04/ai-jailbreaks-what-they-are-and-how-they-can-be-mitigated/
[24] A. Zakari, A. A. Lawan, and G. Bekaroo, “Towards improving the security of low-interaction honeypots: Insights from a comparative analysis,” in Lecture Notes in Electrical Engineering, vol. 416, 2017, pp. 314–321, doi: 10.1007/978-3-319-52171-8_28.
[25] Y. Kocaogullar, O. Cetin, B. Arief, C. Brierley, J. Pont, and J. Hernandez-Castro, “Hunting high or low: Evaluating the effectiveness of high-interaction and low-interaction honeypots,” 2025.
[26] N. Ilg, P. Duplys, D. Sisejkovic, and M. Menth, “A survey of contemporary open-source honeypots, frameworks, and tools,” J. Netw. Comput. Appl., vol. 220, art. no. 103737, 2023, doi: 10.1016/j.jnca.2023.103737.
[27] A. Javadpour, F. Ja’fari, T. Taleb, M. Shojafar, and C. Benzaïd, “A comprehensive survey on cyber deception techniques to improve honeypot performance,” Computers & Security, vol. 140, art. no. 103792, 2024, doi: 10.1016/j.cose.2024.103792.
[28] U. Bartwal, S. Mukhopadhyay, R. Negi, and S. Shukla, “Security orchestration, automation, and response engine for deployment of behavioral honeypots,” in Proc. 5th IEEE Conf. Dependable and Secure Computing (DSC), 2022, doi: 10.1109/DSC54232.2022.9888808.
[29] M. Oosterhof, “Cowrie: SSH/Telnet honeypot,” GitHub Repository. [Online]. Available: https://github.com/cowrie/cowrie (accessed Mar. 24, 2025).
[30] Computer Security Resource Center (CSRC), “Honeypot – Glossary,” NIST, CNSSI 4009-2015 from IETF RFC 4949 v2. [Online]. Available: https://csrc.nist.gov/glossary/term/honeypot (accessed Apr. 9, 2025).
[31] L. Zhang and Vrizlynn. L. L. Thing, “Three Decades of Deception Techniques in Active Cyber Defense - Retrospect and Outlook,” Computers & Security, vol. 106, p. 102288, Apr. 2021, doi: https://doi.org/10.1016/j.cose.2021.102288.
[32] L. Teo, Y. . -A. Sun and G. . -J. Ahn, "Defeating Internet attacks using risk awareness and active honeypots," Second IEEE International Information Assurance Workshop, 2004. Proceedings., Charlotte, NC, USA, 2004, pp. 155-167, doi: https://doi.org/10.1109/IWIA.2004.1288045
Published
Issue
Section
License
Copyright (c) 2026 Danny Corbett, Shahrzad Zargari

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Copyright Notice
Authors who publish this journal agree to the following terms:
- Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 International 4.0 that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
- Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
- Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.
Disclaimer
LAJC in no event shall be liable for any direct, indirect, incidental, punitive, or consequential copyright infringement claims related to articles that have been submitted for evaluation, or published in any issue of this journal. Find out more in our Disclaimer Notice.





