HoneyCloud: A Smart Scalable Honeypot Platform with ML-Based Threat Classification and Real-Time Attacker Profiling
Abstract
The rapid proliferation of internet-connected systems has intensified the frequency and sophistication of cyberattacks, making traditional security mechanisms increasingly insufficient. This paper presents HoneyCloud, a smart, scalable honeypot platform designed to capture, classify, and visualize cyberattacks in real time. HoneyCloud deploys multi-protocol honeypots simulating SSH, FTP, and HTTP services to lure and log malicious activity. Captured events are processed through a machine learning pipeline based on the Isolation Forest algorithm, which classifies traffic into benign, anomalous, or malicious categories using ten semantic features including service port encoding, credential length analysis, dangerous pattern detection, and user identity classification. The platform incorporates a real-time attacker profiling engine that assigns dynamic risk scores and detects behavioural patterns such as brute force attacks, credential stuffing, and port scanning. A real-time dashboard powered by WebSockets and Server-Sent Events (SSE) provides security analysts with live visualisation of attack data, including timing heatmaps, service trends, credential intelligence, and attacker profiles. The system is containerised using Docker and designed for horizontal scalability. Evaluation through a structured simulation suite confirms the platform’s effectiveness in detecting and classifying attack behaviour with low-latency response times. HoneyCloud demonstrates a viable, deployable approach to proactive cyber threat intelligence for organisational security infrastructure.
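
As an added illustration of the attacker profiling step described in the abstract (this is not code from the paper or the HoneyCloud project), the sketch below derives per-source behavioural patterns and a risk score from honeypot events. The event field names, thresholds, window length and score weights are all assumptions, since the abstract specifies none of them.

```python
from collections import defaultdict

# Assumed thresholds and weights for illustration; the abstract gives none.
WINDOW_S = 60          # sliding window (seconds) for all pattern checks
BRUTE_MIN_PW = 5       # distinct passwords tried against one username
STUFF_MIN_USERS = 5    # distinct usernames, each tried with <= 2 passwords
SCAN_MIN_SERVICES = 3  # distinct honeypot services touched
WEIGHTS = {"brute_force": 40, "credential_stuffing": 40, "port_scan": 20}

def profile(events):
    """Return {src_ip: {"patterns": set, "risk": int}} from honeypot events."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    profiles = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        patterns = set()
        start = 0
        for end in range(len(evs)):
            # Advance the left edge so the window spans at most WINDOW_S.
            while evs[end]["ts"] - evs[start]["ts"] > WINDOW_S:
                start += 1
            win = evs[start:end + 1]
            pw_by_user = defaultdict(set)
            for e in win:
                if e.get("user") is not None:
                    pw_by_user[e["user"]].add(e.get("password"))
            if any(len(p) >= BRUTE_MIN_PW for p in pw_by_user.values()):
                patterns.add("brute_force")
            shallow = [u for u, p in pw_by_user.items() if len(p) <= 2]
            if len(shallow) >= STUFF_MIN_USERS:
                patterns.add("credential_stuffing")
            if len({e["service"] for e in win}) >= SCAN_MIN_SERVICES:
                patterns.add("port_scan")
        risk = min(100, sum(WEIGHTS[p] for p in patterns))
        profiles[src] = {"patterns": patterns, "risk": risk}
    return profiles

# Constructed sample events (documentation-range IPs), not data from the paper.
SAMPLE = (
    [{"src": "203.0.113.5", "service": "ssh", "user": "root", "password": f"pw{i}", "ts": i} for i in range(6)]
    + [{"src": "198.51.100.7", "service": "ftp", "user": f"user{i}", "password": f"leak{i}", "ts": i * 2} for i in range(5)]
    + [{"src": "192.0.2.9", "service": s, "user": None, "password": None, "ts": t} for t, s in enumerate(["ssh", "ftp", "http"])]
    + [{"src": "192.0.2.50", "service": "http", "user": None, "password": None, "ts": 0}]
)
if __name__ == "__main__":
    for ip, p in profile(SAMPLE).items():
        print(ip, sorted(p["patterns"]), p["risk"])
```

A single source can match several patterns at once, in which case the weights add up and the score is capped at 100.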