The accelerating adoption of cloud computing has fundamentally expanded the digital attack surface, making cloud infrastructures an increasingly attractive target for sophisticated adversaries. Conventional security mechanisms such as firewalls, intrusion detection systems, and antivirus platforms are primarily reactive in nature, offering limited visibility into attacker methodologies, behavioral progression, and exploitation tactics once initial contact occurs. To bridge this critical knowledge gap, this paper presents the design, implementation, and evaluation of a Cloud Honeypot Monitoring System deployed on Amazon Web Services that attracts, records, and analyzes malicious interactions within a fully isolated and controlled cloud environment. The system deploys decoy services emulating SSH, HTTP, and HTTPS protocols on AWS EC2 instances residing within an isolated Virtual Private Cloud, and integrates AWS CloudWatch and S3 for real-time log capture and persistent storage. A Python-based backend constructed with Flask provides log parsing, event correlation, signature matching, and rule-based anomaly detection capabilities. A React and D3.js frontend dashboard renders live attack feeds, geographic distribution maps, attack type distribution charts, and complete attack lifecycle visualizations. Controlled attack simulations are executed using Nmap, Metasploit, and custom Python scripts to generate realistic threat scenarios encompassing port scanning, brute-force credential attacks, reconnaissance activities, and exploitation attempts. The system successfully demonstrated the ability to attract, capture, process, and visualize attacker interactions in real time, while supporting exportable threat intelligence reports in JSON and CSV formats.
Introduction
Cloud computing has become the backbone of modern enterprise infrastructure by providing scalable, flexible, and cost-effective services. However, its widespread adoption has also increased cybersecurity risks, as attackers exploit cloud misconfigurations, authentication weaknesses, API vulnerabilities, and exposed services. Traditional security mechanisms mainly focus on blocking known threats but provide limited insight into attacker behavior, making it difficult to understand reconnaissance, exploitation, and persistence techniques.
To address this challenge, the study proposes a Cloud Honeypot Monitoring System that uses decoy cloud services to safely attract and monitor cyberattacks. Unlike conventional security tools, honeypots record every unauthorized interaction, enabling detailed analysis of attacker behavior with minimal false positives. The system is deployed on AWS using isolated EC2 instances within a Virtual Private Cloud (VPC), where SSH, HTTP, and HTTPS honeypots simulate vulnerable services. Attacker interactions are captured through CloudWatch, stored in Amazon S3, processed by a Python-Flask backend for log parsing, signature matching, event correlation, and anomaly detection, and visualized through a React-based dashboard.
A review of existing research shows that previous honeypot solutions focus on specific domains such as cloud intrusion detection, cryptocurrency deception, or IoT security, but lack an integrated cloud-native platform with real-time monitoring, structured analytics, and visualization. The proposed system fills this gap by combining multi-protocol honeypots, cloud-native logging, automated detection, and interactive threat intelligence into a unified framework.
The system architecture follows a modular pipeline consisting of attacker interaction, honeypot service emulation, traffic capture, backend processing, structured storage, and dashboard visualization. A mathematical model formally defines event extraction, honeypot state transitions, log correlation, detection rules, anomaly scoring, and alert generation, providing a rigorous foundation for the framework.
Implementation includes AWS VPC configuration, EC2-based honeypot deployment, CloudWatch and S3 logging infrastructure, a Flask REST API for analytics, and a React dashboard displaying attack statistics, live attack feeds, geographic distributions, and exportable threat intelligence. Validation was performed through controlled attack simulations using Nmap, Metasploit, and custom Python scripts to emulate reconnaissance, brute-force attacks, SQL injection, path traversal, and credential stuffing.
Experimental results confirmed successful deployment and reliable end-to-end operation. The system accurately captured, processed, and classified simulated attacks, with SSH brute-force attacks representing the largest share of detected events. The detection engine effectively reconstructed multi-stage attack sequences using signature matching and event correlation, while the dashboard provided near real-time visualization without significant processing delays.
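The paper does not reproduce its detection rules, so the following is an added illustration, not the authors' code, of signature matching combined with windowed per-source correlation over honeypot events. The event layout, regex signatures, 60-second window and five-failure threshold are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed sample events: (epoch seconds, source IP, service, detail).
EVENTS = [
    (50, "203.0.113.9", "http", "GET /../../etc/passwd"),
    (100, "198.51.100.7", "ssh", "auth_fail user=root"),
    (102, "198.51.100.7", "ssh", "auth_fail user=admin"),
    (104, "198.51.100.7", "ssh", "auth_fail user=root"),
    (106, "198.51.100.7", "ssh", "auth_fail user=test"),
    (108, "198.51.100.7", "ssh", "auth_fail user=oracle"),
    (130, "198.51.100.7", "http", "GET /item?id=1' OR '1'='1"),
    (400, "192.0.2.44", "ssh", "auth_fail user=root"),
    (9000, "192.0.2.44", "ssh", "auth_fail user=root"),
]
# Assumed signatures and thresholds; the paper does not list its own.
SIGNATURES = {
    "sql_injection": re.compile(r"('|%27)\s*or\s|union\s+select", re.I),
    "path_traversal": re.compile(r"\.\./|%2e%2e", re.I),
}
WINDOW, BF_THRESHOLD = 60, 5  # seconds; failed SSH logins inside the window

def match_signatures(detail):
    return [name for name, rx in SIGNATURES.items() if rx.search(detail)]

def correlate(events):
    """Return {source_ip: [(time, label), ...]} in time order."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_src.items():
        labels, fails, alerted = [], [], False
        for ts, _, service, detail in evs:
            labels += [(ts, sig) for sig in match_signatures(detail)]
            if service == "ssh" and "auth_fail" in detail:
                fails = [t for t in fails if ts - t < WINDOW]
                alerted = alerted and bool(fails)  # burst over: re-arm the alert
                fails.append(ts)
                if len(fails) >= BF_THRESHOLD and not alerted:
                    labels.append((ts, "ssh_brute_force"))
                    alerted = True
        if labels:
            findings[ip] = labels
    return findings

def multi_stage(findings):
    # Sources that produced more than one distinct attack label.
    chains = {ip: [label for _, label in hits] for ip, hits in findings.items()}
    return {ip: c for ip, c in chains.items() if len(set(c)) > 1}
```

The `alerted` flag keeps a sustained burst from raising one alert per failed login, and two failures hours apart never reach the threshold because the window is pruned on every event.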
The proposed system offers several advantages, including secure observation of attacker behavior without risking production infrastructure, scalable cloud-based deployment, modular architecture, multi-protocol monitoring, integrated signature and anomaly detection, and exportable threat intelligence. However, limitations remain, such as dependence on rule-based detection, support only for AWS environments, lack of automated response mechanisms, and evaluation using simulated rather than real-world attacks.
Future work will focus on integrating machine learning techniques for advanced anomaly detection, automated alerting through email or messaging platforms, external threat intelligence feeds, additional honeypot services (e.g., cloud storage, containers, IoT, databases), multi-cloud deployment across AWS, Azure, and Google Cloud, infrastructure automation using Terraform or CloudFormation, and advanced visualization features such as MITRE ATT&CK mapping and predictive attack analytics. Overall, the proposed Cloud Honeypot Monitoring System provides a scalable and effective platform for cloud security research, enabling organizations to better understand attacker behavior and strengthen proactive cybersecurity defenses.
Conclusion
This paper has presented the Cloud Honeypot Monitoring System, a comprehensive platform for attracting, capturing, analyzing, and visualizing malicious activities targeting cloud-based services. The system was designed to address a fundamental gap in cloud security research: the absence of a safe, isolated, and fully instrumented environment in which attacker behavior can be observed without constraining the depth of instrumentation or risking production infrastructure.
By deploying multi-protocol honeypots on AWS EC2 within an isolated Virtual Private Cloud, integrating CloudWatch and S3 for real-time log capture and durable storage, implementing a Python Flask backend providing log parsing, event correlation, signature matching, and anomaly detection, and delivering a React and D3.js dashboard for interactive visualization, the system achieves its stated research objectives in full. The mathematical model presented provides a rigorous formal specification defining event extraction functions, honeypot state transition models, correlation windows, detection predicates, anomaly score functions, and alert generation logic.
Controlled attack simulations using Nmap, Metasploit, and custom Python scripts validated the end-to-end pipeline, demonstrating correct capture and classification of SSH brute force, credential harvesting, SQL injection, path traversal, and web application attack activities. The modular architecture ensures the system can serve as a reusable research substrate, with individual components replaceable and extensible as future requirements evolve. The Cloud Honeypot Monitoring System contributes a validated, replicable, and extensible platform for advancing empirical understanding of cloud-targeted adversarial behavior and for developing the evidence-based defensive strategies that modern cloud security demands.