The development of adaptive and intelligent defense mechanisms requires new approaches to defending against sophisticated cyber threats that existing intrusion detection (ID) systems cannot fully address. AEGIS-AI: A Framework for Autonomous Threat Deception and Detection is an autonomous framework that combines honeypots with reinforcement learning (RL) and deep neural networks (DNNs) to automate the way honeypots are employed as a deception technique for detecting and responding to malicious activity. A key feature of AEGIS-AI is its ability to change deception strategies in real time according to the attacker's behaviour: the deception strategy is generated dynamically from an analysis of the attacker's behaviour at any point in time, using a Markov Decision Process (MDP) formulation to select optimal responses. The honeypots are subdivided into multi-service honeypots with different levels of interactivity, and the AI engine coordinates the deception techniques being employed and continuously improves them using Q-learning and anomaly-detection models. Evaluated on the CICIDS-2017 dataset and on custom honeypot datasets, AEGIS-AI identified intrusions with an accuracy of 97.8% and a false positive rate of 1.4%, with an average attacker engagement time of 520 seconds, outperforming previous static and semi-adaptive honeypot baselines by a large margin. The framework also incorporates federated learning to share threat intelligence across multiple geographically dispersed deployments while maintaining data privacy. Additionally, the paper provides mathematical formulations for evaluating the effectiveness of deception-based honeypot approaches, for game-theoretic honeypot placement, and for optimising the resources used in maintaining a honeypot system.
Introduction
This paper presents AEGIS-AI, an AI-driven cybersecurity framework designed to improve intrusion detection and deception in modern networks. It addresses the limitations of traditional Intrusion Detection Systems (IDS), which rely on static signatures, produce high false-positive rates, and only react after an attack has begun. It also improves upon static honeypots, which attackers can often fingerprint and evade.
AEGIS-AI introduces an autonomous, adaptive honeypot system that combines low- and high-interaction honeypots with a central AI engine. This engine dynamically adjusts deception strategies based on attacker behavior. A key innovation is modeling honeypot behavior as a Markov Decision Process (MDP) and using reinforcement learning (Q-learning) to continuously optimize deception actions such as service emulation, response delay, and credential interaction. The goal is to maximize attacker engagement and intelligence collection while minimizing cost.
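The following Python script is an added illustration of the loop described above, not code from the paper: it models the honeypot's deception decisions as a small tabular MDP and trains a Q-learning policy against a constructed, stochastic attacker. The stage names, the three actions (service emulation, response delay, credential offering), their costs, the intelligence values and the transition probabilities are all assumptions made for this example; the paper's own state space, reward function and attacker model are not reproduced here. The script also compares the learned policy with a static always-emulate baseline on mean return and mean engagement length, which is the kind of adaptive-versus-static comparison the evaluation makes.

```python
"""Q-learning for adaptive honeypot deception over a toy MDP (constructed example)."""
import random

# Attacker depth, from first contact to interactive shell (assumed stage names).
STAGES = ["recon", "probing", "login", "shell"]
TERMINAL = "left"  # attacker disengaged
ACTIONS = ["emulate_service", "delay_response", "offer_credentials"]

# Per-action deception cost and per-stage intelligence value (assumed numbers).
COST = {"emulate_service": 0.5, "delay_response": 0.2, "offer_credentials": 1.0}
INTEL = {"probing": 3.0, "login": 6.0, "shell": 9.0}
ENGAGE_REWARD = 1.0  # earned for every step the attacker stays engaged

# Constructed attacker model: (stage, action) -> (P_advance, P_stay, P_leave).
ATTACKER = {
    ("recon",   "emulate_service"):   (0.8, 0.1, 0.1),
    ("recon",   "delay_response"):    (0.0, 0.5, 0.5),
    ("recon",   "offer_credentials"): (0.1, 0.1, 0.8),  # creds before any probing look planted
    ("probing", "emulate_service"):   (0.1, 0.5, 0.4),
    ("probing", "delay_response"):    (0.0, 0.6, 0.4),
    ("probing", "offer_credentials"): (0.8, 0.1, 0.1),
    ("login",   "emulate_service"):   (0.8, 0.1, 0.1),
    ("login",   "delay_response"):    (0.1, 0.5, 0.4),
    ("login",   "offer_credentials"): (0.2, 0.3, 0.5),
    ("shell",   "emulate_service"):   (0.0, 0.5, 0.5),
    ("shell",   "delay_response"):    (0.0, 0.9, 0.1),
    ("shell",   "offer_credentials"): (0.0, 0.4, 0.6),
}


def step(stage, action, rng):
    """Sample one MDP transition; returns (next_stage, reward)."""
    p_adv, p_stay, _ = ATTACKER[(stage, action)]
    reward = -COST[action]
    u = rng.random()
    depth = STAGES.index(stage)
    if u < p_adv and depth + 1 < len(STAGES):
        nxt = STAGES[depth + 1]
        reward += ENGAGE_REWARD + INTEL[nxt]   # deeper stage = more intelligence
    elif u < p_adv + p_stay:
        nxt = stage
        reward += ENGAGE_REWARD
    else:
        nxt = TERMINAL
    return nxt, reward


def train(episodes=5000, gamma=0.9, epsilon=0.2, max_steps=50, seed=7):
    """Tabular Q-learning, epsilon-greedy, with a 1/n^0.7 step size per (stage, action)."""
    rng = random.Random(seed)
    q = {s: {a: 0.0 for a in ACTIONS} for s in STAGES}
    visits = {(s, a): 0 for s in STAGES for a in ACTIONS}
    for _ in range(episodes):
        stage = "recon"
        for _ in range(max_steps):
            if rng.random() < epsilon:
                action = rng.choice(ACTIONS)
            else:
                action = max(ACTIONS, key=lambda a: q[stage][a])
            nxt, reward = step(stage, action, rng)
            target = reward if nxt == TERMINAL else reward + gamma * max(q[nxt].values())
            visits[(stage, action)] += 1
            alpha = 1.0 / visits[(stage, action)] ** 0.7   # decaying learning rate
            q[stage][action] += alpha * (target - q[stage][action])
            if nxt == TERMINAL:
                break
            stage = nxt
    return q


def greedy_policy(q):
    """Deception action with the highest Q-value in each stage."""
    return {s: max(ACTIONS, key=lambda a: q[s][a]) for s in STAGES}


def evaluate(policy, episodes=2000, max_steps=50, seed=11):
    """Mean undiscounted return and mean engaged steps per session under a fixed policy."""
    rng = random.Random(seed)
    total_reward, engaged_steps = 0.0, 0
    for _ in range(episodes):
        stage = "recon"
        for _ in range(max_steps):
            nxt, reward = step(stage, policy[stage], rng)
            total_reward += reward
            if nxt == TERMINAL:
                break
            engaged_steps += 1
            stage = nxt
    return total_reward / episodes, engaged_steps / episodes


STATIC_POLICY = {s: "emulate_service" for s in STAGES}  # non-adaptive baseline

if __name__ == "__main__":
    policy = greedy_policy(train())
    print("learned policy:", policy)
    print("adaptive (return, engaged steps):", evaluate(policy))
    print("static   (return, engaged steps):", evaluate(STATIC_POLICY))
```

Under this constructed model the learned policy emulates services during reconnaissance, offers credentials once the attacker is probing, emulates a realistic service at login and slows responses once a shell is obtained, which keeps the attacker engaged roughly twice as long as the static baseline. The point of the example is the structure of the loop (state from attacker behaviour, action from the Q-table, reward from engagement and intelligence minus cost), not the specific numbers.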
The system also includes a deep learning-based anomaly detection module for classifying network traffic and a game-theoretic model for optimal placement of honeypots in a network under resource constraints. Additionally, a deception effectiveness score is defined to measure realism, engagement, resistance to detection, and intelligence gain.
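As an added example of the placement problem (not the paper's own model, whose formulation is not reproduced on this page), the script below treats honeypot placement as a pure-strategy leader-follower game: the defender commits to a placement within a cost budget, the attacker observes it and targets the subnet with the highest expected gain, and the defender picks the placement that minimises that best-response gain. The subnet names, asset values, detection probabilities, honeypot costs and budget are assumed numbers chosen for illustration.

```python
"""Honeypot placement as a budgeted leader-follower game (constructed example)."""
from itertools import combinations

# Assumed network: asset value the attacker gains if undetected, probability that a
# honeypot in that subnet catches/engages the attacker, and the cost of running one.
SUBNETS = {
    "dmz":      {"value": 8.0, "detect": 0.90, "cost": 3},
    "corp-lan": {"value": 5.0, "detect": 0.70, "cost": 2},
    "ot":       {"value": 9.0, "detect": 0.60, "cost": 4},
    "guest":    {"value": 1.0, "detect": 0.80, "cost": 1},
    "dev":      {"value": 4.0, "detect": 0.75, "cost": 2},
}


def attacker_payoff(subnet, placement):
    """Expected attacker gain from targeting `subnet` given the defender's placement."""
    s = SUBNETS[subnet]
    return s["value"] * (1.0 - s["detect"]) if subnet in placement else s["value"]


def attacker_best_response(placement):
    """Follower: the attacker sees the placement and picks the most rewarding target."""
    return max(SUBNETS, key=lambda n: attacker_payoff(n, placement))


def optimal_placement(budget):
    """Leader: minimise the attacker's best-response payoff subject to total cost <= budget.

    Exhaustive over subsets, which is fine for a handful of subnets; ties are broken
    in favour of the cheaper placement (the resource-efficiency criterion).
    """
    names = list(SUBNETS)
    best = None
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            cost = sum(SUBNETS[n]["cost"] for n in combo)
            if cost > budget:
                continue
            target = attacker_best_response(combo)
            key = (attacker_payoff(target, combo), cost)
            if best is None or key < best[0]:
                best = (key, frozenset(combo), target)
    (payoff, cost), placement, target = best
    return {"placement": placement, "cost": cost,
            "attacker_target": target, "attacker_payoff": payoff}


if __name__ == "__main__":
    for budget in (0, 4, 7):
        print(budget, optimal_placement(budget))
```

With a budget of 7 the defender covers the two most valuable subnets (dmz and ot) and the attacker's best remaining option drops from 9.0 (undefended ot) to 5.0 (undefended corp-lan). A mixed-strategy or Bayesian variant, in which the attacker is uncertain about where honeypots sit, would be solved by linear programming rather than by this enumeration.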
A major feature of AEGIS-AI is federated learning, which allows multiple deployments to share threat intelligence collaboratively without exposing sensitive data, improving collective defense.
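The script below is an added example of the federated pattern (not the paper's code): two honeypot sites each train a small logistic-regression anomaly classifier on local flow features, and only model parameters and sample counts are sent to an aggregator, which combines them by federated averaging (FedAvg). The feature names, the sample records and the hyperparameters are constructed for illustration. One caveat the paper's summary does not cover: averaged parameters are not by themselves a privacy guarantee, since gradients and weights can leak information about training records; production deployments pair FedAvg with secure aggregation or differential privacy.

```python
"""Federated averaging of a honeypot anomaly classifier across two sites (constructed example)."""
import math

FEATURES = ["conn_rate", "failed_logins", "distinct_ports"]  # assumed, pre-scaled to [0, 1]

# Constructed local datasets: (features, label), label 1 = intrusion-like session.
SITE_A = [
    ([0.10, 0.05, 0.10], 0), ([0.20, 0.00, 0.15], 0), ([0.05, 0.10, 0.05], 0),
    ([0.85, 0.90, 0.80], 1), ([0.90, 0.70, 0.95], 1), ([0.75, 0.95, 0.85], 1),
]
SITE_B = [
    ([0.15, 0.10, 0.20], 0), ([0.00, 0.05, 0.10], 0), ([0.25, 0.15, 0.05], 0), ([0.10, 0.20, 0.15], 0),
    ([0.95, 0.85, 0.90], 1), ([0.80, 0.80, 0.70], 1), ([0.90, 0.95, 1.00], 1), ([0.70, 0.75, 0.90], 1),
]


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def predict_proba(model, x):
    w, b = model
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)


def local_train(data, model, epochs=300, lr=1.0):
    """Site-side step: batch gradient descent on log-loss, starting from the global model.

    Raw records are only ever read here; the function returns parameters and a count.
    """
    w, b = list(model[0]), model[1]
    n = len(data)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for x, y in data:
            err = predict_proba((w, b), x) - y
            for i, xi in enumerate(x):
                gw[i] += err * xi / n
            gb += err / n
        w = [wi - lr * gi for wi, gi in zip(w, gw)]
        b -= lr * gb
    return (w, b), n


def fedavg(updates):
    """Aggregator side: sample-count-weighted mean of parameters. Only (params, n) arrive."""
    total = sum(n for _, n in updates)
    dim = len(updates[0][0][0])
    w = [sum(m[0][i] * n for m, n in updates) / total for i in range(dim)]
    b = sum(m[1] * n for m, n in updates) / total
    return (w, b)


def run_federated(rounds=3):
    """Rounds of: broadcast global model -> local training -> aggregate."""
    model = ([0.0] * len(FEATURES), 0.0)
    for _ in range(rounds):
        updates = [local_train(SITE_A, model), local_train(SITE_B, model)]
        model = fedavg(updates)
    return model


def classify(model, x, threshold=0.5):
    return int(predict_proba(model, x) >= threshold)


if __name__ == "__main__":
    global_model = run_federated()
    print("global weights:", global_model)
    print("benign ->", classify(global_model, [0.1, 0.0, 0.1]))
    print("intrusion-like ->", classify(global_model, [0.9, 1.0, 0.9]))
```

The separation of concerns is the point: `local_train` is the only function that touches a site's records, and `fedavg` is written so that it cannot, because it receives nothing but parameter vectors and counts.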
Conclusion
This paper presents AEGIS-AI, an autonomous honeypot network framework that uses reinforcement learning-based deception adaptation combined with deep learning-based anomaly detection to improve cyber threat detection. The Markov Decision Process (MDP) formulation provides the means for ongoing optimisation of the deception strategies, while game theory is applied to deploy honeypots resource-efficiently. The experimental evaluation shows superior performance across all metrics, with an accuracy of 97.8%, a false positive rate of 1.4% and a mean engagement duration of 520 seconds. Federated learning provides a mechanism for scalable and privacy-preserving collaborative defence. Future work will focus on integrating AEGIS-AI with Security Information and Event Management (SIEM) platforms, extending it to Internet of Things (IoT) and 5G environments, and testing adversarial robustness against attackers who are aware of the honeypot.