This paper introduces an advanced honeypot framework deployed in a cloud environment to improve cyber threat detection and facilitate efficient incident response. It combines Microsoft Azure services (Azure Monitor Agent, Log Analytics Workspace, and Microsoft Sentinel) with the open-source Artillery honeypot tool, and is architected to monitor and analyze malicious behavior in real time. It enhances situational awareness through threat intelligence integration, behavioral analysis, and automated workflows. By isolating suspicious activity and delivering actionable insights via detailed telemetry and visual dashboards, the system enables informed security operations. The effectiveness of the architecture is demonstrated through practical implementation, with discussions of performance, encountered challenges, and potential avenues for future development.
Introduction
This paper describes a cloud-based honeypot system for proactive cybersecurity in the context of increasingly sophisticated cyber threats. Traditional defenses such as firewalls and signature-based IDS are inadequate against modern attacks, including zero-day exploits, automation-driven attacks, and advanced persistent threats (APTs). Honeypots, decoy systems that mimic vulnerable assets, attract attackers and allow organizations to capture detailed telemetry of malicious activity for analysis without risking production systems.
Key Concepts and Advantages:
Honeypots: Safely isolate interactions to gather attacker behavior, tools, and techniques, providing actionable threat intelligence.
Cloud Deployment: Cloud platforms, such as Microsoft Azure, enhance honeypots with scalability, geographic diversity, and simplified configuration, allowing broader coverage and richer data collection.
Data Analytics: Collected data is centralized using tools like Elasticsearch and Kibana (existing systems) or Microsoft Sentinel (proposed system) for real-time analysis, visualization, and anomaly detection.
Threat Intelligence Sharing: Information can be shared with cybersecurity communities, law enforcement, and government agencies to strengthen collective defense.
Proposed System Architecture:
Honeypot Module: Deploys decoy virtual machines (VMs) with tools like Artillery to emulate exploitable services, capturing attacks such as brute-force logins and port scans.
Data Collection Module: Azure Monitor Agent (AMA) gathers telemetry from honeypots, storing it in the Log Analytics Workspace.
Threat Intelligence Module: Integrates external feeds (e.g., VirusTotal, AbuseIPDB) to validate threats and enhance detection accuracy.
SIEM Module: Microsoft Sentinel applies real-time analytics, behavior-based monitoring, and anomaly detection using Kusto Query Language (KQL).
Incident Response and Automation Module: Automated workflows via Azure Logic Apps trigger mitigation actions such as isolating affected VMs, blocking attacker IPs, generating alerts, and updating security dashboards.
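The following is an added, offline model of the detection, enrichment, and response chain the five modules describe; it is example code written for this summary, not the paper's implementation. It assumes sshd auth-log lines of the kind the honeypot VM would emit and AMA would forward into the Syslog table, a brute-force rule of at least 10 failed logins from one source IP within a 5-minute bin, and a hypothetical local reputation feed standing in for the AbuseIPDB/VirusTotal lookups. The KQL string is the assumed Sentinel analytics rule equivalent of the Python detection logic; it is shown for reference and is not executed here. All log lines are constructed.

```python
"""Added example: honeypot brute-force detection -> threat-intel enrichment -> playbook decision.

Assumptions (not from the paper): sshd auth-log format, 10 failures per 5-minute bin,
and a constructed local reputation feed in place of a live AbuseIPDB/VirusTotal query.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed Sentinel analytics rule with the same semantics as detect_brute_force()
# below (illustrative KQL; not run by this script).
BRUTE_FORCE_KQL = r"""
Syslog
| where ProcessName == "sshd" and SyslogMessage has "Failed password"
| extend AttackerIP = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
| summarize Attempts = count() by AttackerIP, bin(TimeGenerated, 5m)
| where Attempts >= 10
"""

THRESHOLD = 10          # failed logins per source IP per 5-minute bin
TI_CUTOFF = 80          # reputation score at or above which a source is "known bad"

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Hypothetical reputation feed (constructed). A real Threat Intelligence Module
# would call the vendor API; the shape of the answer is all this example needs.
THREAT_FEED = {"192.0.2.9": 100, "203.0.113.7": 35}


def parse_failures(lines):
    """Yield (timestamp, user, source_ip) for every sshd failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:  # non-matching lines (accepted logins, other daemons) are ignored
            yield datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["user"], m["ip"]


def bin_5m(ts):
    """Floor a timestamp to its 5-minute bin, mirroring KQL bin(TimeGenerated, 5m)."""
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)


def detect_brute_force(lines, threshold=THRESHOLD):
    """Return one alert per (source IP, 5-minute bin) that reaches the threshold."""
    counts = Counter((ip, bin_5m(ts)) for ts, _user, ip in parse_failures(lines))
    return [{"ip": ip, "window_start": start, "attempts": n}
            for (ip, start), n in sorted(counts.items()) if n >= threshold]


def enrich(ip, feed=THREAT_FEED):
    """Reputation score for a source IP; 0 when the feed has never seen it."""
    return feed.get(ip, 0)


def plan_response(lines, feed=THREAT_FEED, threshold=THRESHOLD, ti_cutoff=TI_CUTOFF):
    """Decide what the automation playbook should do for each attacking source."""
    incidents = {}
    for alert in detect_brute_force(lines, threshold):
        score = enrich(alert["ip"], feed)
        incidents[alert["ip"]] = {
            "reason": "brute_force", "attempts": alert["attempts"], "ti_score": score,
            "severity": "High" if score >= ti_cutoff else "Medium",
            "actions": ["create_incident", "block_ip"],
        }
    # Threat intel validates what the volume threshold alone misses: even a
    # couple of attempts from a feed-flagged source become a High incident.
    seen = Counter(ip for _ts, _user, ip in parse_failures(lines))
    for ip, n in seen.items():
        if ip not in incidents and enrich(ip, feed) >= ti_cutoff:
            incidents[ip] = {
                "reason": "known_bad_source", "attempts": n, "ti_score": enrich(ip, feed),
                "severity": "High", "actions": ["create_incident", "block_ip"],
            }
    return incidents


def build_sample_log():
    """Constructed auth-log lines (not real telemetry) exercising the three cases."""
    base = datetime(1900, 1, 10, 10, 0, 0)  # syslog lines carry no year

    def line(t, ip, pid, port, user="root"):
        return (f"Jan {t.day} {t:%H:%M:%S} honeypot sshd[{pid}]: "
                f"Failed password for {user} from {ip} port {port} ssh2")

    lines = [line(base + timedelta(seconds=15 * i), "203.0.113.7", 1200 + i, 51000 + i)
             for i in range(12)]                                   # brute-forcer, one bin
    lines.append(line(base + timedelta(minutes=1), "198.51.100.5", 1300, 40022, "admin"))  # noise
    lines += [line(base + timedelta(minutes=2, seconds=30 * i), "192.0.2.9", 1400 + i, 60000 + i)
              for i in range(2)]                                   # low volume, known bad
    lines.append("Jan 10 10:03:00 honeypot sshd[1500]: Accepted publickey for azureuser "
                 "from 10.0.0.4 port 22 ssh2")                    # must be ignored
    return lines


if __name__ == "__main__":
    for ip, inc in plan_response(build_sample_log()).items():
        print(ip, inc)
```

Running the script prints two incidents: the brute-forcing source at Medium severity (12 attempts, reputation score below the cutoff) and the feed-flagged source at High severity despite only two attempts; the single stray failure produces nothing. In the real architecture the first stage is the Sentinel rule, the lookup is an HTTP call to the feed, and the actions list is what the Logic Apps playbook would execute.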
Benefits of the Proposed System:
Proactive Threat Detection: Enables early identification of threats before production systems are impacted.
Automation: Reduces reliance on manual intervention, improving response speed and accuracy.
Scalability: Cloud-native, multi-region deployment increases coverage across various attack vectors.
Integrated Defense: Combines honeypots, threat intelligence, SIEM analytics, and automated playbooks into a closed-loop cybersecurity model.
Conclusion
The development and deployment of the proposed cloud-based honeypot framework mark a significant step forward in establishing an intelligent, scalable, and adaptive approach to cybersecurity. Built on Microsoft Azure and utilizing components such as Artillery and Microsoft Sentinel, the system enables persistent monitoring, automated threat detection, and efficient incident response within dynamic cloud environments. This project has demonstrated technical feasibility and operational simplicity, while also maintaining compliance with widely accepted data protection practices. The use of modular components allows for flexible expansion and integration with other security tools, ensuring that the system can evolve alongside emerging threats and infrastructure changes.
Beyond basic threat detection, the system offers strategic advantages, including enriched threat intelligence, behavioral analysis, and real-time response automation. Its proactive design minimizes exposure to risk while enhancing visibility into attacker tactics and techniques. The combination of telemetry analysis, automated mitigation, and centralized monitoring contributes to stronger defense capabilities across organizational assets.
In conclusion, the system fulfills its primary objectives by delivering a forward-looking cybersecurity solution that is both cost-effective and operationally robust. It enhances detection accuracy, reduces exposure to threats, and equips security teams with the insights needed to respond rapidly and intelligently to modern cyberattacks.