AI-Driven Intrusion Detection System Using SSH Honeypots
Abstract
With the rapid evolution of cyber threats targeting critical services like SSH, traditional Intrusion Detection Systems (IDS) are often unable to handle zero-day attacks and advanced persistent threats. This work proposes an intelligent IDS powered by SSH honeypots combined with machine learning. The honeypots simulate vulnerable SSH services to capture attacker behavior, which is then analyzed using Random Forest classifiers and Autoencoders for accurate intrusion detection. Our AI-based framework shows robust detection rates across multiple attack vectors, offering dynamic adaptability to evolving threats. The proposed system demonstrates a promising defense mechanism, bridging the gap between traditional signature-based systems and modern AI-driven security solutions.
Keywords
intrusion detection system (IDS), SSH Honeypot, machine learning, anomaly detection, cybersecurity
Cite This Article
TY - JOUR
AU - Satpute, Abhishek
AU - Nikam, Suraj
AU - Gaikwad, Vishwajit
AU - Kakade, Yash
AU - Mhaske, Chhaya
PY - 2025
DA - 2025/08/19
TI - AI-Driven Intrusion Detection System Using SSH Honeypots
JO - ICCK Transactions on Cybersecurity
T2 - ICCK Transactions on Cybersecurity
JF - ICCK Transactions on Cybersecurity
VL - 1
IS - 1
SP - 3
EP - 12
DO - 10.62762/TC.2025.521799
UR - https://www.icck.org/article/abs/TC.2025.521799
KW - intrusion detection system (IDS)
KW - SSH Honeypot
KW - machine learning
KW - anomaly detection
KW - cybersecurity
AB - With the rapid evolution of cyber threats targeting critical services like SSH, traditional Intrusion Detection Systems (IDS) are often unable to handle zero-day attacks and advanced persistent threats. This work proposes an intelligent IDS powered by SSH honeypots combined with machine learning. The honeypots simulate vulnerable SSH services to capture attacker behavior, which is then analyzed using Random Forest classifiers and Autoencoders for accurate intrusion detection. Our AI-based framework shows robust detection rates across multiple attack vectors, offering dynamic adaptability to evolving threats. The proposed system demonstrates a promising defense mechanism, bridging the gap between traditional signature-based systems and modern AI-driven security solutions.
SN - 3069-3349
PB - Institute of Central Computation and Knowledge
LA - English
ER -
@article{Satpute2025AIDriven,
author = {Abhishek Satpute and Suraj Nikam and Vishwajit Gaikwad and Yash Kakade and Chhaya Mhaske},
title = {AI-Driven Intrusion Detection System Using SSH Honeypots},
journal = {ICCK Transactions on Cybersecurity},
year = {2025},
volume = {1},
number = {1},
pages = {3-12},
doi = {10.62762/TC.2025.521799},
url = {https://www.icck.org/article/abs/TC.2025.521799},
abstract = {With the rapid evolution of cyber threats targeting critical services like SSH, traditional Intrusion Detection Systems (IDS) are often unable to handle zero-day attacks and advanced persistent threats. This work proposes an intelligent IDS powered by SSH honeypots combined with machine learning. The honeypots simulate vulnerable SSH services to capture attacker behavior, which is then analyzed using Random Forest classifiers and Autoencoders for accurate intrusion detection. Our AI-based framework shows robust detection rates across multiple attack vectors, offering dynamic adaptability to evolving threats. The proposed system demonstrates a promising defense mechanism, bridging the gap between traditional signature-based systems and modern AI-driven security solutions.},
keywords = {intrusion detection system (IDS), SSH Honeypot, machine learning, anomaly detection, cybersecurity},
issn = {3069-3349},
publisher = {Institute of Central Computation and Knowledge}
}
Publisher's Note
ICCK stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.