Anomaly detection is essential in cybersecurity for identifying abnormal activity, and the need for it has grown with the increasing complexity of cyberthreats. This study uses the BPF-Extended Tracking Honeypot (BETH) dataset, a comprehensive resource designed to benchmark robustness in detecting anomalous behaviour in kernel-level process and network logs. The symmetry of the proposed system lies in its ability to identify balanced and consistent patterns within kernel-level process logs, which form the foundation for accurately distinguishing anomalies. The study focuses on anomaly detection in kernel-level process logs by introducing an enhanced Isolation Forest (iForest) model, integrated into a structured framework that covers exploratory data analysis (EDA), data pre-processing, model training, validation, and evaluation. The proposed approach achieves a significant improvement in anomaly detection performance, with an area under the receiver operating characteristic curve (AUROC) of 0.917, an approximate 7.88% increase over the baseline model's AUROC of 0.850. The model also demonstrates high precision (99.57%), F1-score (91.69%), and accuracy (86.03%), minimising false positives while maintaining balanced detection capability. These results underscore the value of leveraging symmetry in designing advanced intrusion detection systems and offer a structured, efficient solution for identifying cyberthreats.
G. Kingsle Edwin Vinodh Ewards, G. Jaspher W. Kathrine, G. Matthew Palmer, A. Bertia, S. J. Vijay
Leelkanth Dewangan, Shikhar Sharma
Akshat Divya Akshay, Anchit Bhushan, Nihal Anand, Rishabh Khemka, Sumithra Devi K. A.
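To make the evaluation pipeline concrete, here is an added example (not the paper's code or the BETH project's tooling): a minimal Isolation Forest, scored with the path-length normalisation and the AUROC metric the abstract reports, run over a few constructed kernel-process-log records. The record fields (userId, mountNamespace flag, argsNum, returnValue) are assumed BETH-style columns and the values are constructed, not taken from the dataset.

```python
# Added illustration (not the paper's code): minimal Isolation Forest + AUROC
# over constructed, BETH-style kernel process-log records.
import math
import random

def c(n):  # iForest normaliser: expected path length of an unsuccessful BST search
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_tree(rows, depth, max_depth, rng):
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))  # leaves remember their size for scoring
    f = rng.randrange(len(rows[0]))  # random feature, random split within its range
    lo, hi = min(r[f] for r in rows), max(r[f] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    s = rng.uniform(lo, hi)
    return ("node", f, s,
            build_tree([r for r in rows if r[f] < s], depth + 1, max_depth, rng),
            build_tree([r for r in rows if r[f] >= s], depth + 1, max_depth, rng))

def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c(tree[1])  # unresolved leaf: add expected remaining depth
    _, f, s, left, right = tree
    return path_length(left if x[f] < s else right, x, depth + 1)

def fit_iforest(rows, n_trees=100, sample_size=256, seed=0):
    rng = random.Random(seed)
    size = min(sample_size, len(rows))
    return [build_tree(rng.sample(rows, size), 0, math.ceil(math.log2(size)), rng)
            for _ in range(n_trees)], size

def anomaly_score(forest, x):
    trees, size = forest  # score near 1 = isolated quickly = anomalous
    return 2.0 ** (-(sum(path_length(t, x) for t in trees) / len(trees)) / c(size))

def auroc(labels, scores):
    # Probability a random anomaly outscores a random normal record (ties count half).
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def demo(seed=1):
    # Constructed records: (userId, mountNamespace-is-default, argsNum, returnValue).
    rng = random.Random(seed)
    normal = [(rng.randint(1000, 1010), 1, rng.randint(2, 4), 0) for _ in range(100)]
    evil = [(0, 0, rng.randint(8, 10), -13) for _ in range(10)]  # root, odd namespace, failing calls
    rows, labels = normal + evil, [0] * 100 + [1] * 10
    forest = fit_iforest(rows)
    return auroc(labels, [anomaly_score(forest, r) for r in rows])
```

`demo()` returns the AUROC of the forest on the constructed records; on real BETH data the same `fit_iforest` / `anomaly_score` / `auroc` pipeline applies once the log fields are encoded numerically.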