Evaluation and Comparison of the Use of Reinforcement Learning Algorithms on SSH Honeypot

  • Marco Ariano Kristyanto Informatics Department, Universitas Surabaya, Surabaya, East Java
  • Maya Hilda Lestari Louk Informatics Department, Universitas Surabaya, Surabaya, East Java
Keywords: Honeypot, Reinforcement Learning, DQN, DDQN, Adaptive Honeypot


A honeypot is a tool or system used to record, redirect, and even lure attackers into penetrating and exploiting a decoy system. As technology develops, cyber attackers increasingly recognize honeypots using various software and tools, so honeypots need a way to learn how attackers behave. The idea proposed here is to combine a honeypot with a reinforcement learning algorithm so that it becomes an adaptive honeypot. This study examines the concept by comparing two Q-learning-based RL algorithms, DQN and DDQN, to determine which is more optimal. The results show that the DDQN algorithm selects actions more effectively than DQN because its double Q-value estimate helps determine actions more accurately. The DDQN honeypot also consumed less memory than the DQN honeypot. Based on its learning curve and its handling of attacker commands, DDQN is a suitable alternative algorithm to combine with honeypots, since its learning behavior lets a honeypot adapt faster in a dynamic environment.
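The core difference between the two algorithms compared above is how the bootstrap target for the next state is computed: DQN lets one network both select and evaluate the next action, while DDQN decouples selection (online network) from evaluation (target network), reducing overestimation bias. The sketch below is illustrative only; the function names, the discount factor, and the hand-picked Q-values are assumptions for demonstration, and a real honeypot agent would estimate Q-values with neural networks rather than fixed lists.

```python
# Minimal sketch of the DQN vs. DDQN target computation (illustrative values).
GAMMA = 0.9  # discount factor (assumed for this example)

def dqn_target(reward, q_target_next):
    # DQN: the target network both selects and evaluates the next action,
    # which tends to overestimate action values.
    return reward + GAMMA * max(q_target_next)

def ddqn_target(reward, q_online_next, q_target_next):
    # DDQN: the online network selects the action (argmax), and the target
    # network evaluates it; decoupling reduces overestimation bias.
    best = max(range(len(q_online_next)), key=lambda a: q_online_next[a])
    return reward + GAMMA * q_target_next[best]

# Hypothetical per-action Q-values for the attacker's next state:
q_online = [0.2, 0.8, 0.5]   # online-network estimates
q_target = [0.3, 0.4, 0.9]   # target-network estimates
dqn = dqn_target(1.0, q_target)             # 1.0 + 0.9 * 0.9  ~= 1.81
ddqn = ddqn_target(1.0, q_online, q_target) # 1.0 + 0.9 * 0.4  ~= 1.36
```

Note how DQN's target is pulled up by the target network's largest (possibly overestimated) value, while DDQN evaluates the action the online network actually prefers, yielding the more conservative estimate the paper credits for DDQN's more accurate action selection.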




R. Vishwakarma and A. K. Jain, “A honeypot with machine learning based detection framework for defending IoT based botnet DDoS attacks,” Proc. Int. Conf. Trends Electron. Informatics (ICOEI 2019), pp. 1019–1024, 2019, doi: 10.1109/ICOEI.2019.8862720.

F. Zhang and S.-C. Khoo, “An empirical study on clone consistency prediction based on machine learning,” Inf. Softw. Technol., vol. 136, Aug. 2021.

C. Yang, J. Zhang, and G. Gu, “A taste of tweets: Reverse engineering Twitter spammers,” ACM Int. Conf. Proceeding Ser., pp. 86–95, Dec. 2014, doi: 10.1145/2664243.2664258.

G. Wagener, R. State, T. Engel, and A. Dulaunoy, “Adaptive and self-configurable honeypots,” Proc. 12th IFIP/IEEE Int. Symp. Integr. Netw. Manag. (IM 2011), pp. 345–352, 2011, doi: 10.1109/INM.2011.5990710.

D. Fraunholz, M. Zimmermann, and H. D. Schotten, “An adaptive honeypot configuration, deployment and maintenance strategy,” Int. Conf. Adv. Commun. Technol. (ICACT), pp. 53–57, Mar. 2017, doi: 10.23919/ICACT.2017.7890056.

J. Wang, J. Liu, H. Guo, and B. Mao, “Deep reinforcement learning for securing software-defined industrial networks with distributed control plane,” IEEE Trans. Ind. Informatics, vol. 18, no. 6, pp. 4275–4285, 2022, doi: 10.1109/TII.2021.3128581.

K. Sethi, Y. V. Madhav, R. Kumar, and P. Bera, “Attention based multi-agent intrusion detection systems using reinforcement learning,” J. Inf. Secur. Appl., vol. 61, p. 102923, Sep. 2021, doi: 10.1016/j.jisa.2021.102923.

A. Pauna and I. Bica, “RASSH - Reinforced adaptive SSH honeypot,” IEEE Int. Conf. Commun., 2014, doi: 10.1109/ICCOMM.2014.6866707.

A. Pauna, A.-C. Iacob, and I. Bica, “QRASSH - A self-adaptive SSH honeypot driven by Q-learning,” pp. 441–446, Oct. 2018, doi: 10.1109/ICCOMM.2018.8484261.

S. Suratkar et al., “An adaptive honeypot using Q-Learning with severity analyzer,” J. Ambient Intell. Humaniz. Comput., vol. 13, no. 10, pp. 4865–4876, Oct. 2022, doi: 10.1007/s12652-021-03229-2.

S. Dowling, M. Schukat, and E. Barrett, “Using reinforcement learning to conceal honeypot functionality,” Lect. Notes Comput. Sci., vol. 11053, pp. 341–355, 2019, doi: 10.1007/978-3-030-10997-4_21.

S. Touch and J.-N. Colin, “A comparison of an adaptive self-guarded honeypot with conventional honeypots,” Appl. Sci., vol. 12, no. 10, p. 5224, May 2022, doi: 10.3390/APP12105224.

M. S. Zemene and P. S. Avadhani, “Implementing high interaction honeypot to study SSH attacks,” 2015 Int. Conf. Adv. Comput. Commun. Informatics (ICACCI 2015), pp. 1898–1903, Sep. 2015, doi: 10.1109/ICACCI.2015.7275895.

A. Shimoda, T. Mori, and S. Goto, “Sensor in the dark: Building untraceable large-scale honeypots using virtualization technologies,” Proc. 10th Annu. Int. Symp. Appl. Internet (SAINT 2010), pp. 22–30, 2010, doi: 10.1109/SAINT.2010.42.

M. A. Kristyanto et al., “SSH bruteforce attack classification using machine learning,” 2022 10th Int. Conf. Inf. Commun. Technol. (ICoICT 2022), pp. 116–119, 2022, doi: 10.1109/ICOICT55009.2022.9914864.

X. Bellekens et al., “From cyber-security deception to manipulation and gratification through gamification,” Lect. Notes Comput. Sci., vol. 11594, pp. 99–114, 2019, doi: 10.1007/978-3-030-22351-9_7.

M. Oosterhof, “Cowrie Documentation,” 2022, [Online]. Available: https://readthedocs.org/projects/cowrie/downloads/pdf/latest/

S. Djanali, F. Arunanto, B. A. Pratomo, A. Baihaqi, H. Studiawan, and A. M. Shiddiqi, “Aggressive web application honeypot for exposing attacker’s identity,” 2014 1st Int. Conf. Inf. Technol. Comput. Electr. Eng. (ICITACEE 2014), pp. 212–216, Mar. 2015, doi: 10.1109/ICITACEE.2014.7065744.

S. Touch and J.-N. Colin, “Asguard: Adaptive self-guarded honeypot,” Int. Conf. Web Inf. Syst. Technol. (WEBIST 2021), pp. 565–574, 2021, doi: 10.5220/0010719100003058.

C. Guan, H. Liu, G. Cao, S. Zhu, and T. La Porta, “HoneyIoT: Adaptive high-interaction honeypot for IoT devices through reinforcement learning,” Proc. 16th ACM Conf. Secur. Priv. Wirel. Mob. Networks (WiSec 2023), pp. 49–59, May 2023, doi: 10.1145/3558482.3590195.

R. S. Sutton and A. G. Barto, Reinforcement Learning: An Introduction, 2nd ed. Cambridge, MA, USA: MIT Press, 2018.

G. Gupta and R. Katarya, “A study of deep reinforcement learning based recommender systems,” Int. Conf. Secur. Cyber Comput. Commun. (ICSCCC 2021), pp. 218–220, May 2021, doi: 10.1109/ICSCCC51823.2021.9478178.

T. T. Nguyen and V. J. Reddi, “Deep reinforcement learning for cyber security,” IEEE Trans. Neural Networks Learn. Syst., vol. 34, no. 8, pp. 3779–3795, 2023, doi: 10.1109/TNNLS.2021.3121870.

P. Radoglou-Grammatikis et al., “Strategic honeypot deployment in ultra-dense beyond 5G networks: A reinforcement learning approach,” IEEE Trans. Emerg. Top. Comput., 2022, doi: 10.1109/TETC.2022.3184112.

E. Suwannalai and C. Polprasert, “Network intrusion detection systems using adversarial reinforcement learning with deep Q-network,” in Int. Conf. ICT and Knowledge Engineering, 2020, doi: 10.1109/ICTKE50349.2020.9289884.

D. Tagesson, N. Xiong, and S. Barua, “A comparison between deep Q-learning and deep deterministic policy gradient for an autonomous drone in a simulated environment,” 2021.

H. Alavizadeh, H. Alavizadeh, and J. Jang-Jaccard, “Deep Q-learning based reinforcement learning approach for network intrusion detection,” Computers, vol. 11, no. 3, 2022, doi: 10.3390/computers11030041.

O. Navarro Ferrer, “Analysis of reinforcement learning techniques applied to honeypot systems,” 2021, [Online]. Available: http://hdl.handle.net/10609/126948

J. S. López-Yépez and A. Fagette, “Increasing attacker engagement on SSH honeypots using semantic embeddings of cyber-attack patterns and deep reinforcement learning,” Proc. 2022 IEEE Symp. Ser. Comput. Intell. (SSCI 2022), pp. 389–395, 2022, doi: 10.1109/SSCI51031.2022.10022206.

H. van Hasselt, A. Guez, and D. Silver, “Deep reinforcement learning with double Q-learning,” in Proc. AAAI Conf. Artif. Intell., 2016.

M. A. Kristyanto, H. Studiawan, and B. A. Pratomo, “Evaluation of reinforcement learning algorithm on SSH honeypot,” Proc. 6th Int. Conf. Inf. Technol. Inf. Syst. Electr. Eng. (ICITISEE 2022), pp. 346–350, 2022, doi: 10.1109/ICITISEE57756.2022.10057816.

A. Pashaei, M. E. Akbari, M. Zolfy Lighvan, and A. Charmin, “Early intrusion detection system using honeypot for industrial control networks,” Results Eng., vol. 16, p. 100576, 2022, doi: 10.1016/j.rineng.2022.100576.

How to Cite
Kristyanto, M. A., & Louk, M. H. L. (2024). Evaluation and Comparison of the Use of Reinforcement Learning Algorithms on SSH Honeypot. Teknika, 13(1), 77–85. https://doi.org/10.34148/teknika.v13i1.763