Global Research Press

Securing IoT Infrastructures Using Honeypot-Based Intrusion Detection (IDS) and AES-256 Encryption: A Comprehensive Survey

DOI : https://doi.org/10.5281/zenodo.18470436

Shegufta Nasrin Mazumder

B. Tech Cyber Forensics and Information Security, Department of Cyber Security, Dr. M.G.R. Educational and Research Institute University,

Chennai, Tamil Nadu, India.

ABSTRACT – The escalating threat landscape of the Internet of Things (IoT), marked by over 820,000 daily attacks and a 46% surge in ransomware in 2025, demands advanced defensive paradigms. This survey presents the first systematic analysis of honeypot-based Intrusion Detection Systems (IDSs) integrated with AES-256 encryption, a critical convergence of deceptive defence, detection, and cryptographic security tailored for IoT infrastructures. Addressing a significant literature gap, our PRISMA-guided methodology synthesises research from major digital libraries (IEEE Xplore, ACM, ScienceDirect, arXiv). We establish a novel taxonomy classifying systems by (1) honeypot interaction level (low, high, hybrid), (2) AES-256 integration role (secure communication, data-at-rest protection, encrypted attack analysis), and (3) system architecture (centralised, decentralised, AI-enhanced). Key findings demonstrate that AES-256 encryption introduces minimal operational overhead, adding only 0.003 seconds per MB compared to AES-128, while providing a quantum-resistant security margin. Crucially, AI-enhanced models demonstrate exceptional efficacy: LSTM/Bi-LSTM networks achieve 99.9% accuracy in DDoS detection, while ensemble methods, such as Random Forest, exceed 99.8% accuracy in identifying anomalies in Industrial IoT settings. Real-world case studies, including the containment of Makop ransomware in a simulated water treatment plant, validate the practical defensive capability of these integrated systems. The analysis reveals emerging trends such as blockchain-integrated honeypot ecosystems, AI-driven adaptive deception, and Software-Defined Networking (SDN) orchestration. Persistent open challenges in scalability, adversary evasion techniques, and legal frameworks are examined. Finally, we propose a forward-looking roadmap advocating for lightweight AES implementations for constrained devices, standardised performance benchmarks, autonomous honeypot networks, and preparations for post-quantum cryptography. This survey establishes encrypted honeypots as essential, proactive components in the IoT security arsenal. It provides foundational knowledge and a structured framework for researchers and practitioners aiming to bridge deception technology, intrusion detection, and cryptographic integrity for the expanding IoT frontier.

KEYWORDS: Honeypot, Intrusion Detection System (IDS), AES-256 Encryption, IoT Security, Cybersecurity, Deception Technology, AI-Enhanced Security, Threat Intelligence, Ransomware, Systematic Survey, LSTM (Long Short-Term Memory), Random Forest.

  1. INTRODUCTION

    This survey paper is meticulously scoped to provide a comprehensive and in-depth analysis of a highly specialised and critical area within modern cybersecurity: the integration of honeypot-based Intrusion Detection Systems (IDS) that utilise the Advanced Encryption Standard (AES) with a 256-bit key length (AES-256). The investigation is not a broad overview of all deception technologies or encryption methods but is instead sharply focused on the confluence of these three specific domains. The primary objective is to systematically examine, classify, and compare existing academic and industrial solutions that leverage this powerful combination to secure contemporary cybersecurity infrastructures. The scope is deliberately narrowed to ensure a deep, rather than wide, analysis, providing a valuable resource for researchers, practitioners, and PhD scholars working at the cutting edge of cyber defence. This focus enables a detailed examination of the architectural designs, operational mechanisms, performance trade-offs, and security implications specific to these integrated systems, which are becoming increasingly crucial in the face of sophisticated and persistent cyber threats.

      1. Core Focus: Honeypot-IDS Integration with AES-256

        This survey focuses on the integrated use of honeypots and Intrusion Detection Systems (IDS), where the entire ecosystem is secured by AES-256 encryption. The honeypot acts as an active, engaging decoy to attract and analyse attackers, while the IDS monitors all related activity for threats. The critical specificity is the mandatory use of AES-256, which serves multiple essential roles: securing communication channels between the honeypot and analysis nodes, encrypting collected attack data and forensic artefacts for protected storage, and sometimes acting as an analysis target itself (e.g., ransomware using AES-256). This emphasis addresses the urgent need to shield sensitive threat intelligence from eavesdropping and tampering, a gap in traditional honeypot research. The survey will analyse how integrating this strong encryption affects the system’s effectiveness, performance, and security.

        1. Target Infrastructure: Internet of Things (IoT) Networks

          The application is specifically targeted at IoT networks due to their unique vulnerability and characteristics. IoT ecosystems are rapidly expanding and are highly vulnerable due to resource-constrained devices, inherent design insecurities, and deployment in critical infrastructure, making them prime targets for attacks ranging from botnets to advanced threats. Additionally, IoT networks present distinct challenges such as device heterogeneity, limited computational power, and high-volume data traffic, which complicate the deployment of honeypot-based IDS. This survey will examine how honeypot technologies are adapted for these constrained environments and how the computational overhead of AES-256 encryption is managed. It covers various IoT contexts, including smart homes, industrial IoT, and critical infrastructure, offering a focused view on securing these dynamic networks.

        2. Honeypot Interaction Levels: High, Low, and Hybrid

          The survey thoroughly examines honeypot systems across all interaction levels. Low-interaction honeypots emulate limited services, offering simplicity, low resource consumption, and high safety, making them suitable for widespread IoT deployment. High-interaction honeypots offer fully operational systems and services, enabling in-depth engagement with attackers and yielding valuable intelligence on their tactics and methods. Hybrid honeypots combine these approaches, balancing the safety and efficiency of low-interaction systems with the detailed data collection of high-interaction ones. The survey will classify and compare solutions based on interaction level, analysing the trade-offs in detection depth, operational risk, and resource use. This provides a comprehensive understanding of design options and identifies the most effective contexts for each type within an AES-256-secured IoT IDS framework.

      2. Justification of Scope

        This specific scope is a deliberate choice motivated by the current cybersecurity landscape, research gaps, and the requirement to protect critical infrastructure. Focusing on the intersection of honeypots, IDS, AES-256, and IoT addresses a timely and important convergence of technologies. The justification stems from the fact that modern threats are increasingly targeting vulnerable IoT devices, and the demand for secure, verifiable threat intelligence is critical. This survey fills a vital gap by providing the first systematic, comprehensive analysis of this domain, laying a structured foundation for future research.

        1. Relevance to Modern Cyber Threats

          The scope specifically targets urgent modern cyber threats. The current period has witnessed a sharp increase in attacks targeting IoT and Operational Technology (OT). Data shows a 46% increase in industrial ransomware in early 2025 alone, with attackers compromising entire networks in less than 24 hours. The number of hacking attempts on IoT devices exceeds 820,000 each day. Attacks are increasingly sophisticated, exemplified by methods such as the supply-chain-based BadBox 2.0 botnet. Traditional defences are inadequate against such scale and innovation. Honeypots provide a proactive security measure to detect new, unknown attacks that signature-based systems might miss. Incorporating AES-256 enhances security against advanced adversarial capabilities, ensuring attack data remains unaltered and safe from theft, thus maintaining the integrity of threat intelligence.

        2. Addressing a Gap in Existing Literature

          While substantial research exists on honeypots, IDS, and encryption separately, a comprehensive survey examining their integration within IoT, with a specific focus on AES-256, is notably absent. Existing honeypot surveys often neglect securing the honeypot infrastructure itself, and IoT security research rarely explores the synergistic potential of combining encryption and intrusion detection with honeypot technology in a systematic way. This survey bridges that gap by providing the first structured analysis of this particular intersection. It consolidates fragmented research, identifies common architectures, and highlights the unique challenges and benefits of the integrated approach. This creates a foundational text for researchers, preventing redundancy and guiding future efforts toward the most promising directions.

        3. Alignment with Critical Infrastructure Protection Needs

          The focus on IoT is essential because it is deeply integrated into critical infrastructure like power grids, water treatment, transportation, and healthcare. The current threat landscape shows a clear shift from data theft to disrupting cyber-physical systems, where successful attacks can have catastrophic real-world effects. Compromised IoT devices in these environments give attackers a foothold to move into more sensitive OT networks. An AES-256-secured, honeypot-based IDS is a strong defence tool for these systems. It functions as an early warning system to detect reconnaissance and initial intrusions before they escalate. The collected intelligence helps to understand attacker tactics specific to industrial settings, enabling robust countermeasures. By analysing solutions for this high-stakes environment, this survey provides valuable insights to security professionals protecting societal infrastructure.

      3. Delimitations and Exclusions

        To ensure a focused and in-depth analysis, this survey explicitly excludes certain related areas. These boundaries are a necessary methodological choice to maintain coherence on the core topic.

        1. Exclusion of Non-IoT-Centric Honeypot Systems

          Honeypot systems designed for traditional IT environments, such as enterprise networks, web servers, and general-purpose operating systems, are excluded unless their methodologies are explicitly adapted and evaluated for IoT contexts. While foundational principles are universal, IoT-specific challenges such as resource constraints, diverse protocols (like MQTT and CoAP), and the physical nature of devices require unique designs. Research on honeypots for Windows servers or Linux workstations is considered a related field and is excluded unless it provides directly transferable insights for IoT security.

        2. Exclusion of IDS without Explicit Honeypot Integration

          Standalone Intrusion Detection Systems, even those designed for IoT, are excluded unless they incorporate a honeypot as a core component of their detection or intelligence-gathering strategy. The mature field of signature-based and anomaly-based IDS that does not utilise deception falls outside this scope. The primary interest is in how active deception enhances IDS capabilities, such as generating new signatures, validating anomaly alerts, or providing a controlled analysis environment, enabling a nuanced analysis of this combined approach.

        3. Focus on AES-256, Excluding Other Encryption Standards

          The survey primarily concentrates on the AES-256 encryption standard. Other algorithms, such as ChaCha20, RSA, or different AES key lengths (for instance, AES-128), are not included in the main analysis. AES-256 is the focus because it is a widely adopted high-security standard often required for safeguarding sensitive data. This emphasis enables a controlled comparison and a straightforward evaluation of how AES-256’s features, its computational load and security assurances, influence the design and performance of the examined honeypot-IDS systems.

  2. MOTIVATION AND TIMELINESS

    This survey is prompted by the rapid development of the cyber threat landscape, especially targeting the vulnerable Internet of Things (IoT) ecosystem. The combination of advanced IoT attacks, reliance on strong encryption such as AES-256, and the advancement of honeypot technologies creates an urgent need for structured analysis. The relevance is emphasised by recent high-profile incidents, which highlight IoT vulnerabilities and the urgent need for sophisticated, deceptive defences.

      1. The Evolving Threat Landscape in IoT

        IoT security is a critical concern as devices become widespread. The 2025 threat landscape will be characterised by unprecedented volume and complexity, posing a threat to financial stability, operations, and public safety. Many IoT devices are designed prioritising cost and functionality over security, making them easy targets. This requires shifting from reactive to proactive defence strategies, with honeypots playing a key role in early detection and gathering intelligence.

        1. Proliferation of Sophisticated Attacks (e.g., Ransomware)

          A major shift in 2025 is the industrialisation of attacks targeting IoT and OT, characterised by a sharp rise in targeted ransomware against critical infrastructure. A Honeywell report recorded a 46% increase in such attacks in Q1 2025 alone. These attacks are now precisely coordinated for maximum disruption, with attackers achieving full network compromise in less than 24 hours. The Ransomware-as-a-Service (RaaS) model fuels this trend, with over 12,000 new variants identified in Q1 2025, reducing the entry barrier. This progression from data theft to disrupting cyber-physical systems raises the stakes, exposing the shortcomings of traditional security. Honeypots are uniquely capable of detecting these multi-stage attacks by serving as convincing targets, enabling defenders to observe tactics and develop defences before critical systems are compromised.

        2. Vulnerabilities in Constrained IoT Devices

          The IoT ecosystem faces a “crisis of insecurity by design,” where economic incentives have prioritised low cost and rapid deployment over robust security. Attackers relentlessly exploit basic security weaknesses, not sophisticated zero-day vulnerabilities. A 2025 analysis found brute-forcing default credentials accounts for 7.36% of attacks, with another 5.27% directly exploiting them for lateral movement, a key risk highlighted by the OWASP IoT Top 10. Furthermore, a substantial portion of IoT traffic remains unencrypted, permitting easy interception. Bitdefender’s 2025 report identified streaming devices, smart TVs, and IP cameras as the most vulnerable, representing over half of all CVE issues in smart homes. These devices, often on outdated Android forks with poor update cycles, become persistent backdoors. This pervasive vulnerability makes IoT networks ideal for honeypots, as any interaction is highly likely to be malicious, improving the accuracy of the threat intelligence.

        3. The Need for Proactive and Deceptive Defence Mechanisms

          Faced with constant scanning and adaptation by adversaries, a purely reactive defence is untenable. The sheer volume, averaging 820,000 attacks daily in 2025, creates a state of “continuous compromise.” This demands a shift to proactive and deceptive strategies, where honeypots are a cornerstone. Unlike tools that wait for a breach, honeypots act as tripwires and traps, actively engaging attackers and diverting them from real assets. They provide a controlled environment to observe and analyse malicious activity without risk. The gathered intelligence is invaluable, offering insights into new attack vectors, malware, and attacker tactics. This data can generate new IDS signatures, improve anomaly detection models, and inform security strategy. As attackers advance, the ability to deceive them becomes a critical advantage. High-interaction honeypots, by engaging attackers for extended periods, provide a detailed view of their methods, crucial for defending against advanced persistent threats.

      2. The Role of Strong Encryption in Modern Cybersecurity

        In an era of sophisticated cyber adversaries, strong encryption is critical as the cornerstone of data confidentiality and integrity. The Advanced Encryption Standard with a 256-bit key (AES-256) is the de facto global standard for high-security applications. However, encryption’s strength also presents a challenge, as attackers can use it to hide malicious activities. This dual nature is a key motivation for the survey, which explores how AES-256 can be both a defensive tool and a subject of analysis within a honeypot-based IDS.

        1. Widespread Adoption of AES-256 in Security Protocols

          AES-256 is a symmetric encryption algorithm approved for protecting top-secret information. Its security lies in resistance to brute-force attacks due to the vast number of possible keys (2^256), making it computationally infeasible to crack. This has led to its widespread adoption in critical security protocols, such as Transport Layer Security (TLS) for web traffic and virtual private networks (VPNs). Within IoT, AES-256 is widely adopted to secure device-to-cloud communication and encrypt stored data. Its inclusion in a honeypot-based IDS is a natural extension of this trend, ensuring collected threat intelligence is protected with the same high-security standard applied to other critical assets.

        2. Challenges of Detecting Threats within Encrypted Traffic

          While vital for defence, encryption creates a significant challenge for security monitoring by rendering traditional deep packet inspection (DPI) ineffective. This creates a “blind spot” that attackers exploit to hide malicious communications, such as data exfiltration or command-and-control (C2) traffic. This has spurred techniques like analysing metadata (packet sizes, timing) and using machine learning to identify anomalous patterns. Honeypots play a unique role here. By acting as a target, they can entice an attacker to reveal intent even over encrypted channels. For example, a honeypot can accept an encrypted connection and monitor subsequent malicious actions. Integrating AES-256 within the honeypot adds realism, creating a more convincing target and enabling analysis of attacks, such as ransomware, that specifically target encrypted systems.

      3. Why Now? The Convergence of Technologies

        The timing of this survey is driven by the convergence of key technological trends, creating an opportune moment for deploying AES-256-secured, honeypot-based IDS. The maturation of honeypot technologies, increased computational power available in IoT ecosystems, and a growing emphasis on actionable threat intelligence have all aligned. This convergence creates fertile ground for innovation, enabling the development of more sophisticated, effective, and scalable security solutions than were previously possible.

        1. Maturation of Honeypot Technologies

          Honeypot technology has evolved significantly from simple, static decoys into sophisticated platforms capable of simulating complex environments, adapting to attacker behaviour, and providing rich intelligence. The development of high-interaction honeypots, which deliver a full operating system for in-depth interaction, has enabled a much deeper understanding of attacker tactics. More recently, the concept of “cyber twins”, perfect digital replicas of real-world systems, provides even more convincing deception. Advances in virtualisation and containerization have also made it easier to deploy and manage honeypots at scale, reducing cost and complexity. This maturation makes honeypots a more viable and effective enterprise security tool, and this survey captures the state of the art in this rapidly evolving field.

        2. Increased Computational Power in IoT Ecosystems

          Although many IoT devices are resource-constrained, a growing trend toward more powerful edge and fog computing nodes is significant. These nodes, which aggregate and process data from numerous sensors, possess sufficient computational power to run sophisticated security tools such as honeypots and IDS. The availability of powerful, low-cost hardware, including Raspberry Pi and other single-board computers, has further simplified deployment. This increased power makes it feasible to implement complex detection algorithms, including machine learning, and to handle the computational overhead of strong encryption such as AES-256. This trend is crucial for deploying resource-intensive high-interaction honeypots. Deploying these powerful tools at the network edge is a game-changer for IoT security, enabling more effective and timely threat detection and response.

        3. Growing Emphasis on Threat Intelligence and Attribution

          Modern cybersecurity requires moving beyond simply blocking attacks to understanding the “who,” “why,” and “how.” This emphasis on threat intelligence and attribution has created a strong demand for tools that provide such insights. Honeypots are uniquely suited for this, capturing detailed information on attacker tools, techniques, and motivations. The gathered intelligence can improve an organisation’s security posture, inform incident response, and support law enforcement. The integration of AES-256 is critical to this process, ensuring the sensitive threat intelligence collected is protected from tampering and exfiltration. This survey explores how honeypots generate high-fidelity threat intelligence and how this intelligence is shared to improve broader community security.

  3. SYSTEMATIC LITERATURE SEARCH AND SELECTION PROTOCOL

    This survey followed a systematic protocol to ensure rigorous and reproducible results. The methodology aimed to identify all relevant research on AES-256-encrypted, honeypot-based IDS for IoT security. It comprised a multi-stage process: a comprehensive search strategy, clear inclusion/exclusion criteria, a structured selection process, and a formal data extraction framework to build an unbiased corpus for analysis.

    The search strategy began by defining keywords from the core concepts (honeypots, IDS, AES-256, IoT) and their synonyms. These were combined using Boolean operators into queries adapted for major academic databases, including IEEE Xplore, ACM Digital Library, ScienceDirect and arXiv, focusing on English publications from 2015 onward. To capture non-traditional research, the strategy also incorporated grey literature such as technical reports, conference proceedings, and dissertations through targeted web and repository searches.

    Clear criteria ensured study relevance. Inclusion required a study to: 1) describe a honeypot-based IDS, 2) explicitly use AES-256, 3) focus on IoT security, 4) be in English, and 5) be peer-reviewed or a high-quality report. Exclusion criteria were: 1) no honeypot system, 2) no AES-256, 3) not IoT-focused, 4) duplicate, 5) low methodological quality, or 6) very short papers/abstracts.

    Study selection was a two-stage process. First, titles and abstracts were screened to filter irrelevant works. Second, the full texts of the remaining studies were reviewed against the criteria for final selection.

    A structured data extraction framework was then applied. It systematically captured key data from each study: metadata, objectives, methodology, honeypot-IDS architecture (comprising interaction level), the specific role of AES-256, and primary findings. This enabled consistent comparative analysis.

  4. TAXONOMY AND CLASSIFICATION FRAMEWORK

    To systematically analyse the diverse landscape of honeypot-based IDS, a robust taxonomy is essential. This framework classifies solutions along three primary dimensions: the level of honeypot interaction, the specific role of AES-256 encryption, and the overall architectural design. This structured approach enables a nuanced understanding of trade-offs, capabilities, and suitability for securing IoT infrastructures, identifying common patterns and research gaps. The taxonomy forms the foundational structure for the comparative analysis in this survey.

      1. Classification by Honeypot Interaction Level

        The interaction level is a fundamental characteristic that dictates a system’s complexity, risk, and the depth of intelligence gathered. It determines how much functionality is exposed to an attacker and, consequently, how much of their behaviour can be observed. Systems are categorised into three types, low-interaction, high-interaction, and hybrid, each presenting a unique balance between ease of deployment, risk of compromise, and richness of collected data. This classification directly impacts the ability to detect sophisticated attacks and suitability for resource-constrained IoT environments.

        1. Low-Interaction Honeypots (e.g., Cowrie, Dionaea)

          Low-interaction honeypots simulate a limited set of services frequently targeted by automated attacks. They are characterised by simplicity, low resource consumption, and minimal risk, as they do not provide a full operating system. Examples include Cowrie, which emulates a Unix shell to capture brute-force attempts, and Dionaea, which traps malware by emulating vulnerable services. Their primary advantage is ease of deployment and maintenance, making them suitable for widespread use. However, their key limitation is shallow interaction; sophisticated attackers can quickly identify them as decoys due to limited, often unrealistic responses. This curtails their ability to gather in-depth intelligence on advanced threats. In IoT contexts, they are effective for detecting mass-scanning and exploitation attempts targeting common protocols and default credentials, although they may fail to capture nuanced, targeted attacks.

        2. High-Interaction Honeypots (e.g., Physical Systems, Cyber Twins)

          High-interaction honeypots offer a fully functional operating system and rich services that mimic a real production environment. Their goal is to be as realistic as possible, enticing attackers to engage deeply and reveal their full arsenal of tools, techniques, and procedures (TTPs). They allow intruders to gain access, enabling meticulous monitoring of subsequent activities. An evolution of this concept is the “cyber twin” or “network twin,” a virtual replica of a specific critical infrastructure (e.g., a water treatment plant’s control systems) deployed to attract and analyse complex attacks such as ransomware. The intelligence gathered is of the highest quality, offering insights into zero-day exploits and lateral movement. However, these systems are complex, resource-intensive, and carry high risk, requiring constant monitoring to prevent a compromised honeypot from being used to attack other networks.

        3. Hybrid and Virtual Honeypots

          Hybrid honeypots combine the advantages of both low- and high-interaction systems. They often use a low-interaction front-end to establish early contact with and profile attackers, then dynamically redirect suspicious traffic to an isolated, high-interaction back-end for deeper analysis. This tiered approach allows for efficient resource utilisation.

          Virtualisation technologies are crucial here; hosting honeypots on virtual machines (VMs) or containers (e.g., Docker) enables easy creation, deployment, and resetting of compromised systems. This facilitates the creation of scalable “honeynets” that simulate complex environments. For IoT security, a hybrid approach is particularly effective: low-interaction honeypots can simulate numerous simple devices (sensors, lights), while a high-interaction honeypot can represent a critical device (a smart gateway or industrial controller), providing a layered defence and comprehensive threat landscape mapping.
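          The tiered redirect decision described above, as an added illustration that is not part of the surveyed systems or of this paper: a low-interaction front end scores each source by what it does (credential guessing alone stays cheap, a successful login followed by download commands is worth deeper observation) and hands the source to the isolated high-interaction back end once a threshold is crossed. The event structure, the weights, the threshold of 8 and the sample trace are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is one interaction recorded by the low-interaction front end.
// Constructed for this example; field names are not from any real honeypot.
type Event struct {
	Src   string // source address of the connection
	Kind  string // "login_fail", "login_ok", "cmd" or "probe"
	Value string // username, command line, or probed path
}

// Triage keeps a running suspicion score per source and remembers which
// sources have already been redirected to the high-interaction back end.
type Triage struct {
	threshold  int
	score      map[string]int
	redirected map[string]bool
}

func NewTriage(threshold int) *Triage {
	return &Triage{threshold: threshold, score: map[string]int{}, redirected: map[string]bool{}}
}

// weight rates how much an event suggests activity worth deeper observation
// rather than background mass scanning. Weights are assumed values.
func weight(e Event) int {
	switch e.Kind {
	case "login_fail", "probe":
		return 1 // cheap, noisy, and mostly automated
	case "login_ok":
		return 3 // a session exists now; interactive follow-up is likely
	case "cmd":
		v := strings.ToLower(e.Value)
		// fetching a payload after login is the behaviour the back end should see in full
		if strings.Contains(v, "wget") || strings.Contains(v, "curl") || strings.Contains(v, "busybox") {
			return 5
		}
		return 2
	}
	return 0
}

// Observe scores one event and returns true at the moment the source
// crosses the threshold, i.e. when the redirect should be issued.
func (t *Triage) Observe(e Event) bool {
	if t.redirected[e.Src] {
		return false // already handed over; the back end owns this source now
	}
	t.score[e.Src] += weight(e)
	if t.score[e.Src] >= t.threshold {
		t.redirected[e.Src] = true
		return true
	}
	return false
}

func (t *Triage) Score(src string) int       { return t.score[src] }
func (t *Triage) Redirected(src string) bool { return t.redirected[src] }

// SampleEvents is a constructed trace: one source that only guesses
// passwords, and one that logs in and starts fetching something.
var SampleEvents = []Event{
	{"203.0.113.10", "login_fail", "root"},
	{"203.0.113.10", "login_fail", "admin"},
	{"203.0.113.10", "login_fail", "pi"},
	{"198.51.100.7", "login_fail", "root"},
	{"198.51.100.7", "login_ok", "admin"},
	{"198.51.100.7", "cmd", "uname -a"},
	{"198.51.100.7", "cmd", "wget http://placeholder.invalid/x"},
}

// RunSample replays the trace and reports redirects; it returns the triage
// state so the outcome can be inspected.
func RunSample() *Triage {
	t := NewTriage(8)
	for _, e := range SampleEvents {
		if t.Observe(e) {
			fmt.Printf("redirect %s to high-interaction back end (score %d)\n", e.Src, t.Score(e.Src))
		}
	}
	return t
}

func main() { RunSample() }
```

With these weights the password-guessing source ends at score 3 and stays on the cheap front end, while the second source reaches 11 on its download command and is redirected; in a deployment the redirect would be a connection hand-off (e.g. a proxy or NAT rule), which is outside the scope of this sketch.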

      2. Classification by AES-256 Integration Role

        The integration of AES-256 is a critical dimension that defines a system’s security posture and its ability to handle encrypted threats. Its role varies significantly; it is not merely used to encrypt collected data but can be an integral part of the deception or detection mechanism itself. This classification moves beyond a binary assessment to provide a nuanced understanding of its functional contribution to the system’s overall security objectives.

        1. AES-256 for Securing Honeypot-to-Node Communication

          A primary role of AES-256 is to ensure the confidentiality and integrity of data transmitted between system components. In distributed IoT honeypot deployments, data from individual nodes must be securely transmitted to a central server or to a “honey farm” for analysis. This communication channel is a target for attackers seeking to eavesdrop on intelligence or inject false data. Implementing AES-256 encryption for this channel protects sensitive information such as attacker IPs, TTPs, and malware samples, ensuring the honeypot’s value isn’t compromised by interception. In advanced architectures, AES-256 can also secure the command-and-control channel used to manage the honeypots themselves, preventing takeover of the infrastructure. This application is a fundamental security measure, ensuring the honeypot’s own communications do not become a vulnerability.

        2. AES-256 for Protecting Stored Attack Data

          Beyond securing data in transit, AES-256 is crucial for protecting data at rest. The logs, network captures, and artefacts collected are valuable threat intelligence that must be safeguarded from unauthorised access, deletion, or tampering. Encrypting stored data with AES-256 ensures that even if the storage medium is compromised, the information remains unreadable. This is especially vital for high-interaction honeypots acquiring sensitive data, such as zero-day exploits or critical infrastructure vulnerabilities. For instance, a 2019 paper proposes a web-based honeypot system in which an “advanced AES algorithm” secures the system’s records. This approach preserves evidence for forensic analysis and adds a defence layer, making it harder for an attacker to understand what has been observed and develop countermeasures.
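          The two roles just described, protecting records on the honeypot-to-node channel and protecting the same records at rest, share one requirement the text names but does not show: the encryption must detect tampering, not only hide content. The following is an added example, not code from this survey or from any system it cites. It seals a honeypot record with AES-256-GCM from Go's standard library, binds the originating node's identifier as associated data so a record cannot be re-filed under another sensor, and demonstrates that a flipped bit or a forged node ID is rejected. The fixed key, node names and log record are constructed for the example; a deployment would obtain the key from a key-management service or hardware element.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SealRecord encrypts one record with AES-256-GCM. The node ID is bound as
// associated data, and the random 12-byte nonce is prepended to the output.
// The same blob format serves both transmission and storage.
func SealRecord(key []byte, nodeID string, record []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err // never fall back to a fixed nonce; GCM nonce reuse is fatal
	}
	// Seal appends ciphertext||tag after the nonce already in the buffer.
	return gcm.Seal(nonce, nonce, record, []byte(nodeID)), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag
// or the claimed node ID makes the authentication check fail.
func OpenRecord(key []byte, nodeID string, blob []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(nodeID))
}

// TestKey is a constructed, fixed 32-byte key for the example only.
var TestKey = []byte("0123456789abcdef0123456789abcdef")

// Demo seals a constructed log record and returns three checks:
// round trip succeeded, a flipped tag bit was rejected, a forged node ID was rejected.
func Demo() (roundTrip, tamperRejected, wrongNodeRejected bool, err error) {
	record := []byte(`{"ts":"2025-01-01T00:00:00Z","src":"203.0.113.10","event":"login_fail"}`)
	blob, err := SealRecord(TestKey, "node-07", record)
	if err != nil {
		return false, false, false, err
	}
	got, err := OpenRecord(TestKey, "node-07", blob)
	roundTrip = err == nil && string(got) == string(record)

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = OpenRecord(TestKey, "node-07", tampered)
	tamperRejected = err != nil

	_, err = OpenRecord(TestKey, "node-08", blob) // same blob, claimed from another sensor
	wrongNodeRejected = err != nil
	return roundTrip, tamperRejected, wrongNodeRejected, nil
}

func main() {
	a, b, c, err := Demo()
	fmt.Println("round trip:", a, "tamper rejected:", b, "wrong node rejected:", c, "err:", err)
}
```

GCM rather than a bare block mode is the point: the 2019 system the text cites secures records with AES, but without an authentication tag an attacker who can write to the store could alter ciphertext undetected, which defeats the forensic purpose the section describes.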

        3. AES-256 as a Target for Attack Analysis (e.g., Ransomware Payloads)

          A more sophisticated role for AES-256 is as a component of the deception or detection mechanism itself. Here, the honeypot is designed to attract and analyse attacks that specifically utilise AES-256 encryption, such as ransomware. Attackers often use strong encryption, like AES-256, to encrypt victim files. A honeypot can contain “bait” files that, when encrypted, trigger an alert. By analysing the ransomware’s behaviour, including its specific AES-256 implementation, key generation process, and command-and-control communication, researchers gain insights to develop better detection signatures and decryption tools. A 2020 paper notes ransomware such as CryptoLocker uses a secure cipher such as AES-256, requiring honeypots to monitor the associated file system activities. This approach transforms the honeypot from a passive observer into an active participant, using the attacker’s tools against them.
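          The bait-file alert just described, as an added example that is not from this survey or the 2020 paper it cites: bait files are never legitimately written, so any change is an alert, and because AES-256 output is statistically indistinguishable from random bytes, a changed file whose byte entropy jumps towards 8 bits/byte is flagged as likely encrypted rather than merely modified. The file paths, contents, baseline hashes and the 7.5 bits/byte threshold are constructed assumptions; the high-entropy stand-in for ransomware output is produced by chaining SHA-256 over a counter, so the example runs offline with no encryption involved.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math"
	"sort"
	"strings"
)

// ShannonEntropy returns the byte-level entropy in bits per byte (0..8).
// Text and structured files sit well below 6; ciphertext approaches 8.
func ShannonEntropy(b []byte) float64 {
	if len(b) == 0 {
		return 0
	}
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	n := float64(len(b))
	h := 0.0
	for _, c := range counts {
		if c == 0 {
			continue
		}
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Alert reports one bait file that changed or disappeared.
type Alert struct {
	Path            string
	Entropy         float64 // 0 when the file is missing
	LikelyEncrypted bool
}

// CheckBait compares each bait file's current content with the SHA-256
// recorded at deployment. Any change is reported; a change whose entropy
// reaches threshold is additionally flagged as likely encrypted.
func CheckBait(baseline map[string][32]byte, current map[string][]byte, threshold float64) []Alert {
	var alerts []Alert
	for path, want := range baseline {
		data, ok := current[path]
		if !ok {
			alerts = append(alerts, Alert{Path: path}) // deleted: still an alert
			continue
		}
		if sha256.Sum256(data) == want {
			continue // unchanged
		}
		h := ShannonEntropy(data)
		alerts = append(alerts, Alert{Path: path, Entropy: h, LikelyEncrypted: h >= threshold})
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Path < alerts[j].Path })
	return alerts
}

// pseudoCiphertext yields n high-entropy bytes by chaining SHA-256 over a
// counter: a constructed stand-in for what encrypted output looks like
// statistically. It is not an encryption routine.
func pseudoCiphertext(n int) []byte {
	out := make([]byte, 0, n+32)
	var ctr [8]byte
	for i := 0; len(out) < n; i++ {
		binary.LittleEndian.PutUint64(ctr[:], uint64(i))
		sum := sha256.Sum256(ctr[:])
		out = append(out, sum[:]...)
	}
	return out[:n]
}

// RunSample builds a constructed baseline of three bait files, simulates one
// being encrypted in place and one being deleted, and returns the alerts.
func RunSample() []Alert {
	invoice := []byte(strings.Repeat("Invoice 2024-11 total 1,240.00 EUR\n", 120))
	notes := []byte(strings.Repeat("meeting notes: review PLC firmware rollout\n", 100))
	creds := []byte(strings.Repeat("placeholder bait credential line\n", 60))

	baseline := map[string][32]byte{
		"/srv/share/invoice.txt": sha256.Sum256(invoice),
		"/srv/share/notes.txt":   sha256.Sum256(notes),
		"/srv/share/creds.txt":   sha256.Sum256(creds),
	}
	current := map[string][]byte{
		"/srv/share/invoice.txt": pseudoCiphertext(len(invoice)), // overwritten with ciphertext-like bytes
		"/srv/share/notes.txt":   notes,                          // untouched
		// creds.txt absent: deleted
	}
	alerts := CheckBait(baseline, current, 7.5)
	for _, a := range alerts {
		fmt.Printf("ALERT %s entropy=%.2f likely_encrypted=%v\n", a.Path, a.Entropy, a.LikelyEncrypted)
	}
	return alerts
}

func main() { RunSample() }
```

Entropy alone is a weak signal (compressed archives also score near 8), which is why the check is anchored on files that must never change at all; the entropy only tells the responder which kind of change occurred. Monitoring the file system events themselves, as the 2020 paper describes, would complement this periodic comparison.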

      3. Classification by Architectural Approach

        The architectural design of a honeypot-based IDS is a critical determinant of its scalability, adaptability, and effectiveness. This dimension of the taxonomy examines high-level structural patterns, focusing on how components are distributed, the integration of advanced technologies like AI, and the deployment environment (edge, fog, or cloud). As IoT infrastructures become increasingly complex, the architectural approach of security solutions must evolve to provide resilient, efficient, and comprehensive coverage across a dynamic attack surface.

        1. Centralised vs. Decentralised Architectures

          Honeypot-based IDS can be broadly classified into centralised and decentralised architectures. In a centralised model, multiple honeypot nodes collect data and send it to a single central server or to a “honey farm” for analysis and storage. This simplifies management and enables data aggregation from multiple sources to identify widespread attack campaigns. However, it also creates a single point of failure and potential bottlenecks with high data volumes. Conversely, a decentralised or distributed architecture disperses processing and analysis capabilities across the network. Each node might perform initial analysis locally, reducing the data sent centrally. This approach is more scalable and resilient, as the system can operate even if some nodes are compromised. This model is particularly suited for large-scale IoT deployments where centralised management is infeasible. For example, a 2025 paper proposes an “Adaptive Distributed Honeypot Detection Network (ADHDN)” leveraging this architecture for high-precision detection across various Denial of Service (DoS) attacks.

        2. Integration with AI/ML for Enhanced Detection

          The integration of Artificial Intelligence (AI) and Machine Learning (ML) represents a significant evolution for honeypot-based IDS, moving beyond ineffective signature-based detection towards anomaly-based detection. These systems use AI/ML models to learn normal network behaviour and identify malicious deviations. The rich, real-world attack data collected by honeypots serves as an ideal training set for these models. For instance, a 2025 study presents an enhanced LSTM-based IDS for IoT that uses honeypot data to detect DDoS attacks with high accuracy. Similarly, a 2024 paper proposes a model for detecting IoT botnet attacks that combines honeypot technology with a separable convolutional neural network to achieve high accuracy while reducing computational complexity. This integration enhances detection rates, reduces false positives, and enables systems to adapt to evolving threats, shifting from passive data collection to active, intelligent analysis.

        3. Deployment in Edge, Fog, or Cloud Computing

          The choice of deployment environment (edge, fog, or cloud) is a crucial architectural consideration for IoT. Edge computing involves deploying honeypots on or near IoT devices, minimising latency for immediate threat response (e.g., in industrial control systems), but is constrained by limited device resources. Fog computing provides a middle ground, deploying honeypots on more powerful intermediate devices such as gateways, allowing for more complex analysis than the edge, while reducing latency compared to the cloud. Cloud-based deployment runs honeypots and analysis engines on cloud servers, offering virtually unlimited scalability and computational power for large-scale analysis and training complex AI/ML models. A hybrid strategy is often optimal. For example, a 2024 paper discusses a “HoneyPi” system deployed in a network’s DMZ that uses AI scripts to analyse data and communicate via web services, representing a hybrid approach leveraging both on-premise and cloud functionalities. This layered deployment allows for lightweight detection at the edge and more powerful in-depth investigation in the fog or cloud.

  5. CHRONOLOGICAL AND THEMATIC EVOLUTION

    The evolution of honeypot-based IDS has been dynamic, driven by evolving cyber threats and technological advances. This section provides a chronological and thematic map, tracing development from early systems to today’s sophisticated, AI-driven platforms. Understanding this history clarifies the current state of the art and identifies key drivers for forward-looking trends.

      1. Early Honeypot Systems and the Honeynet Project

        The concept of honeypots emerged in the late 1990s to study attacker behaviour in a controlled setting. Early systems were simple, low-interaction tools designed to capture basic attacks. The field was significantly advanced by the formation of the Honeynet Project in 1999, a non-profit research organisation that developed open-source tools and established honeypots as a legitimate, valuable cybersecurity research methodology.

        1. Focus on Passive Intelligence Gathering

          The primary focus of early honeypots was passive intelligence gathering. Designed as attractive targets, they observed and recorded attacker activities without active engagement or revealing their deceptive nature. This approach effectively captured a wide range of attacks but offered limited insight into the attacker’s motivations and objectives. The collected data was primarily used to create new signatures for traditional IDS and improve the broader understanding of the threat landscape.

        2. Case Study: The Zotob Worm Analysis

          A classic demonstration of early honeypot value was the analysis of the Zotob worm in 2005. This fast-spreading worm exploited a Microsoft Plug and Play vulnerability. A Honeynet Project honeypot was among the first systems infected, providing crucial early data on the worm’s behaviour and propagation. This intelligence was instrumental in developing detection signatures and tracking the worm’s spread across the internet, showcasing honeypots’ power as an early warning system and a tool for understanding emerging threats.

      2. The Rise of IoT-Specific Honeypots

        The proliferation of the Internet of Things (IoT) in the 2010s revealed that traditional honeypots were ill-suited for this new environment. The unique characteristics of IoT devices, including severe resource constraints and diverse communication protocols, necessitated the development of specialised honeypots, leading to a new wave of research focused on adaptation.

        1. Adapting Honeypots for Constrained Environments

          A primary challenge was adapting honeypots for resource-constrained IoT devices, which often have limited processing power, memory, and battery life. This constraint made running traditional honeypots difficult. In response, researchers developed lightweight honeypots designed for minimal performance impact. These solutions frequently employed low-interaction techniques to reduce their resource footprint while remaining effective at detecting attacks targeting the IoT ecosystem.

        2. Emergence of Low-Interaction IoT Honeypots

          This need for lightweight solutions led to the emergence of a dedicated class of low-interaction IoT honeypots. These honeypots were engineered to simulate the behaviour of common IoT devices, such as smart home assistants, security cameras, and industrial sensors. They were often deployed on inexpensive, accessible single-board computers such as the Raspberry Pi for easy setup. Notable examples include ThingPot and IoTPOT, which were specifically designed to attract and analyse attacks targeting IoT devices. These specialised honeypots played a crucial role in raising awareness of IoT security risks and provided valuable threat intelligence to the broader security community.

      3. Modern Trends: AI, Encryption, and High-Interaction

        Recent developments in honeypot-based IDS are driven by increasingly sophisticated cyber threats, leading to several key trends: the integration of artificial intelligence, a shift towards high-interaction deception, and the incorporation of strong encryption.

        1. Integration of AI/ML for Automated Analysis

          A dominant trend is the integration of Artificial Intelligence (AI) and Machine Learning (ML) to manage and analyse the vast data collected by honeypots, which overwhelms manual human analysis. AI and ML automate this process, identifying subtle patterns and anomalies to enhance detection accuracy, reduce false positives, and enable systems to adapt to novel threats. The application of deep learning models, such as Long Short-Term Memory (LSTM) and Convolutional Neural Networks (CNN), has proven particularly effective for analysing the sequential and behavioural data generated by honeypot interactions.

        2. The Shift Towards High-Interaction and Cyber Twins

          While low-interaction honeypots retain value, a clear shift towards high-interaction honeypots is underway. These systems provide a richer source of threat intelligence by allowing observation of complex, multi-stage attacks and nuanced human adversary behaviour. This trend is advanced by the development of “cyber twins”, perfect digital replicas of real-world systems. These highly realistic honeypots are exceptionally effective at attracting and analysing targeted, sophisticated attacks, especially those aimed at critical infrastructure.

        3. Incorporating Strong Encryption for Data Security

          As the value of collected threat intelligence grows, so does the need to protect it. The incorporation of strong encryption, specifically AES-256, has become a critical component. It safeguards communication channels between honeypots and central analysis nodes and secures stored attack data at rest, ensuring the confidentiality and integrity of intelligence against interception or tampering. Furthermore, using AES-256 adds a layer of operational realism, making the honeypot a more convincing and credible target for attackers.

  6. In-Depth Comparative Analysis of Existing Solutions

    This section provides a comparative analysis of honeypot-based IDS for IoT networks, specifically focusing on the integration of AES-256 encryption. It evaluates systems based on architectural design, interaction level, the role of encryption, and performance in detecting sophisticated threats. By examining solutions from low-interaction to advanced AI-driven systems, this analysis delineates the state of the art, identifies best practices, and highlights deployment trade-offs. The framework uses quantitative metrics and qualitative characteristics from recent literature, providing a robust foundation for understanding the capabilities and limitations of different approaches. This is crucial for researchers and practitioners designing or selecting effective honeypot-based IDS for modern cybersecurity, particularly in critical IoT deployments.

        1. Comparative Analysis Framework

          A multi-dimensional framework is essential for a rigorous and systematic comparison. This framework captures diverse system characteristics, from fundamental architecture to real-world performance. The primary dimensions are the system’s architectural approach, the level of honeypot interaction, the specific role and implementation of AES-256, and the performance metrics used for evaluation. This structured approach ensures each system is assessed against consistent criteria, enabling meaningful comparisons and the identification of key trends and innovations. The framework is flexible enough to accommodate the variety of systems in the literature while providing a clear, organised structure for analysis.

          1. Dimensions of Comparison (Architecture, Interaction, Encryption Role)

            The analysis is structured around three core dimensions. First, the architectural design examines whether the system uses a centralised, decentralised, or hybrid model and how its components (data collection, analysis, storage) are organised. For example, some systems use a central node to manage multiple high-interaction honeypots, facilitating modular design and centralised control. Second, the interaction level categorises systems as low-interaction (e.g., Cowrie), which emulate services with lower resource use; high-interaction (e.g., physical systems or network twins), which provide a real OS for deep attacker engagement; or hybrid, combining both. Third, the encryption role investigates how AES-256 is integrated. This includes securing communication channels between honeypots and a central node, protecting stored attack data for integrity and confidentiality, or serving as a target for attack analysis (e.g., studying ransomware that uses AES-256 for file encryption). Systematically evaluating each system across these dimensions provides a comprehensive understanding of its design philosophy, capabilities, and security posture.

          2. Performance Metrics for Evaluation

            Evaluating these solutions relies on standardised performance metrics to quantify effectiveness and efficiency, which is crucial for comparing systems and assessing suitability for resource-constrained IoT networks. The primary detection metrics are:
            • Detection Accuracy: The overall correctness in identifying normal and malicious traffic.
            • Precision (Positive Predictive Value): The proportion of correctly identified attacks among all incidents flagged as attacks.
            • Recall (True Positive Rate): The proportion of actual attacks that were correctly identified by the system.
            • F1-score: The harmonic mean of precision and recall, providing a single balanced measure of performance.

              In addition to these detection metrics, the analysis critically considers computational overhead. This includes measuring the impact of AES-256 encryption on processing time, CPU usage, and memory consumption. These resource metrics are particularly vital for IoT deployments where devices have limited computational power. Analysing this combination of detection and resource metrics forms a comprehensive picture of each system’s capabilities and limitations, enabling a more informed comparison and selection process.

        2. Analysis of Low-Interaction Systems

          Low-interaction honeypots are a foundational and widely deployed category of deception technology. Their primary strengths are simplicity, low resource consumption, and minimal risk, making them particularly suitable for large-scale deployment in resource-scarce IoT environments. This section analyses their capabilities, strengths, and weaknesses.

          1. System Examples and Their Capabilities

            Two prominent examples are Cowrie and Dionaea. Cowrie is a medium to high-interaction SSH and Telnet honeypot that emulates a Unix shell. It is designed to log brute-force attacks and subsequent shell interactions, capturing data like the attacker’s IP address, credentials used, and commands executed. This information is invaluable for understanding automated botnet tactics and identifying compromised credentials. Dionaea is a low-interaction honeypot designed to trap malware by emulating vulnerable services such as SMB, HTTP, and FTP. It captures uploaded malware and provides intelligence on the attacker’s IP and the exploit used, aiding in malware analysis and attribution.

          2. Strengths and Weaknesses in IoT Contexts

            In IoT contexts, the primary strength of low-interaction honeypots is their low resource footprint, allowing deployment on a wide range of constrained devices without significant performance impact, rendering them effective for broad sensor coverage across a network. A related strength is low risk; lacking a full operating system, they are less likely to be compromised and used as a launchpad for further attacks. However, significant weaknesses exist. Their limited interaction makes them ineffective at detecting sophisticated, multi-stage attacks or capturing nuances of human adversary behaviour. Sophisticated attackers can often identify them as decoys and avoid them, limiting their ability to provide deep, actionable threat intelligence.

        3. Analysis of High-Interaction and Hybrid Systems

          High-interaction and hybrid honeypots represent a significant advancement, offering a realistic and engaging environment for attackers. By providing a genuine operating system and network services, they capture sophisticated techniques, lateral movement, and advanced persistent threat behaviours that low-interaction systems miss. This analysis focuses on their architectural design, deployment strategies, and methods for balancing realism with the security risks of giving attackers a functional system, highlighting key innovations for effective threat intelligence gathering.

          1. System Examples (e.g., Cyber-Twin Honeypots)

            A prominent example is the “Network Twin” designed to mimic a water treatment plant. This is a functional replica of an operational technology environment, not just a simulation. Its architecture has two main components: a WTP twin and a Human-Machine Interface (HMI). The HMI, made accessible via a weakly secured Remote Desktop Protocol (RDP), serves as the intentional entry point. Once inside, attackers see a realistic control system interface. Crucially, the HMI is network-isolated from the WTP twin, ensuring that even if compromised, attackers cannot access or manipulate the physical twin’s processes. This design provides a convincing environment while maintaining strict security boundaries, successfully capturing sophisticated attacks like ransomware and yielding invaluable insights into attacker tactics against critical infrastructure.

            Another example from a 2023 study utilises a central node model to manage a network of physical high-interaction honeypots. This modular system includes components for information capture, connection control, honeypot deployment, data analysis, and storage. Key features include:

            • Information Capture: Uses loadable kernel modules (LKMs) running within the honeypot’s OS for stealth and low detectability.
            • Connection Control: A central kernel-style structure with a communication control module (restricts external connections, filters packets) and an environment control module (provides a realistic, reliable OS for high interactivity).
            • Data Analysis: A dedicated module on the central node formats, classifies, and assesses the risk of captured attack data.

              This architecture represents a comprehensive approach emphasising security, centralised control, and sophisticated data analysis.

          2. Comparative Performance in Detecting Advanced Threats

            These systems excel at detecting advanced threats that low-interaction systems would miss. Their realistic environment allows them to capture the full lifecycle of a sophisticated attack, from reconnaissance to data exfiltration. Key detection advantages include:

            • Zero-day exploits: Their ability to expose unknown vulnerabilities makes them invaluable against attacks with no existing signature.
            • Custom malware and lateral movement: They provide a genuine environment for observing customised attack tools and techniques for moving through a network.
            • Efficiency of Hybrid Models: Hybrid honeypots optimise resources by using a low-interaction front-end to filter noise and a high-interaction back-end for deep analysis of the most promising threats, improving overall system effectiveness and resource efficiency.
        4. The Role and Impact of AES-256

          The integration of AES-256 encryption is crucial for enhancing the security and effectiveness of honeypot-based IDS. As a robust symmetric encryption standard, it serves multiple roles: securing communication channels, protecting stored data, and acting as a target for attack analysis. This section explores these roles, the associated performance overhead (a critical consideration for resource-constrained IoT) and its overall impact on system security and functionality.

          1. Performance Overhead of AES-256 Implementation

            Implementing AES-256 introduces a performance overhead in processing time, CPU utilisation, and memory consumption. This impact is particularly significant for resource-constrained IoT devices. A study on a secure hospital system provides quantitative insight, showing encryption time for a 1 MB file increased from 0.012 seconds for AES-128 to 0.015 seconds for AES-256. While seemingly small, this difference becomes significant with large data volumes or real-time applications. The study also observed increased CPU and memory usage during encryption. These findings highlight the necessary trade-off between security and performance. Mitigation strategies include using hardware acceleration or optimised software. The decision to use AES-256 must consider the specific use case and threat model, weighing whether the enhanced security justifies the performance cost.
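Measuring this overhead on a given platform, as an added Go example that is neither the survey's code nor the hospital-system study's: the program seals a 1 MB buffer with AES-128-GCM and AES-256-GCM and reports the mean cost per MB, the quantity behind per-MB figures like the one quoted above. The trial count, buffer content and the fixed nonce (acceptable only for a throughput test, never for real records) are assumptions, and the absolute numbers depend on whether the CPU has AES instructions.

```go
// Added example, not from the survey: timing AES-128-GCM against AES-256-GCM
// on a 1 MB buffer. Sizes, trial count and buffer content are constructed.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"time"
)

const megabyte = 1 << 20

// sealOnce encrypts plain with AES-GCM; the key length selects AES-128
// (16 bytes) or AES-256 (32 bytes). The caller supplies the nonce; a fixed
// one is tolerable here only because nothing produced is ever transmitted.
func sealOnce(key, nonce, plain []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plain, nil), nil
}

// Result holds the measured cost of one key size.
type Result struct {
	KeyBits       int
	PerMB         time.Duration // mean wall-clock time to seal one megabyte
	CiphertextLen int           // plaintext length plus the 16-byte GCM tag
}

// Benchmark seals a buffer of `size` bytes `trials` times per key size and
// returns the mean per-MB cost for AES-128 (index 0) and AES-256 (index 1).
func Benchmark(size, trials int) ([2]Result, error) {
	plain := make([]byte, size)
	for i := range plain {
		plain[i] = byte(i * 31) // constructed, non-constant content
	}
	nonce := make([]byte, 12)
	var out [2]Result
	for idx, keyLen := range []int{16, 32} {
		key := make([]byte, keyLen)
		for i := range key {
			key[i] = byte(i + keyLen) // constructed test key
		}
		var total time.Duration
		var ctLen int
		for t := 0; t < trials; t++ {
			start := time.Now()
			ct, err := sealOnce(key, nonce, plain)
			if err != nil {
				return out, err
			}
			total += time.Since(start)
			ctLen = len(ct)
		}
		mean := total / time.Duration(trials)
		perMB := time.Duration(float64(mean) * float64(megabyte) / float64(size))
		out[idx] = Result{KeyBits: keyLen * 8, PerMB: perMB, CiphertextLen: ctLen}
	}
	return out, nil
}

func main() {
	res, err := Benchmark(megabyte, 20)
	if err != nil {
		panic(err)
	}
	for _, r := range res {
		fmt.Printf("AES-%d-GCM: %v per MB (ciphertext %d bytes)\n", r.KeyBits, r.PerMB, r.CiphertextLen)
	}
	fmt.Printf("AES-256 adds %v per MB over AES-128 on this machine\n", res[1].PerMB-res[0].PerMB)
}
```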

          2. Security Benefits of Encrypting Honeypot Data

            Using AES-256 to protect honeypot data offers major security benefits by ensuring the confidentiality and integrity of captured attack intelligence. Honeypots collect sensitive data like attack payloads, exploit code, and attacker TTPs. If intercepted or tampered with, this could compromise the operation and aid the attacker. Encrypting data both in transit and at rest with AES-256 provides strong protection. For example, in a central node architecture, AES-256 secures communication channels between honeypots and the central node, preventing a compromised honeypot from eavesdropping or injecting malicious data. Similarly, encrypting stored data on the central node protects it from unauthorised access even if storage is breached. This ensures the authenticity and reliability of the threat intelligence, enhancing its value.

          3. Comparative Analysis of Systems With and Without AES-256


            A comparative analysis reveals a clear trade-off between security and performance. Systems without AES-256 are generally faster while maintaining a lower resource footprint, easing deployment on constrained devices. However, they are more vulnerable; an attacker who compromises the honeypot can easily access and tamper with collected data. In contrast, systems with AES-256 offer a much higher security level, protecting data confidentiality and integrity and making it difficult for an attacker to gain an advantage or cover their tracks. This comes at the cost of increased performance overhead. The decision to implement AES-256 should be based on a careful assessment of the specific threat model and available resources. In high-risk environments such as critical infrastructure, enhanced security is likely worth the cost, whereas in lower-risk scenarios, an unencrypted system may suffice.

  7. Quantitative Meta-Metrics and Benchmarking

    This section provides a quantitative evaluation of honeypot-based IDS, focusing on standard datasets and the comparative performance of AI models trained on honeypot data. Establishing common benchmarks is crucial for objectively and reproducibly assessing detection capabilities. The analysis covers widely used datasets and examines how their characteristics influence the performance of machine learning and deep learning models, presenting a detailed comparison of models such as LSTM, Bi-LSTM, GRU, and Random Forest in detecting attacks like DDoS. This quantitative meta-analysis offers a data-driven perspective on the state of the art.

      1. Standard Datasets for Evaluation (e.g., SWaT, WADI, NSL-KDD)

        The evaluation of ML-based IDS relies on standardised datasets for comparing model performance. For IoT and Industrial Control Systems (ICS), key datasets include SWaT (Secure Water Treatment) and WADI (Water Distribution), collected from real-world water treatment plants. These are valuable for capturing the complex interactions between physical processes and network traffic in industrial environments. Another widely used dataset is NSL-KDD, an improved version of KDD CUP 99, containing a variety of attacks (DoS, Probe, R2L, U2R) and used to evaluate model generalisation. Other common IoT datasets include BoT-IoT, ToN-IoT, and UNSW-NB15. The choice of dataset significantly impacts IDS model performance; a model trained on NSL-KDD may not perform well on BoT-IoT due to differing network traffic and attack patterns, highlighting the need to select a representative dataset.

      2. Comparative Performance of AI Models on Honeypot Data

        AI and ML models are central to modern honeypot-based IDS, trained on high-fidelity honeypot data to identify complex attack patterns. Performance varies based on model architecture, training dataset, and attack type. This analysis compares deep learning models (LSTM, Bi-LSTM, GRU), suited for sequential network traffic data, and traditional ML models (Random Forest, Isolation Forest) for anomaly detection, evaluating their accuracy, precision, recall, and F1-score across scenarios to identify the most effective approaches.

        1. LSTM, Bi-LSTM, and GRU for DDoS Detection

          LSTM, Bi-LSTM, and GRU are powerful for detecting DDoS attacks in IoT networks due to their ability to capture temporal dependencies in traffic. A comparative study on the BoT-IoT dataset found that LSTM and Bi-LSTM generally outperformed GRU. LSTM achieved 99.8% accuracy and a 99.7% F1-score, Bi-LSTM achieved 99.9% accuracy and a 99.8% F1-score, whereas GRU achieved 99.6% accuracy and a 99.5% F1-score. Another study using the ToN-IoT dataset found that a hybrid CNN-LSTM model performed best, with 99.49% accuracy and F1-score. These results show that LSTM and Bi-LSTM are highly effective for DDoS detection, with performance enhanced by hybrid architectures, making them well-suited for analysing sequential honeypot time-series data.

        2. Random Forest and Isolation Forest for Anomaly Detection

          Random Forest and Isolation Forest are popular for anomaly detection in IoT. Random Forest is an ensemble method known for high accuracy and robustness. Isolation Forest efficiently isolates anomalies in high-dimensional data with low computational cost. A study evaluating these models on the SWaT and WADI datasets reported: Random Forest achieved 99.98% accuracy and F1-score on SWaT and 99.87% on WADI; Isolation Forest achieved 99.96% accuracy and F1-score on SWaT and 99.85% on WADI. This demonstrates both models’ capability for anomaly detection in industrial IoT, crucial for identifying novel and zero-day attacks overlooked by signature-based IDS.

      3. Benchmarking Against Baseline Systems

        A comprehensive evaluation requires benchmarking honeypot-based IDS against established baseline systems for an objective assessment of their advantages and disadvantages.

        1. Comparison with Traditional IDS (e.g., Snort)

          Traditional signature-based IDS, such as Snort, are highly effective at detecting known attacks with existing signatures but are completely ineffective against zero-day and novel threats. In contrast, honeypot-based IDS are not limited by a signature database; they can detect any interaction with the honeypot, making them highly effective for new and emerging threats. A comparative analysis would show Snort with a higher detection rate for known attacks, while a honeypot-based IDS would have a much higher detection rate for unknown attacks. The trade-off is that honeypots can generate more false positives, as any interaction is considered suspicious.

        2. Comparison with Non-Honeypot AI-based IDS

          Non-honeypot AI-based IDS use machine learning to analyse network traffic and detect anomalies. They can detect novel attacks but often suffer from a high rate of false positives, as they flag any deviation from trained “normal” traffic. Honeypot-based AI-IDS have a much lower false positive rate in IoT contexts because any interaction with a honeypot in such an environment is highly likely to be malicious. The honeypot acts as a pre-filter, ensuring the AI model analyses only traffic of interest. A comparative analysis would likely show that a honeypot-based AI-IDS achieves lower false positives and higher precision than a non-honeypot AI-IDS, while maintaining a similar level of recall.

  8. Case Studies: Real-World Incidents and Deployments

    This section presents two detailed real-world honeypot deployments to illustrate the practical application of honeypot-based IDS. The first case study focuses on a ransomware attack against a critical infrastructure “network twin” honeypot, highlighting its effectiveness in capturing sophisticated threats. The second examines a high-interaction honeypot system for threat management, emphasising its architecture and AES-256 integration. These examples illustrate practical insights into the challenges, benefits, and lessons of deploying these systems.

      1. Case Study 1: Ransomware Attack on a Water Treatment Plant Honeypot

        This case study examines an incident where a honeypot mimicking a water treatment plant (WTP) was successfully attacked by ransomware. Deployed as a “network twin” in a public environment to attract threats against critical infrastructure, this deployment provided valuable insights into attacker tactics, techniques, and procedures (TTPs) targeting industrial control systems (ICS), underscoring the importance of a well-designed honeypot architecture for threat capture and containment.

        1. The “Network Twin” Honeypot Architecture

          The honeypot was a functional software replica, or “network twin,” of a water treatment plant’s operational technology environment. Its architecture was designed to be a convincing target while ensuring security. The system had two main components: a WTP twin (simulating physical processes) and a Human-Machine Interface (HMI) (a web-based control panel). The HMI was intentionally made accessible via a weakly secured Remote Desktop Protocol (RDP) with simple credentials to offer an easy entry point. Crucially, the HMI was network-isolated from the WTP twin. This meant the attacker who compromised the HMI could not access or manipulate the twin, allowing the honeypot to capture the attacker’s activities without risking the integrity of the core simulation. This design was successful, with the system recording 11 successful logins over 9 days, one eventually leading to a ransomware attack.

        2. The Makop Ransomware Attack Vector (AES-256)

          The significant captured incident was an attack by the Makop ransomware. It began with a successful RDP login to the HMI. The attacker deployed ransomware, which proceeded to encrypt files on the HMI using the AES-256 encryption algorithm, a common feature of modern ransomware due to its strong, efficient encryption. While the attacker’s likely goal was extortion, the honeypot’s architecture contained the attack to the HMI. Detailed logging captured the ransomware’s behaviour, the files it encrypted, and attacker communications. This provided a rare, controlled opportunity to study Makop’s TTPs without endangering real infrastructure, highlighting the critical need for security measures such as network segmentation.

        3. Lessons Learned and Threat Intelligence Gained

          The incident yielded valuable threat intelligence and key lessons. First, it demonstrated the effectiveness of a well-architected “network twin” honeypot in capturing and containing sophisticated threats for detailed study. Second, it underscored the growing ransomware threat to critical infrastructure and provided specific insights into Makop’s TTPs to improve detection and response. Third, it reinforced the importance of core security practices (network segmentation, strict access control, and regular backups), especially as the attacker entered through a weakly secured RDP. Finally, it showed the value of researcher-industry collaboration, as the gained intelligence was shared with the actual water treatment plant management to improve their security posture.

      2. Case Study 2: High-Interaction Honeypot for Threat Management

        This case study examines a high-interaction honeypot system designed for threat management, focusing on its architectural design and the logical integration point for AES-256 encryption. The system creates a realistic environment to capture detailed attacker tactics, techniques, and procedures (TTPs). It highlights the system’s modular architecture, the central node’s management role, and methods for ensuring data security.

        1. System Architecture and AES-256 Integration

          The system employs a central node architecture for modular, scalable threat management. Key components include:

          • Information Capture Module: Uses Loadable Kernel Modules (LKMs) running within the honeypot’s OS to capture detailed attacker activities with low detectability.
          • Connection Control Module: A central kernel-style structure with two sub-modules:
            • Communication Control: Restricts external connections and filters data packets to secure the central node.
            • Environment Control: Provides a realistic, reliable OS environment for the honeypots to ensure high interactivity and stealth.
          • Honeypot Deployment: Utilises physical systems (not simulations) to provide a genuine environment for attacker engagement.
          • Data Analysis & Processing Module: Formats, classifies, and assesses the risk of captured attack data on the central node.

            While the source paper does not explicitly detail AES-256 use, such encryption is a standard practice for protecting the communication channels between honeypots and the central node and for securing the stored attack data, ensuring data confidentiality and integrity.
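          As an added illustration of that integration point (example code written for this survey page, not taken from the central-node paper it describes), each record a honeypot node captures is sealed with AES-256-GCM before it travels to the central node, with the node identifier and a per-node sequence number bound in as associated data so that tampered, replayed or misattributed records fail verification. The node ID, the JSON record shape and the demo key are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// newGCM returns an AES-256-GCM AEAD; the 32-byte key is what selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// recordAAD travels in the clear but is covered by the GCM tag: originating node
// plus per-node sequence, so replayed, reordered or misattributed records fail to open.
func recordAAD(nodeID string, seq uint64) []byte {
	aad := make([]byte, 8+len(nodeID))
	binary.BigEndian.PutUint64(aad[:8], seq)
	copy(aad[8:], nodeID)
	return aad
}

// SealRecord encrypts one captured attacker-activity record on the honeypot node.
// The random 12-byte nonce is prefixed so the central node can recover it.
func SealRecord(key []byte, nodeID string, seq uint64, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, record, recordAAD(nodeID, seq)), nil
}

// OpenRecord runs on the central node: the tag is checked against the ciphertext
// and the expected node/sequence before any plaintext is released.
func OpenRecord(key []byte, nodeID string, seq uint64, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], recordAAD(nodeID, seq))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	// Constructed sample record as a capture module might emit it (RFC 5737 test address).
	record := []byte(`{"src":"203.0.113.7","event":"rdp_login","user":"admin"}`)
	sealed, err := SealRecord(key, "hp-node-01", 42, record)
	if err != nil {
		panic(err)
	}
	plain, err := OpenRecord(key, "hp-node-01", 42, sealed)
	fmt.Printf("central node opened: %s (err=%v)\n", plain, err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit in transit
	_, err = OpenRecord(key, "hp-node-01", 42, sealed)
	fmt.Println("tampered record rejected:", err != nil)
}
```

The same seal/open pair protects records written to the central node's storage, which is the data-at-rest role the survey also assigns to AES-256.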

        2. Analysis of Attacker Behaviour and TTPs

          The system is designed to provide a rich, detailed view of attacker TTPs by capturing activities from initial reconnaissance to data exfiltration. The LKM-based information capture module is particularly effective at gathering low-level system data missed by low-interaction honeypots. This data is sent to the central node, where the analysis module processes it using techniques like signature-based detection, anomaly detection, and behavioural analysis. This detailed behavioural analysis yields valuable insights into attacker motivations and objectives, which can be used to update detection signatures, patch vulnerabilities, and inform security strategies.

        3. Effectiveness in Deception and Detection

    The system’s effectiveness stems from its architecture and realism. Using physical systems makes the honeypot more convincing, thereby enhancing the likelihood of attacker engagement. The modular design allows for tailored control and risk management. The sophisticated data analysis module ensures that the data gathered is transformed into actionable threat intelligence. The ability to capture detailed TTPs makes it a valuable tool for both detection and attribution, enabling organisations to develop more effective defences and improve their overall security posture.

  9. EMERGING TRENDS AND OPEN CHALLENGES

    The field of honeypot-based IDS is constantly evolving due to the changing threat landscape and technological advancements. This section discusses emerging trends shaping its future and the open challenges that need to be addressed. Understanding these helps anticipate future research directions and identify promising areas for investigation.

      1. Emerging Trends
        1. Integration with Blockchain for Trust and Integrity A promising trend is integrating honeypot-based IDS with blockchain technology. Blockchain can create a secure, immutable ledger of all honeypot activity, ensuring the integrity and non-repudiation of collected data. This is particularly valuable for threat intelligence sharing, providing a verifiable record of attacks. Furthermore, blockchain can enable a decentralised and resilient honeypot network managed by a distributed consortium of organisations, helping prevent a single point of failure and increasing the network’s resistance to attack.
        2. AI-Driven Adaptive and Dynamic Honeypots Another key trend is the development of AI-driven adaptive and dynamic honeypots. These use machine learning to adapt their behaviour in real-time, making them more convincing and effective at deceiving attackers. For instance, an AI-driven honeypot could learn a network’s normal behaviour and dynamically adjust its own to match, making it much harder for an attacker to identify as a fake. AI can also dynamically generate new and unique honeypot configurations, making it more difficult for attackers to develop a consistent “fingerprint” for the honeypot.
        3. SDN-Enabled Honeypot Orchestration Software-Defined Networking (SDN) is significantly impacting honeypot technology. SDN enables the creation of a highly dynamic and flexible honeypot network, where honeypots can be easily deployed, moved, and reconfigured in response to changing threats. This is particularly useful for creating a “moving target” defence, where constantly changing honeypots make it harder for attackers to find and exploit them. SDN also facilitates a “honeypot as a service” model, allowing organisations to deploy and manage honeypots with minimal effort on demand.
      2. Open Challenges and Research Gaps
        1. Scalability and Resource Management in Large-Scale IoT

          A major challenge is scalability. As IoT networks continue to expand, deployment and management of honeypots, especially resource-intensive high-interaction types, become increasingly difficult. There is a pressing need for new techniques to automate deployment and management, alongside more lightweight and resource-efficient honeypot designs suitable for vast IoT environments.

        2. Evasion Techniques Employed by Sophisticated Attackers

          As honeypots advance, so do attacker evasion techniques. Sophisticated adversaries now use methods such as detecting virtualisation software or identifying behavioural inconsistencies to recognise and avoid honeypots. This creates a critical need for more research into these evasion tactics and the development of next-generation honeypot designs with greater resistance to detection.

        3. Legal and Ethical Implications of Honeypot Deployment

    Honeypot deployment raises significant legal and ethical questions. Key issues include the legality of collecting attacker data without consent and the ethics of deception and entrapment. Addressing these concerns requires a broader discussion within the community to establish clear guidelines and best practices for responsible deployment.

  10. Critical Discussion of Limitations

    While this survey provides a comprehensive analysis, it is essential to acknowledge its limitations, which fall into two categories: those of the survey methodology itself and those of the existing research in the field. Discussing these provides a balanced perspective on the state of the art and identifies necessary future research.

      1. Limitations of the Survey Methodology
        1. Potential Bias in Search and Selection Despite a systematic approach, potential bias exists in the search and selection process. Choices of databases, keywords, and inclusion criteria can introduce bias. The focus on English-language publications may have excluded relevant non-English research. Similarly, reliance on academic databases may have omitted pertinent studies from industry reports or other non-academic sources.
        2. Challenges in Comparing Heterogeneous Systems A significant methodological challenge is comparing systems that vary widely. Solutions in this survey differ in architecture, functionality, and performance, making direct comparison difficult. While a multi-dimensional framework helps, it remains challenging to fully capture all nuances and complexities in a single comparative analysis.
      2. Limitations of Existing Research
        1. Lack of Standardised Benchmarks for Honeypot-IDS

          A major limitation in the field is the absence of standardised benchmarks. Systems are evaluated using different datasets, metrics, and methodologies, restricting direct comparison of study results. There is a clear need for a common set of benchmarks to enable objective, reproducible evaluation of honeypot-based IDS performance.

        2. Insufficient Focus on Real-World IoT Deployments

          Existing research often lacks focus on real-world IoT deployments. Many studies are based on simulations or lab experiments, which may not accurately reflect the practical challenges of deployment, such as scalability, resource management, and integration with existing infrastructure. Further research on these practical aspects is essential.

        3. Ambiguity in the Role and Description of AES-256 There is a frequent lack of clarity regarding AES-256’s specific role and implementation. While many studies mention its use, they often fail to provide detailed descriptions of its integration, making it difficult to assess the security benefits and performance implications. More research is needed on the practical aspects of integrating AES-256, including analysis of different integration models and their trade-offs.
  11. FUTURE ROADMAP

    Based on this survey’s findings, limitations, and open challenges, the following roadmap outlines future research directions for honeypot-based IDS with AES-256 encryption, divided into short-term and long-term goals.

      1. Short-Term Research Directions (1-3 Years)
        1. Development of Lightweight, AES-Enabled Honeypots for Constrained Devices A key priority is developing lightweight honeypots with integrated AES-256 specifically for resource-constrained IoT devices. This requires new architectures optimised for low power and minimal memory, alongside optimised AES-256 implementations for efficient execution on these devices. The goal is to enable widespread deployment across IoT networks without a significant performance impact.

        2. Standardisation of Performance Metrics and Evaluation Datasets

          There is a critical need to standardise performance metrics and evaluation datasets. This involves creating a common set of benchmarks for objective, reproducible evaluation and developing new, high-quality datasets that accurately represent IoT environments. This standardisation will enable more rigorous and meaningful comparisons between different solutions.

      2. Long-Term Research Directions (3-5 Years)
        1. Fully Autonomous and Self-Adapting Honeypot Ecosystems

          A long-term vision is the creation of fully autonomous honeypot ecosystems. Using AI, these systems would automatically deploy, configure, and manage honeypots in response to evolving threats, adapting their behaviour in real-time to become more convincing and effective. The goal is a “set it and forget it” solution for continuous threat intelligence with minimal human intervention.

        2. Integration with Quantum-Resistant Cryptographic Algorithms

          With the advent of quantum computing, research must pivot towards integrating quantum-resistant cryptographic algorithms. This involves developing new honeypot designs to attract and analyse attacks targeting post-quantum systems and creating new techniques to secure honeypot data in a post-quantum world.

        3. Cross-Domain Threat Intelligence Sharing Frameworks

    Developing cross-domain threat intelligence sharing frameworks is essential for collaborative defence. These frameworks would enable organisations to securely and automatically share intelligence gathered from honeypots. Blockchain technology could play a key role here, providing a secure and immutable ledger to verify and facilitate this sharing.

  12. CONCLUSION

    This survey concludes that the strategic integration of honeypots, Intrusion Detection Systems (IDS), and AES-256 encryption constitutes a critical and sophisticated paradigm for proactive cybersecurity, particularly for vulnerable Internet of Things (IoT) ecosystems. The core strength lies in the synergistic relationship: honeypots act as deceptive sensors to attract and engage attackers, the IDS provides the monitoring framework to detect and alert on malicious activity, and AES-256 encryption ensures the confidentiality and integrity of the entire system and the sensitive threat intelligence it generates. The field has evolved significantly from low-interaction decoys to advanced, high-interaction “cyber twins”, realistic digital replicas of operational environments. This progression enables the capture of complex, multi-stage attack sequences, providing deep, actionable insights into attacker tactics, techniques, and procedures (TTPs) that are invaluable for threat attribution and strengthening defences. The role of AES-256 within this architecture is multifaceted; it is essential for securing communication channels between distributed honeypot nodes and central analysis servers, encrypting stored forensic data to prevent tampering, and increasingly serving as a deliberate target for analysing sophisticated threats such as ransomware that utilise this same encryption. Furthermore, the incorporation of Artificial Intelligence (AI) and Machine Learning (ML) represents a transformative trend, moving systems beyond passive logging. AI/ML enables the automated analysis of vast datasets from honeypots, improving detection accuracy for novel attacks, reducing false positives, and paving the way for adaptive honeypots that can dynamically alter their behaviour to better deceive adversaries. Despite these advancements, substantial open challenges define the research frontier. These include achieving scalable and resource-efficient management of honeypots across vast IoT networks, countering sophisticated attacker evasion techniques designed to fingerprint and avoid decoys, and navigating the unresolved legal and ethical considerations surrounding deception and data collection. Addressing these gaps is essential for the maturation and responsible deployment of these integrated defence systems in an increasingly hostile cyber landscape.

    12.1. Final Takeaway for the Cybersecurity Community

    This work offers a roadmap for essential research, encouraging the cybersecurity community to fully embrace the potential of honeypots as a key strategic weapon: to anticipate, deceive, and outmanoeuvre adversaries.

    “The cybersecurity landscape demands a shift from reactive to proactive defence strategies. Honeypot-based IDS with AES-256 encryption offers a powerful solution to this challenge, combining deception capabilities with robust cryptographic protection to create resilient and intelligent security infrastructures.”

    The future of cybersecurity depends on our ability to think like adversaries, anticipate their moves, and employ deception as a strategic advantage. This survey provides a roadmap for harnessing the full potential of honeypot-based IDS technology in securing our increasingly connected world.

  13. TERMINOLOGY GLOSSARY

    This glossary defines key terms used throughout the survey for clarity and consistency.

    Core Concepts

    1. Honeypot: A deceptive system designed to attract and engage attackers, allowing for the observation of their behaviour and collection of threat intelligence.
    2. Honeynet: A network of multiple interconnected honeypots that simulates a complex environment to study advanced attacks involving lateral movement.
    3. Cyber Twin: A specific type of high-interaction honeypot that is a highly realistic digital replica of a real-world system (e.g., a power grid control system) used to attract targeted attacks.
    4. Intrusion Detection System (IDS): A security tool that monitors network or system activity for signs of malicious behaviour or policy violations. It alerts to threats but does not block them.
    5. Intrusion Prevention System (IPS): A security tool that not only detects but can also actively block or prevent identified threats in-line with network traffic.
    6. Advanced Encryption Standard (AES-256): A strong, widely adopted symmetric encryption algorithm. The “-256” denotes the use of a 256-bit key, providing a high level of security suitable for protecting sensitive data.

      Performance Metrics

    7. Detection Metrics: These evaluate how well an IDS identifies attacks:
      1. Accuracy: The overall percentage of correct predictions (both normal and malicious).
      2. Precision: The percentage of alerts that are correctly identified as attacks (measures false alarms).
      3. Recall: The percentage of actual attacks that the system successfully detects.
      4. F1-Score: A single balanced score combining Precision and Recall.
    8. False Positive Rate (FPR): The rate at which normal activity is incorrectly flagged as malicious. A high FPR causes alert fatigue.
    9. False Negative Rate (FNR): The rate at which the system misses actual attacks. A high FNR is a critical security risk.
    10. Encryption Overhead: The additional system resources required to perform encryption, measured in:
      1. Processing/Encryption Time
      2. CPU Usage
      3. Memory Consumption

    This is a key consideration for resource-constrained IoT devices.
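    To make the detection metrics in items 7 to 9 concrete, here is an added worked example (written for this page, not drawn from the survey or any study it cites) that scores a deliberately naive threshold detector against a constructed set of labelled honeypot sessions; the session fields, thresholds, addresses and labels are all assumptions.

```go
package main

import "fmt"

// Session is one attacker interaction with the honeypot, as a capture module
// might summarise it. Attack is the ground-truth label from later triage.
type Session struct {
	Src          string
	FailedLogins int
	BytesOut     int
	Attack       bool
}

// SampleSessions is a constructed data set (RFC 5737 test addresses), not taken
// from any study in the survey.
var SampleSessions = []Session{
	{"203.0.113.10", 0, 2000, false},
	{"203.0.113.11", 6, 500, true},      // brute force
	{"203.0.113.12", 1, 2 << 20, true},  // exfiltration
	{"203.0.113.13", 5, 100, false},     // operator mistyping a password
	{"203.0.113.14", 2, 300, true},      // low-and-slow, evades the rule
	{"203.0.113.15", 0, 10, false},
	{"203.0.113.16", 12, 0, true},
	{"203.0.113.17", 0, 3 << 20, false}, // legitimate bulk transfer
	{"203.0.113.18", 3, 800, false},
	{"203.0.113.19", 0, 50, false},
	{"203.0.113.20", 8, 4 << 20, true},
	{"203.0.113.21", 1, 100, false},
}

// RuleAlert is a deliberately naive detector standing in for the IDS: alert on
// five or more failed logins or more than 1 MiB leaving the honeypot.
func RuleAlert(s Session) bool { return s.FailedLogins >= 5 || s.BytesOut > 1<<20 }

// Confusion holds the four outcomes of comparing alerts with ground truth.
type Confusion struct{ TP, FP, TN, FN int }

// Evaluate runs the detector over every session and tallies the outcomes.
func Evaluate(sessions []Session, alert func(Session) bool) Confusion {
	var c Confusion
	for _, s := range sessions {
		switch a := alert(s); {
		case a && s.Attack:
			c.TP++
		case a && !s.Attack:
			c.FP++
		case !a && s.Attack:
			c.FN++
		default:
			c.TN++
		}
	}
	return c
}

// ratio guards the undefined case (e.g. precision when no alert was ever raised).
func ratio(num, den int) float64 {
	if den == 0 {
		return 0
	}
	return float64(num) / float64(den)
}

func (c Confusion) Accuracy() float64  { return ratio(c.TP+c.TN, c.TP+c.TN+c.FP+c.FN) }
func (c Confusion) Precision() float64 { return ratio(c.TP, c.TP+c.FP) } // share of alerts that are real
func (c Confusion) Recall() float64    { return ratio(c.TP, c.TP+c.FN) } // share of attacks caught
func (c Confusion) FPR() float64       { return ratio(c.FP, c.FP+c.TN) } // drives alert fatigue
func (c Confusion) FNR() float64       { return ratio(c.FN, c.FN+c.TP) } // missed attacks
func (c Confusion) F1() float64        { return ratio(2*c.TP, 2*c.TP+c.FP+c.FN) } // harmonic mean of P and R

func main() {
	c := Evaluate(SampleSessions, RuleAlert)
	fmt.Printf("accuracy=%.3f precision=%.3f recall=%.3f f1=%.3f fpr=%.3f fnr=%.3f\n",
		c.Accuracy(), c.Precision(), c.Recall(), c.F1(), c.FPR(), c.FNR())
}
```

On this sample the rule reaches 0.75 accuracy but a 2/7 FPR, which is the alert-fatigue problem the glossary warns about, and its one miss is the low-and-slow session that no threshold on these two fields would catch.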
