Sherif Mohamed

Amr Khaled

Ahmed Mohamed

Mostafa Khaled

Publishing Date

January 5, 2022


Attacks on the internet keep on increasing and it causes harm to our security system. In order to minimize this threat, it is necessary to have a security System that has the ability to detect every day attacks and prevent them. “Honeypot is one of the proactive defense technologies, in which resources placed in a network with the aim to observe and capture new attacks”. This proposal introduces a honeypot-based model for intrusion detection systems (IDS) which enable the system to monitor attacker behavior. The capabilities and the limitations of honeypots will be introduced and needed improvement will be identified, we aim to use this trend for early attack prevention so that pre-emptive action is taken before unexpected harm to our security system. The majority of IT security teams will benefit from this project because it will assist them in making their systems more safe. Honeypots, as previously noted, are an important component of today’s cyber security arsenals. The success of this project will be determined by whether or not the script works, the number of threats it prevents, and the amount of information gained about attackers using this Honeypot.

1.1 Purpose of this document

This document’s aim is to define the document’s details. Also, the documentation acts as a developer reference as well as a record of product approval for the required function. The software implementation will also be explained in this document. The methods and functions utilized are covered by the software implementation. Honeypot is a protective tactic for tracking suspicious activity and documenting proof of crime. Honeypot (IDS) is a computer security solution that protects our privacy and sensitive data by preventing attacks. Furthermore, a honeypot is a ruse designed to fool attackers into thinking it is a real system.

1.2 Scope of this document

Our system is mainly designed to detect, prevent, and recover from attacks. The purpose of detection is to determine whether the user is a valid user or an attacker. Prevention betrays the attacker into believing the responses he is receiving are from the real system. Finally, one of the most important functions is to restore the system’s ability to capture and record new attacks. In recovery mode, the system is utilized to determine the attacker’s tools and strategies. Intrusion detection and prevention systems employ this data to construct heuristic-based rules.

1.3 System Overview

1. The system shall monitor the network traffic.

2. The system shall determine any malicious attack.

3. The system shall prevent the attackers from getting in our real system or our data.

4. The system shall give the administrators the access to see the attackers collected information (IP,

name, location,…).

5. The system shall divert the attackers to a fabricated data.

6. The system shall monitor the attackers behavior while tracing.

1.4 System Scope

Our scope will be focused on four phases:

1. Monitoring the network traffic:

Our system will monitor all devices exists in the same network to see their activities, time and monitor

them if any external device tries to connect to our network.

2. Determine malicious traffic:

After monitoring all traffic, we need to determine if there is any device trying to access the data that

is unauthorized, or devices that is working in a time that it doesn’t have the permission to work in.

3. Divert attacker to fabricated data:

If our system detect that there is an attack, Then it will divert the attacker automatically to fabricated


4. Monitor attacks behavior:

While the attacker is in the fabricated data zone, Our system will determine his behavior to get our

security issue or hole in our system.