{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:59:03Z","timestamp":1776074343673,"version":"3.50.1"},"reference-count":40,"publisher":"Springer Science and Business Media LLC","issue":"2","license":[{"start":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T00:00:00Z","timestamp":1771545600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T00:00:00Z","timestamp":1771545600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001538","name":"Victoria University of Wellington","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100001538","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>Honeypots in computer security have been used as effective security solutions to lure attackers, capture their interactions with the honeypot systems and study their behaviour. Attackers interacting with honeypots may use Artificial Intelligence (AI)-based techniques to detect the presence of honeypots leading to evasion by the attackers. This paper discusses the application of Reinforcement Learning (RL) to address these issues by improving response generation in honeypots. We propose \u201cQ-Cowrie\u201d, a honeypot that is built upon customising a medium interaction server honeypot, that is, Cowrie, to increase the honeypot\u2019s deception. RL capabilities have been integrated into the honeypot to support adaptive behaviour while interacting with attackers. Two experimental studies have been conducted in which Cowrie and Q-Cowrie honeypots were used, respectively. First, we deployed a Cowrie honeypot to capture cyber attacks and identify attackers\u2019 goals and techniques. This allowed us to create a probabilistic model, that is, the Markov Decision Making Process (MDP), to understand the decision-making process of attackers in different situations. Learning from attackers\u2019 unique patterns and applying RL techniques, Q-Cowrie was able to actively interact with attackers, making adaptive decisions.<\/jats:p>","DOI":"10.1007\/s10207-026-01221-5","type":"journal-article","created":{"date-parts":[[2026,2,20]],"date-time":"2026-02-20T12:36:09Z","timestamp":1771590969000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Q-Cowrie: An adaptive honeypot to analyse attackers\u2019 behaviour"],"prefix":"10.1007","volume":"25","author":[{"given":"Maryam","family":"Var Naseri","sequence":"first","affiliation":[]},{"given":"Ian","family":"Welch","sequence":"additional","affiliation":[]},{"given":"Junaid","family":"Haseeb","sequence":"additional","affiliation":[]},{"given":"Masood","family":"Mansoori","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,2,20]]},"reference":[{"key":"1221_CR1","unstructured":"Yuen, J.: Automated cyber red teaming. Cyber And Electronic Warfare Division, Defence Science And Technology Organisation, Edinburgh South Australia, Australia, Tech. Rep. (2015)"},{"key":"1221_CR2","doi-asserted-by":"publisher","first-page":"8176","DOI":"10.1016\/j.egyr.2021.08.126","volume":"7","author":"Y Li","year":"2021","unstructured":"Li, Y., Liu, Q.: A comprehensive review study of cyber-attacks and cyber security; Emerging trends and recent developments. Energy Rep. 7, 8176\u20138186 (2021)","journal-title":"Energy Rep."},{"key":"1221_CR3","doi-asserted-by":"crossref","unstructured":"Javadpour, A., Ja\u2019fari, F., Taleb, T., Shojafar, M., Benza\u00efd, C. A.: comprehensive survey on cyber deception techniques to improve honeypot performance. Computers & Security. pp. 103792 (2024)","DOI":"10.1016\/j.cose.2024.103792"},{"key":"1221_CR4","doi-asserted-by":"publisher","first-page":"27","DOI":"10.5120\/ijca2023922624","volume":"184","author":"W Ahmad","year":"2023","unstructured":"Ahmad, W., Raza, M., Nawaz, S., Waqas, F.: Detection and analysis of active attacks using honeypot. International Journal Of Computer Applications. 184, 27\u201331 (2023)","journal-title":"International Journal Of Computer Applications."},{"key":"1221_CR5","doi-asserted-by":"publisher","first-page":"2465","DOI":"10.3390\/electronics13132465","volume":"13","author":"P Lanka","year":"2024","unstructured":"Lanka, P., Gupta, K., Varol, C.: Intelligent threat detection-AI-driven analysis of honeypot data to counter cyber threats. Electronics 13, 2465 (2024)","journal-title":"Electronics"},{"key":"1221_CR6","doi-asserted-by":"publisher","first-page":"1","DOI":"10.2306\/scienceasia1513-1874.2013.39S.001","volume":"39","author":"W Zakaria","year":"2013","unstructured":"Zakaria, W., Kiah, M.: A review of dynamic and intelligent honeypots. ScienceAsia 39, 1\u20135 (2013)","journal-title":"ScienceAsia"},{"key":"1221_CR7","doi-asserted-by":"crossref","unstructured":"Liu, S., Feng, P., Cao, J., He, X., Chin, T., Sun, K., Li, Q.: Consistency is All I Ask: Attacks and Countermeasures on the Network Context of Distributed Honeypots. International Conference On Detection Of Intrusions And Malware, And Vulnerability Assessment. pp. 197-217 (2022)","DOI":"10.1007\/978-3-031-09484-2_11"},{"key":"1221_CR8","doi-asserted-by":"publisher","first-page":"273","DOI":"10.1016\/j.arcontrol.2022.01.001","volume":"53","author":"Y Huang","year":"2022","unstructured":"Huang, Y., Huang, L., Zhu, Q.: Reinforcement learning for feedback-enabled cyber resilience. Annu. Rev. Control. 53, 273\u2013295 (2022)","journal-title":"Annu. Rev. Control."},{"key":"1221_CR9","doi-asserted-by":"publisher","first-page":"2351","DOI":"10.1109\/COMST.2021.3106669","volume":"23","author":"J Franco","year":"2021","unstructured":"Franco, J., Aris, A., Canberk, B., Uluagac, A.: A survey of honeypots and honeynets for internet of things, industrial internet of things, and cyber-physical systems. IEEE Communications Surveys & Tutorials. 23, 2351\u20132383 (2021)","journal-title":"IEEE Communications Surveys & Tutorials."},{"key":"1221_CR10","first-page":"59","volume":"138","author":"H Mohammadzadeh","year":"2013","unstructured":"Mohammadzadeh, H., Mansoori, M., Welch, I.: Evaluation of fingerprinting techniques and a windows-based dynamic honeypot. Proceedings Of The Eleventh Australasian Information Security Conference-Volume 138, 59\u201366 (2013)","journal-title":"Proceedings Of The Eleventh Australasian Information Security Conference-Volume"},{"key":"1221_CR11","doi-asserted-by":"crossref","unstructured":"Pauna, A., Iacob, A., Bica, I.: Qrassh-a self-adaptive ssh honeypot driven by q-learning. 2018 International Conference On Communications (COMM). pp. 441-446 (2018)","DOI":"10.1109\/ICComm.2018.8484261"},{"key":"1221_CR12","volume-title":"Bandits for Cybersecurity: Adaptive Intrusion Detection Using Honeypots","author":"M Gutierrez","year":"2016","unstructured":"Gutierrez, M., Kiekintveld, C.: Bandits for Cybersecurity: Adaptive Intrusion Detection Using Honeypots. Artificial Intelligence For Cyber Security, AAAI Workshop (2016)"},{"key":"1221_CR13","doi-asserted-by":"publisher","first-page":"3906","DOI":"10.1109\/JSYST.2017.2762161","volume":"12","author":"W Fan","year":"2017","unstructured":"Fan, W., Du, Z., Fern\u00e1ndez, D., Villagr\u00e1, V.: Enabling an anatomic view to investigate honeypot systems: A survey. IEEE Syst. J. 12, 3906\u20133919 (2017)","journal-title":"IEEE Syst. J."},{"key":"1221_CR14","doi-asserted-by":"crossref","unstructured":"Thom, J., Shah, Y., Sengupta, S.: Correlation of cyber threat intelligence data across global honeypots. 2021 IEEE 11th Annual Computing And Communication Workshop And Conference (CCWC). pp. 0766-0772 (2021)","DOI":"10.1109\/CCWC51732.2021.9376038"},{"key":"1221_CR15","doi-asserted-by":"publisher","first-page":"1508","DOI":"10.3390\/math12101508","volume":"12","author":"L Wang","year":"2024","unstructured":"Wang, L., Deng, J., Tan, H., Xu, Y., Zhu, J., Zhang, Z., Li, Z., Zhan, R., Gu, Z.: AARF: Autonomous Attack Response Framework for Honeypots to Enhance Interaction Based on Multi-Agent Dynamic Game. Mathematics. 12, 1508 (2024)","journal-title":"Mathematics."},{"key":"1221_CR16","unstructured":"Li, Y.: Reinforcement learning in practice: Opportunities and challenges. ArXiv Preprint ArXiv:2202.11296. (2022)"},{"key":"1221_CR17","doi-asserted-by":"crossref","unstructured":"Ding, Z., Dong, H.: Challenges of reinforcement learning. Deep Reinforcement Learning: Fundamentals, Research And Applications. pp. 249-272 (2020)","DOI":"10.1007\/978-981-15-4095-0_7"},{"key":"1221_CR18","doi-asserted-by":"publisher","first-page":"965","DOI":"10.4218\/etrij.2019-0155","volume":"42","author":"S Dowling","year":"2020","unstructured":"Dowling, S., Schukat, M., Barrett, E.: New framework for adaptive and agile honeypots. ETRI J. 42, 965\u2013975 (2020)","journal-title":"ETRI J."},{"key":"1221_CR19","unstructured":"Puterman, M.: Markov decision processes: discrete stochastic dynamic programming. (John Wiley & Sons,2014)"},{"key":"1221_CR20","doi-asserted-by":"crossref","unstructured":"Ding, Z., Huang, Y., Yuan, H., Dong, H.: Introduction to reinforcement learning. Deep Reinforcement Learning: Fundamentals, Research And Applications. pp. 47-123 (2020)","DOI":"10.1007\/978-981-15-4095-0_2"},{"key":"1221_CR21","doi-asserted-by":"crossref","unstructured":"Guan, C., Liu, H., Cao, G., Zhu, S., La Porta, T.: HoneyIoT: Adaptive High-Interaction Honeypot for IoT Devices Through Reinforcement Learning. Proceedings Of The 16th ACM Conference On Security And Privacy In Wireless And Mobile Networks. pp. 49-59 (2023)","DOI":"10.1145\/3558482.3590195"},{"key":"1221_CR22","unstructured":"L\u00f3pez, P., P\u00e9rez, M., Nespoli, P.: Cyber Deception: State of the art, Trends and Open challenges. ArXiv Preprint ArXiv:2409.07194. (2024)"},{"key":"1221_CR23","doi-asserted-by":"crossref","unstructured":"Abdou, A., Sheatsley, R., Beugin, Y., Shipp, T., McDaniel, P.: HoneyModels: Machine learning honeypots. MILCOM 2021-2021 IEEE Military Communications Conference (MILCOM). pp. 886-891 (2021)","DOI":"10.1109\/MILCOM52596.2021.9652947"},{"key":"1221_CR24","doi-asserted-by":"publisher","first-page":"221","DOI":"10.1007\/s11416-010-0150-4","volume":"7","author":"G Wagener","year":"2011","unstructured":"Wagener, G., State, R., Dulaunoy, A., Engel, T.: Heliza: talking dirty to the attackers. J. Comput. Virol. 7, 221\u2013232 (2011)","journal-title":"J. Comput. Virol."},{"key":"1221_CR25","doi-asserted-by":"crossref","unstructured":"Dowling, S., Schukat, M., Barrett, E.: Using reinforcement learning to conceal honeypot functionality. Machine Learning And Knowledge Discovery In Databases: European Conference, ECML PKDD 2018, Dublin, Ireland, September 10\u201314, 2018, Proceedings, Part III 18. pp. 341-355 (2019)","DOI":"10.1007\/978-3-030-10997-4_21"},{"key":"1221_CR26","unstructured":"Navarro Ferrer, O.: Analysis of reinforcement learning techniques applied to honeypot systems. (Universitat Oberta de Catalunya (UOC) (2021)"},{"key":"1221_CR27","first-page":"159","volume":"22","author":"O Hayatle","year":"2013","unstructured":"Hayatle, O., Otrok, H., Youssef, A.: A markov decision process model for high interaction honeypots. Information Security Journal: A Global Perspective. 22, 159\u2013170 (2013)","journal-title":"Information Security Journal: A Global Perspective."},{"key":"1221_CR28","doi-asserted-by":"publisher","DOI":"10.1016\/j.rineng.2022.100576","volume":"16","author":"A Pashaei","year":"2022","unstructured":"Pashaei, A., Akbari, M., Lighvan, M., Charmin, A.: Early Intrusion Detection System using honeypot for industrial control networks. Results In Engineering. 16, 100576 (2022)","journal-title":"Results In Engineering."},{"key":"1221_CR29","doi-asserted-by":"crossref","unstructured":"Cabral, W., Valli, C., Sikos, L., Wakeling, S.: Review and analysis of cowrie artefacts and their potential to be used deceptively. 2019 International Conference On Computational Science And Computational Intelligence (CSCI). pp. 166-171 (2019)","DOI":"10.1109\/CSCI49370.2019.00035"},{"key":"1221_CR30","doi-asserted-by":"crossref","unstructured":"Hetzler, C., Chen, Z., Khan, T.: Analysis of ssh honeypot effectiveness. Future Of Information And Communication Conference. pp. 759-782 (2023)","DOI":"10.1007\/978-3-031-28073-3_51"},{"key":"1221_CR31","doi-asserted-by":"publisher","first-page":"554","DOI":"10.3390\/make3030029","volume":"3","author":"X Xiang","year":"2021","unstructured":"Xiang, X., Foo, S.: Recent advances in deep reinforcement learning applications for solving partially observable markov decision processes (pomdp) problems: Part 1-fundamentals and applications in games, robotics and natural language processing. Machine Learning And Knowledge Extraction. 3, 554\u2013581 (2021)","journal-title":"Machine Learning And Knowledge Extraction."},{"key":"1221_CR32","doi-asserted-by":"publisher","first-page":"1125","DOI":"10.1109\/TSMC.2013.2294155","volume":"44","author":"S Doltsinis","year":"2014","unstructured":"Doltsinis, S., Ferreira, P., Lohse, N.: An MDP model-based reinforcement learning approach for production station ramp-up optimization: Q-learning analysis. IEEE Transactions On Systems, Man, And Cybernetics: Systems. 44, 1125\u20131138 (2014)","journal-title":"IEEE Transactions On Systems, Man, And Cybernetics: Systems."},{"key":"1221_CR33","doi-asserted-by":"crossref","unstructured":"Huang, L., Zhu, Q.: Adaptive honeypot engagement through reinforcement learning of semi-Markov decision processes. International Conference On Decision And Game Theory For Security. 196\u2013216 (2019)","DOI":"10.1007\/978-3-030-32430-8_13"},{"issue":"10","key":"1221_CR34","doi-asserted-by":"publisher","first-page":"4865","DOI":"10.1007\/s12652-021-03229-2","volume":"13","author":"S Suratkar","year":"2022","unstructured":"Suratkar, S., Shah, K., Sood, A., Loya, A., Bisure, D., Patil, U., Kazi, F.: An adaptive honeypot using Q-learning with severity analyzer. Journal Of Ambient Intelligence And Humanized Computing. 13(10), 4865\u20134876 (2022)","journal-title":"Journal Of Ambient Intelligence And Humanized Computing."},{"issue":"3","key":"1221_CR35","doi-asserted-by":"publisher","first-page":"41","DOI":"10.3390\/computers11030041","volume":"11","author":"H Alavizadeh","year":"2022","unstructured":"Alavizadeh, H., Alavizadeh, H., Jang-Jaccard, J.: Deep Q-learning based reinforcement learning approach for network intrusion detection. Computers. 11(3), 41 (2022)","journal-title":"Computers."},{"key":"1221_CR36","doi-asserted-by":"crossref","unstructured":"Amin, M., Othman, M.: Re-exploration of $$\\varepsilon $$-greedy in deep reinforcement learning. RiTA 2020: Proceedings Of The 8th International Conference On Robot Intelligence Technology And Applications. pp. 264-272 (2021)","DOI":"10.1007\/978-981-16-4803-8_27"},{"key":"1221_CR37","doi-asserted-by":"crossref","unstructured":"Kaloev, M., Krastev, G.: Tailored Learning Rates for Reinforcement Learning: A Visual Exploration and Guideline Formulation. 2023 7th International Symposium On Innovative Approaches In Smart Technologies (ISAS). pp. 1-7 (2023)","DOI":"10.1109\/ISAS60782.2023.10391644"},{"key":"1221_CR38","unstructured":"MITRE, T. ATT&CK Matrix for Enterprise. Available at:. (https:\/\/attack.mitre.org\/), Accessed: September 10 (2024)"},{"key":"1221_CR39","doi-asserted-by":"publisher","first-page":"75","DOI":"10.1080\/23742917.2018.1495375","volume":"2","author":"S Dowling","year":"2018","unstructured":"Dowling, S., Schukat, M., Barrett, E.: Improving adaptive honeypot functionality with efficient reinforcement learning parameters for automated malware. Journal Of Cyber Security Technology. 2, 75\u201391 (2018)","journal-title":"Journal Of Cyber Security Technology."},{"key":"1221_CR40","doi-asserted-by":"publisher","first-page":"2271","DOI":"10.1109\/COMST.2015.2459015","volume":"17","author":"W Khan","year":"2015","unstructured":"Khan, W., Khan, M., Muhaya, F., Aalsalem, M., Chao, H.: A comprehensive study of email spam botnet detection. IEEE Communications Surveys & Tutorials. 17, 2271\u20132295 (2015)","journal-title":"IEEE Communications Surveys & Tutorials."}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01221-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01221-5","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01221-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:17:47Z","timestamp":1776071867000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01221-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,2,20]]},"references-count":40,"journal-issue":{"issue":"2","published-online":{"date-parts":[[2026,4]]}},"alternative-id":["1221"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01221-5","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,2,20]]},"assertion":[{"value":"3 August 2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"12 January 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 February 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors do not have any financial or non-financial interests to declare that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflicts of Interest"}},{"value":"The authors declare no competing interests.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"60"}}