IMPROVING IOT INTRUSION DECEPTION THROUGH NAF-ENHANCED Q-LEARNING-BASED ADAPTIVE HONEYPOTS

Abstract

The rapid growth of Internet of Things (IoT) en vironments has increased the vulnerability of connected devices to malware, botnets, credential abuse, and distributed attacks. Honeypots are widely used to monitor attacker behavior and collect threat intelligence; however, many existing solutions re main static, are vulnerable to fingerprinting, or provide limited interaction realism. This paper presents an adaptive SSH-based honeypot framework for IoT-oriented deception environments using Q-learning with a Normalized Advantage Function (NAF) enhanced action-value formulation. The proposed system models attacker behavior at the command level and dynamically selects deception actions such as allowing, blocking, delaying, or gen erating fake outputs. To support efficient operation and forensic analysis, the framework employs a dual-layer storage design consisting of lightweight XML event logs and extended MySQL session records. The prototype was implemented in Python and evaluated in a controlled environment using simulated adversarial SSH interactions. Experimental results show that the system sup ports scalable deployment and sustained up to 28 simultaneous honeypot instances on the tested hardware configuration, while also enabling adaptive command handling and reverse-Turing test-oriented interaction logic. The main contribution of this work is a practical command-level adaptive deception mechanism for SSH honeypots that moves beyond static or rule-based decoy models. The findings provide a basis for future work on real world validation, anti-fingerprinting strategies, and coordinated multi-honeypot deployment for IoT security.