Papers
Topics
Authors
Recent
Search
2000 character limit reached

MURHCAD: Multi-Regional Cloud Honeynet Dataset

Updated 27 June 2026
  • The dataset provides a reproducible snapshot of 132,425 cyberattack events across public cloud infrastructures via multi-honeypot deployment.
  • MURHCAD includes detailed event enrichment with ASN, geo-location, and temporal features to support advanced threat intelligence and analytics.
  • It enables practical applications in anomaly detection, protocol misuse studies, and machine learning using globally distributed, high-resolution event data.

The Multi-Regional Cloud Honeynet Dataset (MURHCAD) is a high-resolution, globally distributed honeynet corpus capturing cloud-scale cyberattack events across multiple protocols and geographies. Designed to empower reproducible analysis of emergent cyberthreats, temporal activity, and adversarial actor characterization, MURHCAD encompasses comprehensive event records, contextual enrichment for threat intelligence, and actionable analytical features to support a wide spectrum of cybersecurity research and operational analytics (Feito-Casares et al., 9 Jan 2026, Haikal et al., 6 Dec 2025).

1. Dataset Objectives and Scope

MURHCAD was constructed to provide a reproducible, high-resolution “snapshot” of global cyber-probing and attack activity within public-cloud infrastructure. Over a contiguous 72-hour interval (June 9–11, 2025), 132,425 individual attack events were captured using three distinct low-interaction honeypot systems—Cowrie (SSH/Telnet emulator), Dionaea (SMB/MSSQL/MySQL/TFTP/MQTT emulation), and SentryPeer (SIP honeypot)—each running under T-Pot Community Edition. Sensors were deployed as virtual machines (VMs) on Microsoft Azure, stratified by region: Central India, Central US, Spain Central, and South Africa North, with a central aggregation VNet (East US) to support robust telemetry collection and orchestration.

The primary objectives are:

  • Capture a multi-protocol, multi-regional corpus suitable for anomaly detection, protocol-misuse analysis, and threat intelligence.
  • Enrich event logs with detailed provenance: ASN, source organization, geolocation, standardized protocol classification, and fine-grained temporal features.
  • Deliver a reusable, standalone dataset supporting reproducible research and operational benchmarking in cybersecurity.

2. Infrastructure and Data Collection Methodology

Honeypot VMs were configured in a mirrored deployment, exposing only the necessary service ports and hosting identical instances of each honeypot. Event telemetry (in JSON format) was funneled via Azure’s private backbone to the central hive for storage and indexing.

A multi-stage enrichment and preprocessing pipeline was applied:

  • Raw event parsing: JSON batches were parsed by a Jupyter notebook (DataPreprocessingNotebook.ipynb).
  • Metadata enrichment: Each record received ASN and organization lookup, MaxMind-style IP geolocation, standardized port-to-service mapping, and imputation for missing values.
  • Temporal feature derivation: UTC timestamps tt (seconds since epoch) mapped to hour-of-day H=(tmod86400)/3600H = (t \bmod 86400)/3600 and weekday D=(t+Z)/86400mod7D = \lfloor (t+Z)/86400 \rfloor \bmod 7 (using date offset ZZ for alignment), as well as MM/DD/YY grouping for human interpretation.
  • Dataset export: Events persisted as one record per row in HoneyNetEvents_Clean.csv.

3. Metadata Schema

The event schema encodes both raw and derived fields, facilitating high-dimensional analytics. Each record includes:

Feature Name Description
timestamp_utc Original ISO 8601 timestamp (UTC)
date Calendar-formatted date (MM/DD/YY)
weekday, day, hour Weekday label, day of month, hour-of-day (0–23)
srcIp, srcPort Attacker’s public IP and ephemeral source port
srcOrg, srcASN Source organization (via ASN lookup)
srcCountryName Source country (IP geolocation)
srcLat, srcLon Latitude/longitude of srcIp
dstIp, dstPort Honeypot’s public IP and target port
dstHostname Host identifier (e.g., vm-centralindia)
dstCountryName Region of honeypot
dstLat, dstLon Honeypot geolocation coordinates
protocol Standardized protocol label (e.g., sip, telnet)
attackType Honeypot system (Cowrie, Dionaea, SentryPeer)

This comprehensive schema supports flexible group-by, filtering, and aggregation for downstream analysis.

4.1 Event Distribution

The dataset captures N=132,425N = 132,425 attack events from 2,438 distinct source IPs originating in 95 countries and 522 ASNs. The observed attacker distribution is heavy-tailed: the top 1% of source IPs (≈24 addresses) generate 15% of all events, as quantified by

Share(P)=iPcount(i)N0.15at ρ=0.01\text{Share}(P) = \frac{\sum_{i \in P} \text{count}(i)}{N} \approx 0.15\quad\text{at } \rho=0.01

where PP is the highest-activity ρ\rho fraction of IPs.

4.2 Protocol Spectrum

Thirteen protocols were targeted, but the event landscape is dominated by three:

  • SIP: 55,060 events (41.6%), almost exclusively via SentryPeer.
  • Telnet: ~29,000 events (21.9%), monitored by Cowrie.
  • SMBD: ~36,000 events (27.2%), captured by Dionaea.

HTTP, MySQL, MSSQL, MQTT, and other protocols collectively constitute less than 15% of total traffic.

4.3 Temporal and Geospatial Patterns

Attack volume A(h)A(h), defined as the count of events with hour=hhour = h, shows clear diurnal peaks at 07:00 and 23:00 UTC, with notable lulls between 02:00–04:00; these are punctuated by sawtooth drops corresponding to scheduled VM maintenance (resulting in event gaps). Platform-specific rush-hour effects include a Dionaea surge at 07:00 (H=(tmod86400)/3600H = (t \bmod 86400)/36000), SentryPeer holding a plateau from 06:00–13:00, and Cowrie maintaining a relatively uniform hourly distribution.

Spatially, attack origins are skewed toward the United States (38,600 events, ~31%). The deployed honeypots' locations (India, US, Spain, South Africa) drive local attack visibility and bias service profile observations. Geospatial visualization reveals SentryPeer SIP floods in North America and SE Asia, Cowrie Telnet/SSH scanning from Western Europe and the US, and Dionaea SMB exploits clustered in Europe.

5. Applications and Research Utility

MURHCAD’s structure and enrichment enable a range of research and practical applications:

  • Anomaly detection: As a benchmark for burst-detection, heavy-tailed sequence modeling, and time series analytics.
  • Protocol misuse: Forensic studies of VoIP denial-of-service (SIP INVITE floods), legacy remote-login abuse, and SMB/file-sharing exploits.
  • Threat intelligence: ASN-level campaign mapping, coordinated probe detection, and early-warning indicator derivation.
  • Defensive policy design: Development and simulation of geographically-aware, protocol- and port-specific firewall rules using empirically observed attack patterns.
  • Machine learning: Supervised and generative modeling using high-dimensional, spatiotemporal event features and labels.

The dataset directly supports these research vectors by virtue of its temporal granularity, protocol spectrum, and global coverage.

6. Dataset Limitations and Sources of Bias

Several factors constrain the generalizability and interpretation of MURHCAD:

  • Scheduled VM restarts: Maintenance operations induce temporal gaps; these should be represented as missing intervals, not periods of zero attack.
  • Honeypot platform bias: Each system preferentially attracts specific attack vectors (SentryPeer→SIP, Cowrie→Telnet/SSH, Dionaea→SMB/Malware).
  • Geographical and peering effects: Azure regional routing and local internet exchange topologies affect observed source/destination patterns.
  • Temporal window: With only 72 hours of observation, MURHCAD does not capture long-term or evolving campaigns, in contrast to datasets such as the HoneyTrap corpus (24 days, 60M+ events) (Haikal et al., 6 Dec 2025).

A plausible implication is that operational security policy recommendations derived from MURHCAD should be corroborated with longer-term and cross-platform telemetry.

MURHCAD is distributed with an open directory structure, code, and infrastructure-as-code templates:

  • Root directory includes: README.md (overview, usage), requirements.txt (Python dependencies), preprocessing notebook (DataPreprocessingNotebook.ipynb).
  • /RawData: Raw JSON event batches.
  • /PreprocessedData: HoneyNetEvents_Clean.csv (clean, enriched, one-row-per-event aggregate).

All code and supporting templates are MIT-licensed (Zenodo DOI: 10.5281/zenodo.15716735), with a stepwise cloud deployment tutorial (Zenodo DOI: 10.5281/zenodo.15716265). The accompanying Jupyter notebook fully parses, enriches, and exports the data with no undocumented steps, ensuring transparency and repeatability.

Compared to the HoneyTrap framework-based MURHCAD variant (Haikal et al., 6 Dec 2025), which adopted Dockerized multi-cloud deployment, pseudonymized IP storage, and Parquet-based analytics at larger scale, the Azure-based MURHCAD emphasizes enriched cyberattack event visibility, temporal labeling, and protocol/ASN context within a smaller, tightly bounded high-resolution window.

References

Definition Search Book Streamline Icon: https://streamlinehq.com
References (2)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Multi-Regional Cloud Honeynet Dataset (MURHCAD).