Deep reinforcement learning for building honeypots against runtime DoS attack

Honeypot is a network environment utilized to protect proper network sources from attacks. Honeypot makes an environment that attracts the attacker to pay their operations to steal sources. Denial of Service (DoS) attacks are efficiently noticed using the proposed honeypot method. The issues of the previous technique are that the DoS attack is a malicious act with the goal of interrupting the access to a computer network. The result of the DoS attack can cause the computers on the network to squander their resources to serve illegitimate requests that result in a disruption of the network's services to legitimate users. To overcome these challenges this method is proposed. In this manuscript, the Deep Adaptive Reinforcement Learning for Honeypots (DARLH) is proposed. Here, honeypot environment, the proposed DARLHs system implements Deep Adaptive Reinforcement Learning (DARL) with Intrusion Detection System (IDS) agents and Deep Recurrent Neural Network (DRNN) with IDS agent for observing multiruntime DoS attack. In the next level, the system creates DRNN and DARL IDS agent integration modules for effective runtime attack detections. The Knowledge Data Discovery data set pattern, UNSW‐NB20, and Bot‐IoT data sets are used to the scenario of DoS attack. The method is executed in Python 3.7. The experimental outcomes are likened through different existing methods, such as Game and Naïve‐Bayes Honeypot, Block Chain Honeypot, and Recurrent Neural Network‐based Signature Generation and Detection. The proposed method is compared with External DoS Attack, Internal DoS attack, Brute‐force attack, DoS attack, Web attack, and Botnet attacks with the existing methods. From the comparison, the proposed method offers 5%–10% better outcomes than another existing method. Lastly, the test results determine that the proposed method performance is most efficient with another existing system.

sufficient level of trained data set provide additional intelligence to honeypot systems. This improves the detection rate of attacks. The honeypot network will affect the problem, such as influence of disturbances, modeling errors, and various uncertainties in the real systems which will decrease the robustness of the system and reduce the security due to various attacks entering into the system. The attacks that are deception attacks, DoS attacks, and false information injection attacks are the frequently happened phenomena done with honeypot networks. These attacks must consider adequately through system analysis/synthesis to prevent involuntary behaviors (e.g., degradation, divergence, and instability). In addition, in practical applications (real systems), several factors can cause uneven changes in communication networks topology, for example, communication link instability among filters, obstacle blocking, network-induced factors, and adding new nodes due to application supplies. In recent years, various attainments have been made on problem. [14][15][16][17][18][19] Some of the papers are explained below to improve the robustness of the Honeypot network and to enhance the security.
Impulsive reaction-diffusion neural networks (NN) input-to-state stability through infinite dispersed delay utilizing an impulsive stochastic fuzzy class delayed Cohen-Grossberg neural networks (C-GNNs) with distributed infinite transmission delay. Through Razumikh in method as well as difference disparity, some sufficient conditions ensuring the mean-square exponential input-to-state stability of consider C-GNN is attained. These methods provide less security in forensic applications. 13 In Nonlinear Dynamics a robust PD-type of learning control for unique systems through multi delays is subject to poly topic uncertain as well as limited frequency-domain. The multiscale hybrid nanocomposite (MHC) disk (MHCD) is examined inactive on an elastic base subject to nonlinear temperature gradient as well as the mechanical load for nonlinear frequency analysis. This method is limited due to hackers entered into the system and authentication is enabling, allowing a remote attacker to control the user accounts existence. The limitation of this method is that it only secures a limited attack, 14 Multidimensional Systems and Signal processing. In this manuscript, new processor algebra depends on techniques for test the n − D discrete linear systems structural stability (with n ≥ 2). This method has the limitation due to highly expensive and less security, 15 Fuzzy Fault Detection for Markov Jump Systems through Partly Accessible Hidden Information. This study explores the error detection of asynchronous filtering for homogeneous Markov jump systems through discrete-time piecewise. By resort to a double hidden Markov system, an asynchronous fault detection filter is provided that can follow system methods. This method has a limitation of less security. 16 The event-triggered tracking regulator second-order error multi agent systems in system non-linearity considered is examined through using dispersed sliding-mode control (SMC) approach. The event-triggered tracking regulator second-order error multiagent system in system nonlinearity considered is examined through using dispersed sliding-mode control (SMC) approach. An eventtriggered strategy is to reduce the frequency of the controller model and store network communication resources; the trigger state is established with the following multiple agent system for a leader. This method has a limitation of the more attacks involved in the system and this method does not provide security against attacks, 17 Adaptive Optimization Algorithm for Nonlinear Markov Jump Systems through Partial Unknown Dynamics. In this manuscript, an online adaptive optimal control error of a continuous-time class Markov jump linear system (MJLS) is examined by utilizing a parallel reinforcement learning (RL) algorithm by completely unknown dynamics. Before collect as well as learned information from subsystems of states with inputs, the exploration sound is first added to define the actual control input. 18 This manuscript explores the global control error for a nonlinear system class thru output feedback. The system nonlinearity unknown growth rate meets the homogeneous growth state. First, a homogeneous observer is built to assess the system position. In a power integrator method, a new dynamic output feedback controller is built to solve the problem of adaptive output control for the system (1) subject to a homogeneous growth state through an unknown growth rate. This method does not provide security against Brute-force attacks. 19 The problem of the previous technique is that DoS attack, Brute-force attacks, and Brute-force dictionary attacks received access to the system, but did not carry out any activates after they succeeded. More probably it has been performed through automatic tools. Attackers carry out activates after they succeeded in break into the system. Further probably step has achieved through human. These attacks are malicious and interrupt the access to a computer network. The result of DoS attack can cause the computers on the network to squander their resources to serve illegitimate requests that result in a disruption of the network's services to legitimate users. With a sophisticated DoS attack, it becomes difficult to distinguish malicious requests from legitimate requests. Since a network layer DoS attack can cause interruptions to a network while causing collateral damage, it is vital to understand the measures to militate against such attacks.
The proposed Deep Adaptive Reinforcement Learning for Honeypot (DARLH) system contributes to protected honeypot implementation against DoS attacks. This DARLH system monitors both internal and external attacks using multilevel deep learning (DL) techniques. It uses protected poison distribution for an event management system. In addition, it extends the contribution of implement, event distribution and supervision practices, and DARLHs models (Level-1 and Level-2) creation. In Level-1, the proposed DARLHs system creates secure deep RL networks for monitoring both events and clients. In the next level, the system creates Deep Recurrent Neural Network (DRNN) and Deep Adaptive Reinforcement Learning (DARL) IDS agents integration modules for effective runtime attack detections. The Knowledge Data Discovery (KDD) data set pattern is used to DoS attack scenario.
The main contributions are given below: • The remaining section of this manuscript is designed as follows: Section 2 delineates the related works and their motivation. Section 3 illustrates the proposed DARLHs system. Section 4 demonstrates the experimental results and discussion. Finally, Section 5 concludes the manuscript.

| RELATED WORKS
Honeypot implementation and security provisioning play a key role in any enterprise network systems. Even though many attack detection procedures emerge around the world, the DL-based honeypot implementation is really needful to construct dynamic NIDS agents. Attacks can inflict a variety of attacks that can be detrimental to network performance. Attackers are those who steal or harm the resources. The attacks, like, DoS, Spoofing, Wormhole, Black hole, and identity theft, are known as serious attacks in the network world. Among the attacks, DoS is an active attack category which degrades overall network performance.
Many research works contributed to DoS detection procedures and honeypot security schemes. They delivered various designs and implementation setups on detecting DoS in different network natures. Al-Nafjan et al. 6 presented an automated honeypot system for providing security features. Here, focused on automated network administration strategies in honeypot and honeynet are too similar to real systems, making it difficult to detect with a single feature. The system has multiple Local Area Networks (LANs) and resources with several attackers. The attacker events and real-time activities of honeypot unit were monitored by systematic procedures. The presented work performs base-level-automated functions in honeypot scenario without making any ML or DL systems.
Thu 20 established IDS agents and Intrusion Prevention System (IPS) implementations for cloud-based honeypot systems. The system mainly focused on malicious activities and malicious users in the cloud honeypot environment. Moreover, a new type of the honeypot system was implemented which diverts malicious attacks through different isolated paths. However, it was not more active against runtime attacks and it has lack of deep attack analysis techniques. The benefits of the method are 100% detect accuracy for limited attacks in the database. The disadvantage was zero-day and rule out attacks cannot be detected.
Banday and Sheikh 21 suggested captcha and timestamp-based honeypot security techniques. Here, it explored about text-based security provisions for protecting honeypots. Moreover, the data mining and data processing techniques were used to evaluate temporal data features. The advantages of the method are low overhead and computational cost. The disadvantage was little differences in attacks signature can simply bypass IDS agents.
Singh et al. 22 introduced fingerprint evaluation schemes for detecting DoS attacks in networks. Here, fingerprint detection techniques were evaluated using image processing procedures for identifying malicious activities. Both techniques were performing better in attack detection with conventional properties. The advantages of the method are small differences in attacks signature can simply bypass IDS agents. The disadvantage was High False Positive Rate.
Tsiropoulou et al. 23 have presented Mitigation of Interference Imposed through Intruders in networks. Here, a distributed iterative and low-complexity algorithm was presented. The advantages of the method are IDS agents' detection accuracy improves with time. The drawback was that detection was affected in the factors presence, such as low transfer power, collision, partial packet drop, false misbehavior, ambiguous collision, and so forth.
Vamvakas et al. 24 have presented a novel resource management framework to confirm efficient, wireless network smooth operation, supported through an unmanned aerial vehicle VELUCHAMY AND KATHAVARAYAN | 3985 (UAV), operational below nonorthogonal multiple access (NOMA) process, normal with malicious risk-awareness users. The advantages of this method are the 100% detection of high DR. The disadvantage was it consumes more energy.
Shrivastava and Hota 25 and Shi et al. 26 have introduced DoS attacks honeypot systems. Initially, the game theory and Naïve-Bayes techniques were used for detecting DoS attacks at runtime. Then the system used ML logics in finding DoS using training sets. It used basic ML techniques, not DL approaches. The block chain-based DoS attack detection in honeypot systems was introduced. Here, the technique was executed in distributed network environments. The introduced method shows effective performance in terms of security. But, the technique was not suitable for more active or centralized systems. The advantages of the method are capable of detecting known and unknown attacks. The disadvantage was the High Computational Cost.
Kaur and Singh 27 suggested a DRNN-based signature generation procedure to find attacks in honeypots. As DRNN was an effective Deep Neural Network (DNN), it creates more complex signatures for all events raised in honeypots. At the same time, this study implemented DRNN for signature generation procedures only. Here, DRNN could be extended for monitoring the events and attacks. Several techniques provided well-defined ML and DL-based attack detection procedures in honeypot systems. Yet they assumed the internal events were legitimate. This leads to internal honeypots. Particularly, internal DoS attacks were complicated to be identified and isolated. The method that benefits the database contains 100% detection accuracy of defined attacks. Disadvantage zero-day and rule cannot be detected outside of attacks.
Khan et al. 28 established multilevel botnet detection techniques using ML classifiers, such as Naïve Bayes, SVM, and Self-Organizing Maps. Here, the network domains, web events, and the conversations of network elements were evaluated. The advantages of this method are detecting capable dual zero-day, known attacks. The disadvantage was a defect that adds an additional module to the detection structure, which may lead to an additional delay in its improper hiring, a lower detection. Srihari Rao et al. 29 and Sharma and Kaul 30 have presented various security techniques and DoS types. Here, vast network principles, attack problems, and cybercrimes in cloud-based systems were delivered. In addition, both works provide useful information about attack nature and motives at various vulnerable points of the network. The information gathered from these works was really useful for designing the proposed system. The advantages of the method are high DR. The disadvantage was that degrades the increase in high mobility of efficiency and performance.
Huang and Huang 31 designed the system using RL-based IDS agents. The system presents adaptive honeypot principles using RL and mark-over process structures. It gives a more costeffective honeypot management system in terms of Quality of Service (QoS). However, the system dealt with QoS factors not with security credentials. At the same time, the designed system used the ML approach, not DL methodologies. The advantages of the method are low to no cost of maintenance as IDS agents learn, train itself utilizing network behavior, and network profiles created. The disadvantage was the high overhead and computational cost.
Kotey et al. 32 clarified various attack schemes and procedures that affect network resources. The method benefits the database that contains 100% detection accuracy of defined attacks. The disadvantage was zero-day and the rule attacks could not be detected out. From the vast analysis of related research work, the proposed system finds the lack of DL adaptations in runtime DoS detection. The proposed system solves the issues and complexities in the DL-based honeypot security system.

| Motivation of the research work
The existing techniques provide optimal support to honeypot, they lack complex activity validations. An intelligent attacker can perform some decent cryptanalysis techniques and compromised activities at the exposed point. These ML-based honeypots are not monitoring the changes inside the network. This is taken as a research problem which motivates the proposed system to develop deep RL engines to build bidirectional honeypots. Therefore, the RL enabled bidirectional honeypots monitor both internal and external attackers. In this regard, these honeypot systems are implemented in Virtual Local Area Network (VLAN) which seems to be a directly connected physical LAN. It provides all types of data that look like legitimate to both internal and external users. By this trap, the proposed honeypots protect the strong security layer between the data and the attackers.

| DEEP ADAPTIVE REINFORCEMENT LEARNING FOR HONEYPOTS SYSTEM
The proposed DARLH system is designed and executed to observe both internal and external attackers. This attacker may inject a DoS attack into any system deployed in a honeypot environment. This environment has one or more monitoring resources (Servers and Clients), which are enabled with active IDS agents. The IDS agent is running inside the monitoring resources to scrutinize each and every network activity (traffics). On the basis of the network condition or screen resolution, the client decides which media segment should be downloaded. The signaling data of DASH are characterized as content-level information, period-level information, adaptation information, and mapping information. Due to heterogeneous nature of the mobile network and the unpredictable channel with optimization in terms of resource and technology are useful. The proposed DARLHs contain the following technical aspects for building more reactive honeypots. The secure honeypot traffic model helps distribute the events from the server to parallel clients. Clients monitor the events and send reports to the server. The server supervising model is used to monitor the client's activities. DARLH Level-1 and DARLH Level-2 models are implemented for carrying DoS attack detection activities using DARL and Deep Recurrent Neural NIDS agents. To analyze the complexity of the network, first makes the followed definitions. Let Nfb denotes the count of frequent traffic found, Nd denotes the total count of dimensions, and Nd fb ( ) denotes the total count of dimensions. In other words, if there are n dimensions in feature space then frequent baskets are founded in m dimensions, then Nd fb m ( ) = . Consider Nd ≥ Nd fb ( ). Here, µ as the average number of frequent traffic, so μ NfbNd fb = ( ) and µ ≥ 1.

| Secure honeypot traffic distribution model
The proposed honeypot traffic model is implemented for building traffic collection methodology. Honeypot environment contains a database, database server, communication devices VELUCHAMY AND KATHAVARAYAN | 3987 (switches and routers), and monitoring nodes. The monitoring nodes are the collection of servers and client machines. Client monitoring machines run their IDS agents unit to monitor the activities injected from any side of the network. The IDS has been equipped with the proposed procedures. The attacker database is attached with each client machine independently to make attacker identification. The reports and alert messages are delivered from client machines to servers. The monitoring servers evaluate the reports delivered from various monitoring nodes. The servers in the honeypot are implemented with supervised IDS agents. This agent monitors the activities of client machines and the attack reports. In addition, the network traffic is injected into honeypot queues. 33,34 Then, the server distributes the network traffics among the clients connected to it. The honeypot traffic model follows the authentic poison distribution model and the protected queuing model. Definition 1. In Honeypot, H (P) contains n similar-monitoring servers and m client machines. In this system, n server collects the network events at the rate T e and R μ generates the attack reports at the rate U i . At time τ, the monitoring resources of the honeypot are utilized by the events at the rate U i . As the client machines are connected to servers, U i implies the aggregated utilization rate. Equations (1) and (2) illustrate traffic models and utilization factors, respectively.
where U i -honeypot utilization factor, T e -average traffic rate at honeypot event queues, R μ -average response rate of each server, n-total number of monitoring servers, S i -utilization factor of honeypot server, C i -utilization factor of honeypot client machines, Equation (3) denotes the individual utilization rate of honeypot clients. In each client machine, traffic queues are available to get the network events continuously. There are two types of events queues implemented inside each machine. This queue setup is common to servers and client machines. The types of queues are given below, • Internal Traffic Queues, • External Traffic Queues.
In each server traffic-queue (internal or external), eXn traffic events wait for server response. At the same time, server distributes the traffic events to the client machines. In each client traffic-queue (internal or external), e Xm i i traffic events wait for the completion of monitoring process, m i denotes the client machine identifiers. e i denotes the distributed network events to each client machine in honeypot.
In this case, e SE E let take on Q Q and e e I E , the number of internal and external traffic queues in each client machine, respectively. The number of internal and external traffic queues in each monitoring server indicates Q Q and SI SE , respectively. Now, the honeypot traffic arrival and distribution models are given in Equation (4). The honeypot poison model is determined as follows: where l-total number of traffic event arrivals, b-event behavior factor. The poison model used for honeypot traffic distribution uses secure procedures which are incorporated in IDS agent modules. Algorithm 1 describes the credentials-based poison distribution. In this technique, the events and the sources are validated before the event distribution. This kind of validation is completed at honeypot monitoring servers.
In this honeypot circumstance, the servers and clients maintain multiple parallel queues. The queuing processes are defined by the honeypot multisystem queuing model, M/M/ n, n τ > e . This is determined for all the finite number of internal and external traffic events. Therefore, the queuing model becomes,  M M n l / / / / with the rate of eXn ( ) at servers. At the same time, this rate is determined the clients as e i Xm i . The honeypot traffic distribution model is used to distribute the internal and external events into honeypot servers and clients, respectively. Section 3.2 describes about the server distribution and supervising model.  queue as e i . Honeypot servers validate m i client credentials before the event distribution process. Algorithm 2 denotes server distribution and supervising model procedures.
The secret shared key communication between the clients and servers is enabled using shared secret key S K .

Begin
Step 1: Get internal and external events, e I and e E at Q SI and Q SE , respectively Step 2: Check for client monitoring requests, ReQ C T S C C ( , , , , ) Step 5: Client gives response to server with Q A status Step 6: Call H P based on Q A status Step 7: Complete the event distribution That is, Q SI to Q eI and Q SE to Q eE Step 8: Enable Client Supervision Mode (CSM) Step 9: Request the clients to put them in Promiscuous Mode (PRM) End The CSM helps the servers to monitor their associated clients when the clients put themselves in open promiscuous mode for appropriate servers. Servers are attached with the main attacker database (DoS) and the client activity control system. The client activity control system validates each and every action of client machines based on preconfigured rules (rule-based classification). This helps identify and supervise the legitimate activities of client machines. In addition, the server keep master DoS database (KDD Data set) in the safe zone for supervising fault DRs.

| Honeypots with DARLHs Level-1 model
DARLHs functions are implemented using DARL techniques. DARL approaches are designed with the help of event-based reward functions as portrayed in Figure 1. Figure 1 demonstrates the DARL-based IDS agents execute actions against DoS attacks injected in honeypot environment. The environment provides rewards (positive or negative) for each action taken by IDS agents. On the basis of the statewise rewards provided to IDS agent, it trains itself to handle next action against DoS. In this figure both internal and external attackers inject DoS attacks into honeypot environment. 35 Figure 2 shows the Specific Event Distribution and Client Control Model The servers located in the monitoring section of honeypot distribute the events to clients as described in Algorithms 1 and 2. In case, the attack is effectively detected, the environment generates positive reward to DARL IDS agent. Otherwise, it generates negative notifications. Algorithm 3 gives DARLHs Level-1 functions and DARL agent activities in honeypot environment. In the environment, DoS monitoring system, data resources, and other devices are deployed.
Step 6: Call procedure DoS (Data items_KDD) for all e I and e E on various states Step Step 10: Create internal and external alert reports, Report IA and Report EA for all m i Step 11: Deliver, Report IA and Report EA to servers Step 12: Server generates rewards to each action at different states and sends to clients Step 13: Clients' RL Intrusion Detection System agent receives reward, R S .
Step 14: Train the RL Intrusion Detection System agent function depend on received R S End VELUCHAMY AND KATHAVARAYAN Figure 3 shows the DARLH Level-2 Model. The DARLH agent runs in each client machine. This agent follows deep RL structure that contains multiple layers of hidden layers and complex event analysis functions to detect DoS. In addition, the DoS detection results are forwarded to supervisor server units deployed in honeypot environment. Particularly, these deep IDS agents follow the Markov process for finding sequential observations. In this proposed system, the deep Q values are used to specify each event's particulars. At the same time, the events are predicted using current Q values of events, which are shown in Equation (10).
here EC S a ( , ) Equations (11) and (12) describe reward functions and the action taken after getting a server-side reward, ω specifies the reward variation factor. In Equation (12), Q e ( ) O is event action on reward and σ is an action bias.
The DARL IDS agent functions are effectively utilizing the server reward function and event attributes for finding DoS patterns. At the same time, this DARL has well-trained DNN and deep Q values. However, the DARLHs Level-1 model uses only DARL IDS agent against dynamic DoS attacks. This leads a technical problem for more dynamic events. To solve this issue, the proposed method implements the DARLH Level-2 mechanism.

| Honeypots with DARLH Level-2 models
DARLH Level-2 mechanism helps integrate both DRNN and DARL-based IDS agents to monitor DoS attacks in honeypot. The dual DNNs are connected in a pipeline manner to accomplish more accurate detections. In this case, both networks are feedback structured networks. These dual DNNs are implemented with IDS agent of the honeypot system. Figure 4 depicts the DNNs connectivity of DARLHs Level-2 Model. Though DARL supports for dynamic arrival of network event, it lacks at more uncertain conditions. To solve this problem DRNN is required against real-time uncertainties.
Algorithm 4 illustrates DRNN and DARL combinations for detecting DoS attacks in honeypot. Here, DRNN is a Level-1 DNN and DARL is a Level-2 DNN. DRNN generates the decisions on DoS using KDD training sets and the rule-based classifications. The events and Algorithm 4 describes the steps involved in DRNN and DARL networks to detect DoS attack detection. The proposed honeypot environment creates more complex DL techniques for enquiring both internal and external DoS attacks. In this regard, it deals with separate event queues in client and server units. In the proposed DARLHs system, client machines are monitoring DoS events on both sides parallel. The event distribution and reward management functions are controlled by server units. This is a completely protected environment against DoS attacks. Section 4 describes implementation details and results produced for evaluating the performance of the proposed system.

Equations (6) and (7)
Step 2: Call procedure DoS (Data items_KDD) for all e I and e E on various states ( ) )==KDD DoS ) Then set action as "Alert" Else action as "Allow" Step 5: Collect and store RNN observations as Level-1 events Step 6: Call DARLH Level-1 procedures (Algorithm 3) End

| EXPERIMENTAL SETUP AND RESULTS
An intelligent attacker can execute several decent cryptanalysis techniques and compromised activities. The changes inside the network may not be monitored by these ML-based honeypots. The proposed system contributes to protected honeypot implementation against attacks of DoS. The proposed DARLH system is executed with 10 server units and a generic database. Each server in the honeypot controls 25 client machines. The proposed DARL and DRNN IDS agents are implemented in servers and clients. At the same time, the event distribution model and client control principles are deployed in servers only. For detecting DoS attacks, the IDS agents run rule-based classification procedures and signature mapping techniques. In this environment, the KDD' 99, UNSW-NB20, and Bot-IoT data sets are deployed at server points and client points. Server points have the main data set but client machines have training data sets and test data sets.

| Key parameter
Selecting maximum suitable parameters for the model is the model training necessary part. The random forest algorithm that determines the accuracy of model classification has two main parameters. They are n estimators " -" and max depth " -". Here, n estimators " -" is the count of DRNN as well as max depth " -" is the maximal permissible depth of every iteration. If n estimators " -" is too big, outcomes possibly over fitting. However, if n estimators " -" is too small, outcomes possibly under fitting. So, an n estimators " -" suitable value for the predicted final model classification accuracy is important. {100, 120, 200, and 300} is ready for n estimators " -", {96.2 to 100} ready for max depth " -". It tested these two collections separately to choose the most suitable value for these two parameters. Table 1 shows the simulation parameter. By using Weka 3.0 and Python 3.7 tools, this experiment is generated. From three data sets, unwanted data are removed the missing data from original data set. To implement the proposed DARLHs technique Python 3.7 is used. The performance of the proposed system is evaluated using metrics, such as DR, FAR, true negative rate (TNR), and ACC. This is evaluated for both internal and external DoS attacks. Then the results are compared with the existing schemes, like, GNBH, BCH, and RNSG.
GNBH technique uses game-theoretical schemes and Naïve-Bayes schemes for detecting DoS attacks in honeypot systems. From the overall events this technique classifies and isolates DoS. Here, the ML techniques are used to delivered significant outcomes Out. Moreover, the techniques are conventional tactics against runtime attacks, like, DoS. In the same manner, BCH is used to construct a secure and distributed honeypot system. To provide authentic transaction in community networks block chain technology is used. The complicated cryptography techniques are used to protect the data and also building protected honeypot systems. This method does not evaluate attack scenarios in the experimental setup. However, this system evaluated security aspects in the performance evaluation.
RNSG is a DL-based signature generation system to protect the network against attacks. A complicated signature pair provides more security in network transactions. The signature credentials are created using DRNN structures for detecting intrusions. This system utilized signature-based pattern recognition techniques for intrusion detection, also implemented signature generation and pattern recognition techniques using DRNN. This is an effective technique for detecting intrusion detection. But, it has limitations related to runtime dynamics, such as traffic variations and parallel monitoring complications.

| Data set description
In this method three types of data set are organized at server points and client's points. Server points have the main dataset but client machines have training datasets and test datasets. for example, KDD data set, UNSW-NB20, and Bot-IoT data sets.

| KDD' 99 data set
The KDD' 99 data set is created by Cyber Range Lab of Australian Centre for Cyber Security (ACCS). 36 A partition of the full data set is provided, separated into a training set, a test set. For training 125,920 records are taken and 22,342 records for testing with a total of 148,262 records. The number of features is 43 with the class label. Different attacks that are present in KDD' 99 are shown in Table 2.

| UNSW-NB20 data set
This data set is created by Cyber Range Lab of ACCS. 37 It represents new modern normal activities containing contemporary attacks. A full data set partition is provided, separated into a training set, a test set. For training 83,057 records are taken and 20,764 records for testing with a total of 103,821 records. The number of features is 43 with the class label. There are 10 categories in total, one for normal class representing no attacks and nine attacks: shellcode, backdoor, exploits, worms, reconnaissance, generic, analysis, DoS, and fuzzers. This data set is more complex than KDD' 99 because it contains features where the attacks and normal classes have similar behaviors. Different attacks that are present in UNSW-NB20 are shown in Table 3.

| Bot-IoT data set
The Bot-IoT data set is introduced by Cyber Range Lab of Centre of UNSW Canberra Cyber. 38 The main characteristic of this data set is that it represents a realistic network environment with more attacks and network traffic in a realistic setting with its respective labels. The data set has normal IoT-related as well as other network traffic, with several categories of attack traffic commonly utilized through botnets. The attack categories in the data set include Key logging, Data exfiltration, DDoS, DoS, OS, and Service Scan. The dataset has 4 components: network platforms, simulated IoT services, extracting features and forensics analytics. For training 1,149,388 records are taken and 639,205 records for testing with a total of 1,788,593 records. Different attacks that are present in Bot-IoT data set are shown in Table 4.

| Performance metrics
The performance metrics of TNR, DR, FAR, and ACC are required for true and wrong classification.

| Performance comparison of various data sets
The performance metrics are DR, FAR, TNR, and ACC of various data sets are given below: (a) KDD' 99 data set Tables 5 and 6 show the ACC, FAR, DR, TNR of various methods. Table 5 shows the ACC and FAR of UNSW-NB20 Data set. In this the proposed method shows high accuracy while comparing to other methods, such as GNBH, BCH, and RNSG. In Brute-force attack the accuracy of the proposed DARLH is 76.11%, 73.11%, and 74.11% higher than that of the existing methods. In DoS attack the accuracy of the proposed DARLH is 86.11%, 73.11%, and 64.11% higher than that of the existing methods. In Web attack the accuracy of the proposed DARLH 43.11%, 63.11%, and 56.11% is higher than that of the existing methods In Botnet attack the accuracy of the proposed DARLH is 66.11%, 53.11%, and 84.11% higher than that of the existing methods.
In Brute-force attack the FAR of the proposed DARLH is 6.11%, 3.11%, and 7.11% higher than that of the existing methods. In DoS attack the FAR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods In Web attack the FAR of the proposed DARLH 3.11%, 13.11%, and 15.11% is higher than that of the existing methods In Botnet attack the FAR of the proposed DARLH is 16.11%, 13.11%, and 14.11% higher than that of the existing methods. Table 6 shows the DR and TNR of UNSW-NB20 Data set. In this the proposed method shows high TNR and DR while comparing to other methods. The existing methods, such as GNBH, BCH, and RNSG. In Brute-force attack the TNR of the proposed DARLH is 16.11%, 13.11%, and 9.11% higher than that of the existing methods. In DoS attack the TNR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods In Web attack the TNR of the proposed DARLH 13.11%, 3.11%, and 6.11% is higher than that of the existing methods. In Botnet attack the TNR of the proposed DARLH is 46.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
In Brute-force attack the DR of the proposed DARLH is 6.11%, 3.11%, and 7.11% higher than that of the existing methods. In DoS attack the DR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the DR of the proposed DARLH 3.11%, 13.11%, and 15.11% is higher than that of the existing methods. In Botnet attack the DR of the proposed DARLH is 16.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
(b) UNSW-NB20 Data set Tables 7 and 8 show the ACC, FAR, DR, TNR of various methods. Table 7 shows the accuracy and FAR of UNSW-NB20 Data set. In this the proposed method shows high accuracy while comparing to other methods, such as GNBH, BCH, and RNSG. In Brute-force attack the accuracy of the proposed DARLH is 76.11%, 73.11%, and 74.11% higher than that of the existing methods. In DoS attack the accuracy of the proposed DARLH is 86.11%, 73.11%, and 64.11% higher than that of the existing methods. In Web attack the accuracy of the proposed DARLH 43.11%, 63.11%, and 56.11% is higher than that of the existing methods. In Botnet attack the accuracy of the proposed DARLH is 66.11%, 53.11%, and 84.11% higher than that of the existing methods. In Brute-force attack the FAR of the proposed DARLH is 6.11%, 3.11%, and 7.11% higher than that of the existing methods. In DoS attack the FAR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the FAR of the proposed DARLH 3.11%, 13.11%, and 15.11% is higher than that of the existing methods. In Botnet attack the FAR of the proposed DARLH is 16.11%, 13.11%, and 14.11% higher than that of the existing methods. Table 8 shows the DR and TNR of UNSW-NB20 Data set. In this the proposed method shows high TNR and DR while comparing to other methods. The existing methods such as Game and Naïve Bayes Honey pot (GNBH), Block chain Honey pot (BCH) and RNN based Signature Generation and Detection (RNSG) respectively. In Brute-force attack the TNR of the proposed DARLH is 16.11%, 13.11%, and 9.11% higher than that of the existing methods. In DoS attack the TNR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the TNR of the proposed DARLH 13.11%, 3.11%, and 6.11% is higher than that of the existing methods. In Botnet attack the TNR of the proposed DARLH is 46.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
In Brute-force attack the DR of the proposed DARLH is 6.11%, 3.11%, and 7.11% higher than that of the existing methods. In DoS attack the DR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the DR of the proposed DARLH 3.11%, 13.11%, and 15.11% is higher than that of the existing methods. In Botnet attack the DR of the proposed DARLH is 16.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
(c) Bot-IoT Data set Tables 9 and 10 show the ACC, FAR, DR, TNR of various methods. Table 9 shows the accuracy and FAR of Bot-IoT Data set. In this the proposed method shows high accuracy while comparing to other methods, such as GNBH, BCH, and RNSG. In Brute-force attack the accuracy of the proposed DARLH is 76.11%, 73.11%, and 74.11% higher than that of the existing methods. In DoS attack the accuracy of the proposed DARLH is 86.11%, 73.11%, and 64.11% higher than that of the existing methods. In Web attack the accuracy of the proposed DARLH 43.11%, 63.11%, and 56.11% is higher than that of the existing methods. In Botnet attack the accuracy of the proposed DARLH is 66.11%, 53.11%, and 84.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
In Brute-force attack the FAR of the proposed DARLH is 5.11%, 4.11%, and 3.11% higher than that of the existing methods. In DoS attack the FAR of the proposed DARLH is 7.11%, T A B L E 9 Accuracy and FAR of Bot-IoT data set 6.11%, and 8.11% higher than that of the existing methods. In Web attack the FAR of the proposed DARLH 7.11%, 23.11%, and 14.11% is higher than that of the existing methods. In Botnet attack the FAR of the proposed DARLH is 16.11%, 14.11%, and 15.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG. Table 10 shows the DR and TNR of Bot-IoT Data set. In this the proposed method shows high TNR and DR while comparing to other methods. The existing methods such as Game and Naïve Bayes Honey pot (GNBH), Block chain Honey pot (BCH) and RNN based Signature Generation and Detection (RNSG) respectively. In Brute-force attack the TNR of the proposed DARLH is 16.11%, 13.11%, and 9.11% higher than that of the existing methods. In DoS attack the TNR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the TNR of the proposed DARLH 13.11%, 3.11%, and 6.11% is higher than that of the existing methods. In Botnet attack the TNR of the proposed DARLH is 46.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG.
In Brute-force attack the DR of the proposed DARLH is 6.11%, 3.11%, and 7.11% higher than that of the existing methods. In DoS attack the DR of the proposed DARLH is 8.11%, 7.11%, and 6.11% higher than that of the existing methods. In Web attack the DR of the proposed DARLH 3.11%, 13.11%, and 15.11% is higher than that of the existing methods. In Botnet attack the DR of the proposed DARLH is 16.11%, 13.11%, and 14.11% higher than that of the existing methods, such as GNBH, BCH, and RNSG. Figure 5 illustrates the comparison between the proposed DARLHs and existing techniques. The proposed method is compared with GNBH, BCH, and RNSG. Here, the true positive rate is taken as a measurement against a number of attacks raised in the honeypot. The comparison results show that the DARLHs are more efficient than the other existing systems. As DARLHs maintain a multilevel monitoring system (DARL and DRNN), it effectively detects DoS. The other existing systems use only standard techniques against runtime DoS dynamics. Here, the proposed DARLHs achieve 1.6% better performance compared with other existing methods. In the existing systems, RNSG is the only technique that provides a better true positive rate against the higher rate of attacks. GNBH and BCH are delivering distorted performances against dynamic honeypot traffics. Figure 6 shows the internal and external DoS attacks. The graph represents the external attack is higher than the internal attacks. The external attack is 50% higher than the internal attacks.  Figure 7 shows the honeypot monitoring and utilization rate of server and client. In both server and client the internal utilization rate is lower than the external utilization rate. Here, the system utilization rate of the server is higher than the system utilization rate of the client. Figures 8 and 9 show the details of internal and external DoS detection rates. Here, the number of internal and external DoS attacks increased between 100 and 600. In both cases, the proposed DARLHs system detects the attacks effectively. Since it has individual event management queues, the events of the honeypot are efficiently distributed and monitored. In addition, both internal and external attacks are identified using appropriate authentication schemes. In existing systems, RNSG technique provides a closer performance rate in the proposed system than other systems because RNSG is a kind of DL approach. In overall performance comparisons, the proposed system produces optimal and effective results against runtime attacks in honeypot systems. 39,40 Table 11 displays the execution time of the proposed and existing methods. On clearly observing the table, the execution time of the proposed method is low likened to the other four existing methods.  In this manuscript, the DARLHs system was proposed and implemented for detecting runtime DoS attacks on a honeypot environment. The proposed method is developed by secure event distribution techniques, server-side monitoring techniques, DARL-based Level-1 DoS detection techniques, and DARL and DRNN-based Level-2 DoS detection techniques. These techniques were implemented and compared with the existing techniques, such as GNBH, BCH, and RNSG. The comparison results demonstrate that the proposed DARLHs outperformed other techniques in all aspects against the DoS attack. These DARLHs methods provide better security against the External DoS Attack, Internal DoS attack, Brute-force attack, DoS attack, Web attack, and Botnet attack. Honeypot can be utilized as IDS that repeated some or all server activities, efficiently observer potential attackers, thereby allowing server admins to detect as well as service attacks avoid potential denial to confirm a reliably with continuous service to their proposed users. But it has the limitation in real-time applications, such as multiple attack detection strategies, corruption as well as information disclosure, to gain authority, subversion, and User Datagram Protocol (UDP) flooding. So, that an attacker can move laterally to infiltrate the real production network. To prevent this, future work is suggested.
To improve the security operations, in the future work the security operation is performed by combining honeypots with other techniques. This can be improved in the future for multiple attack detection strategies, corruption as well as information disclosure, to gain authority, subversion, and UDP flooding.