Cognitive Deception Infrastructure
From Theoretical Specification to Deployable Asset
Chronos is a high-fidelity honeypot framework designed to solve the "state hallucination" problem in cyber deception. Unlike traditional honeypots that emulate services via scripts, Chronos implements a fully consistent FUSE Filesystem backed by a Redis State Hypervisor, allowing it to behave exactly like a real Linux system while intercepting and analyzing every attacker interaction.
- State Consistency: A "State Hypervisor" ensures filesystem operations are atomic and persistent. If an attacker creates a file, it stays there. No more disappearing artifacts.
- FUSE Interface: Intercepts system calls at the kernel-user boundary. Supports standard tools (
ls,cat,rm,vi,gcc) without modification. - Cognitive Intelligence: Integrated Persona Engine generates content for files on-the-fly using LLMs (OpenAI/Anthropic) only when accessed, creating an infinite, realistic depth.
- Multi-Protocol Gateway: SSH and HTTP honeypot servers that capture credentials and exploitation attempts.
- Real-Time Analysis: Command analyzer detects attack techniques using MITRE ATT&CK framework patterns.
- Threat Intelligence: Built-in library of known attack signatures and threat patterns.
- Skill Profiling: Automatically classifies attacker skill level from script kiddie to expert APT.
- Audit Streaming: Real-time event processing and pattern detection across attack sessions.
- Layer 0 Routing: High-performance Rust-based traffic analysis for initial threat tagging.
- Forensic Logging: Complete audit trail in PostgreSQL for incident response and threat hunting.
Chronos implements a layered architecture:
-
Gateway Layer (Entry Points):
- SSH Honeypot: Accepts any credentials, provides interactive shell on port 2222
- HTTP Honeypot: Simulates vulnerable web apps, captures exploits on port 8080
- All entry points log to the audit system for analysis
-
Core Layer (State & Logic):
- State Hypervisor: Ensures filesystem consistency via Redis atomic operations
- FUSE Interface: Intercepts kernel VFS calls, translates to database operations
- Hot State: Redis 7.0 for sub-millisecond metadata access
- Cold Storage: PostgreSQL 15 for forensic audit logs
-
Intelligence Layer (Cognitive):
- Persona Engine: Injects realistic personality into generated content
- LLM Integration: OpenAI/Anthropic/Mock providers for lazy content generation
- Generates files on first access, persists forever (consistency guarantee)
-
Analysis Layer (Skills & Watcher):
- Command Analyzer: Detects 50+ attack techniques (MITRE ATT&CK)
- Threat Library: Database of known attack signatures and IOCs
- Skill Detector: Profiles attacker from script kiddie → expert APT
- Event Processor: Real-time pattern detection and correlation
- Audit Streamer: Pub-sub event streaming for external SIEM integration
-
Layer 0 (Rust Performance):
- High-speed protocol classification and noise filtering
- Circuit breakers and adaptive degradation under load
- Direct integration with Python via PyO3
- Docker & Docker Compose
- (Optional) OpenAI/Anthropic API Key for intelligence features
-
Clone & Build:
git clone https://github.com/Rizzy1857/Apate.git chronos cd chronos docker compose up --build -d -
Verify Status:
docker compose logs -f core-engine
-
Interact (Simulate Attack): Enter the container to experience the FUSE filesystem:
docker exec -it chronos_core /bin/bash cd /mnt/honeypot
Run verification tests to confirm all components:
# Run all verification phases
make verify
# Or individually
python3 verify_phase1.py # Core: State & FUSE
python3 verify_phase2.py # Persistence & Lua
python3 verify_phase3.py # Intelligence & Persona
python3 verify_phase4.py # Gateway, Watcher, SkillsRun the interactive demo:
# Standalone demo (no infrastructure needed)
python3 demo_standalone.pyThis simulates a complete APT attack session and shows:
- Real-time command analysis
- Threat signature matching
- Attacker skill profiling
- Attack phase detection
- Risk scoring and reporting
| Component | Purpose | Status |
|---|---|---|
| State Hypervisor | Filesystem consistency engine | ✅ Complete |
| FUSE Interface | Kernel VFS interception | ✅ Complete |
| Persona Engine | Content generation AI | ✅ Complete |
| SSH Gateway | Interactive shell honeypot | ✅ Complete |
| HTTP Gateway | Web app honeypot | ✅ Complete |
| Command Analyzer | Attack technique detection | ✅ Complete |
| Threat Library | Signature database (12 threats) | ✅ Complete |
| Skill Detector | Attacker profiling | ✅ Complete |
| Event Processor | Pattern correlation | ✅ Complete |
| Audit Streamer | Real-time event streaming | ✅ Complete |
| Layer 0 (Rust) | Traffic analysis | ✅ Complete |
- System Architecture - Deep dive into technical design
- Developer Onboarding - Get started contributing
Environment variables in docker-compose.yml:
| Variable | Description | Default |
|---|---|---|
REDIS_HOST |
Hostname of Redis service | redis-store |
POSTGRES_HOST |
Hostname of Postgres service | db-store |
LLM_PROVIDER |
openai, anthropic, or mock |
mock |
OPENAI_API_KEY |
Key for OpenAI (if used) | - |
- System Architecture
- Developer Guide (Coming Soon)
MIT License. See LICENSE for details.