Inspiration
Traditional reactive security measures often fail to provide deep visibility into attacker behavior beyond simply dropping unauthorized packets. We were inspired to move toward a "Deception-First" defense strategy. Our goal was to transform the high-performance Raspberry Pi 5 platform into a sophisticated threat intelligence node that doesn't just block attacks but actively studies them in a controlled, sandboxed environment.
What it does
Ghost-Net is a high-interaction, containerized deception system. It lures unauthorized actors into a sandboxed Cowrie SSH honeypot, capturing their terminal commands, exploited credentials, and malware payloads without exposing the host operating system. The system uses a custom ELK Stack (Elasticsearch, Logstash, Kibana) pipeline to perform real-time data enrichment, transforming static IP addresses into geospatial intelligence visualized on a centralized dashboard. Additionally, an automated Intrusion Prevention System (IPS) dynamically blocks persistent brute-force actors, while a Telegram-based Watchdog provides the Lead Architect with instantaneous health telemetry.
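The automated IPS described above, as an added example written for this write-up rather than Ghost-Net's own code: it reads Cowrie's JSON event log, flags a source IP once it exceeds a number of failed logins inside a sliding time window, and builds the nftables commands that would add it to a blocklist set. The field names (eventid, src_ip, timestamp) are Cowrie's; the threshold, window, set name and sample events are assumptions constructed for the example.

```python
"""Sliding-window brute-force detector over Cowrie JSON log lines (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failed logins before an IP is flagged (assumed policy)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed policy)


def parse_ts(ts: str) -> datetime:
    # Cowrie timestamps look like 2024-05-01T12:00:00.123456Z; ignore sub-seconds and zone
    return datetime.strptime(ts[:19], "%Y-%m-%dT%H:%M:%S")


def flag_brute_forcers(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return the set of src_ip values with >= threshold failures inside any window.
    Events for one IP are expected in time order (Cowrie appends chronologically);
    malformed lines and non-failure events are skipped."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still in the window
    flagged = set()
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") != "cowrie.login.failed":
            continue
        ip, ts = ev["src_ip"], parse_ts(ev["timestamp"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # evict failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return flagged


def nft_block_cmds(ips, set_name="ghostnet_block"):
    """Build nft commands adding each IP to a pre-created set (assumed table/set names)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(ips)]


def _ev(eventid, ip, minute):
    # Constructed Cowrie-style event; all sample IPs are documentation ranges (RFC 5737)
    return json.dumps({"eventid": eventid, "src_ip": ip, "username": "root",
                       "password": "x", "timestamp": f"2024-05-01T12:{minute:02d}:00.000000Z"})


SAMPLE_LOG = (
    [_ev("cowrie.login.failed", "203.0.113.5", m) for m in range(6)]            # 6 fails in 5 min
    + [_ev("cowrie.login.failed", "198.51.100.7", m) for m in (1, 3)]           # only 2 fails
    + [_ev("cowrie.login.failed", "192.0.2.9", m) for m in (0, 15, 30, 45, 59)]  # 5 fails, spread out
    + [_ev("cowrie.login.success", "198.51.100.7", 4), "not json"]              # ignored lines
)

if __name__ == "__main__":
    print("\n".join(nft_block_cmds(flag_brute_forcers(SAMPLE_LOG))))
```

Only the first IP is flagged at the default policy: the third one has five failures but never five inside one ten-minute window.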
How we built it
We architected the system on Ubuntu 24.04 LTS running on a Raspberry Pi 5 (16GB RAM). To handle high-speed log indexing, we integrated an M.2 SSD (457GB) via a PCIe HAT to mitigate standard SD-card I/O bottlenecks. We utilized Docker Compose for microservices isolation, deploying four core containers: Elasticsearch, Logstash, Kibana, and Cowrie. Our custom Logstash ETL pipeline performs real-time lookups against a MaxMind GeoIP database to map attack vectors globally. All administrative traffic is explicitly isolated through a private Tailscale Mesh VPN tunnel.
Challenges we ran into
The most significant hurdle was "The Memory Wall." Running a full enterprise-grade ELK stack on a single-board computer is highly resource-intensive. We encountered high memory pressure that initially led to service failures. We resolved this by applying aggressive resource caps to individual Docker containers and offloading data indexing to high-speed NVMe storage to ensure 24/7 operational stability.
Accomplishments that we're proud of
- Zero-Host Compromise: Maintaining total isolation between malicious actors and the physical hardware using Docker sandboxing.
- Geospatial Intelligence: Successfully building a real-time data pipeline that maps global brute-force clusters to specific cities and countries.
- High-Fidelity Deception: Customizing the HoneyFS filesystem to mimic sensitive financial records, significantly increasing "stickiness" for attackers.
What we learned
We gained deep technical experience in container orchestration, log normalization, and real-time ETL processes. We also learned the critical importance of hardware-level optimization when deploying high-interaction security tools at the network edge.
What's next for Ghost-Net: Containerized Threat Intelligence System
Our next phase focuses on Multi-Vector Deception, specifically adding Web-Decoy modules to capture SQL injection and HTTP exploits. We also plan to integrate machine learning models to classify attacker sophistication levels based on captured command-line behaviors.
Built With
- bash
- cybersecurity
- docker
- elasticsearch
- geoip
- honeypot
- kibana
- logstash
- python
- raspberry-pi-5
- threat-intelligence
- ubuntu
- vpn