Autonomous Just-In-Time Deception Security System
Sentinel-JIT is a cybersecurity prototype that studies attackers instead of immediately blocking them.
Traditional systems block threats instantly, which prevents defenders from understanding attacker intent. Sentinel-JIT deploys a controlled decoy environment when suspicious activity is detected, allowing the attacker to continue interacting while their behavior is logged and analyzed.
The system then generates structured intelligence reports describing the attacker’s activity and objectives.
The system simulates a modern cyber-defense workflow:
- System monitoring detects suspicious activity.
- A risk scoring engine evaluates the severity of the behavior.
- If the behavior is highly suspicious, a decoy system is launched.
- The suspicious actor is redirected into the decoy.
- The system immediately sends an alert to security personnel.
- The attacker interacts with the decoy system.
- All actions are recorded and analyzed.
- A security intelligence report is generated.
- The decoy environment is destroyed.
This approach prioritizes threat intelligence collection rather than immediate blocking.
| File | Description |
|---|---|
| app.py | Main entry point for the Sentinel-JIT system. |
| risk_engine.py | Calculates risk scores for suspicious events. |
| alert_engine.py | Sends alerts when high-risk activity is detected. |
| ai_analysis.py | AI-based analysis of attacker commands and logs. |
| attack_simulator.py | Simulates attacker behavior for testing. |
| live_sim.py | Runs live interaction between attacker simulation and system. |
| run_demo.py | Demonstrates the full attack detection workflow. |
| run_dashboard.sh | Starts the monitoring dashboard. |
| UNDERSTANDING.md | Documentation explaining system architecture. |
The Streamlit dashboard provides:
- Threat Overview: displays source IP, failed login count, command activity, risk score, and decoy trigger status.
- Command Timeline: interactive table showing attacker commands and classified attack stages.
- AI Attack Analysis: narrative report describing attacker behavior.
- Incident Report Export: downloadable report summarizing the attack session.
Sentinel-JIT continuously monitors suspicious activity, calculates a risk score, and automatically deploys a decoy environment when the risk threshold is exceeded.
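The scoring-and-threshold step described above, as an added example that is not the project's own `risk_engine.py` code. The event fields, weights, stage names and the threshold of 70 are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict

# Assumed weights and threshold (illustrative; risk_engine.py's values are not on the page).
FAILED_LOGIN_WEIGHT, FAILED_LOGIN_CAP = 10, 50   # cap so login noise alone stays below threshold
STAGE_WEIGHTS = {"recon": 10, "download": 30, "credential_access": 30, "other": 0}
DECOY_THRESHOLD = 70
RECON_BINARIES = {"whoami", "id", "uname", "ifconfig", "netstat", "ps"}
DOWNLOADERS = {"wget", "curl"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/passwd", ".ssh/")

def classify(command):
    """Map one shell command to a coarse attack stage (hypothetical taxonomy)."""
    tokens = command.split()
    if not tokens:
        return "other"
    if any(path in command for path in SENSITIVE_PATHS):
        return "credential_access"
    if tokens[0] in DOWNLOADERS:
        return "download"
    if tokens[0] in RECON_BINARIES:   # match the binary name, not a substring
        return "recon"
    return "other"

def score_sessions(events):
    """Aggregate events per source IP and decide whether the decoy should launch."""
    failed, stages, timeline = defaultdict(int), defaultdict(set), defaultdict(list)
    for ev in events:
        if ev["type"] == "failed_login":
            failed[ev["ip"]] += 1
        elif ev["type"] == "command":
            stage = classify(ev["command"])
            stages[ev["ip"]].add(stage)   # distinct stages: repeats do not inflate the score
            timeline[ev["ip"]].append((ev["command"], stage))
    report = {}
    for ip in set(failed) | set(stages):
        score = min(failed[ip] * FAILED_LOGIN_WEIGHT, FAILED_LOGIN_CAP)
        score = min(score + sum(STAGE_WEIGHTS[s] for s in stages[ip]), 100)
        report[ip] = {"failed_logins": failed[ip], "risk_score": score,
                      "decoy_triggered": score > DECOY_THRESHOLD, "timeline": timeline[ip]}
    return report

# Constructed sample events (documentation-range IPs), not real log data.
SAMPLE_EVENTS = (
    [{"ip": "203.0.113.7", "type": "failed_login"}] * 6
    + [{"ip": "203.0.113.7", "type": "command", "command": c} for c in ("whoami", "cat /etc/shadow")]
    + [{"ip": "198.51.100.20", "type": "failed_login"}] * 2
    + [{"ip": "198.51.100.20", "type": "command", "command": "ls -la"}]
)

if __name__ == "__main__":
    for ip, row in sorted(score_sessions(SAMPLE_EVENTS).items()):
        print(ip, row["risk_score"], "decoy" if row["decoy_triggered"] else "monitor")
```

Capping the failed-login contribution below the threshold means a noisy brute-force source alone is only monitored; the decoy launches once post-login behavior adds to the score.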
The following screenshots demonstrate the system behavior during different stages of an attack.
Possible directions for extending the system:
- Real SSH or web-server log ingestion
- Real-time monitoring dashboard
- Geo-IP attacker location mapping
- Multi-attacker session tracking
- Automated PDF incident reports
Sentinel-JIT demonstrates how deception-based cybersecurity can provide valuable threat intelligence instead of immediately blocking attackers. By combining risk scoring, behavioral monitoring, and AI-assisted analysis, the system observes attacker activity inside a controlled decoy environment and generates meaningful incident reports. This prototype highlights the potential of integrating automated analysis and interactive dashboards to better understand attacker strategies and improve defensive decision-making.


