How is the performance of our generated rules in the wild?
To demonstrate the effectiveness of the rules generated by our workflow in the wild, we deploy a honeypot to safely attract and capture security event logs from real-world attacks.
We mainly collect web application security logs, to show that the approach generalizes to diverse types of security logs and events.
Specifically, we follow the DShield setup, which runs a Cowrie honeypot on an Amazon Web Services (AWS) server under the three-month free plan, to attract general web attacks in the wild.
In summary, our honeypot collects web application logs with a total of 64,185 events over three months, from 22 July to 22 October 2024.
We report precision and recall (in percent) in the wild across the three rule sets; the rules generated by \name significantly outperform existing Sigma and Splunk rules in detecting malicious events in the wild.
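As an added illustration of how a rule set is scored against labelled honeypot events (example code, not the paper's workflow or dataset; the events, the Sigma-like rules and the ground-truth labels are all constructed):

```python
import re
from dataclasses import dataclass

# Constructed honeypot web events (not the paper's data); `malicious` is the analyst's ground-truth label.
EVENTS = [
    {"uri": "/index.html", "ua": "Mozilla/5.0", "status": 200, "malicious": False},
    {"uri": "/robots.txt", "ua": "Googlebot/2.1", "status": 200, "malicious": False},
    {"uri": "/cgi-bin/.%2e/%2e%2e/bin/sh", "ua": "curl/7.88", "status": 404, "malicious": True},
    {"uri": "/wp-login.php", "ua": "python-requests/2.31", "status": 404, "malicious": True},
    {"uri": "/.env", "ua": "Go-http-client/1.1", "status": 404, "malicious": True},
    {"uri": "/favicon.ico", "ua": "Mozilla/5.0", "status": 404, "malicious": False},
    {"uri": "/?id=1%27%20OR%201%3D1", "ua": "Mozilla/5.0", "status": 200, "malicious": True},
    {"uri": "/phpmyadmin/", "ua": "Mozilla/5.0", "status": 404, "malicious": True},
]

# Minimal Sigma-like rule: a selection of field -> regex; every field must match (logical AND).
@dataclass
class Rule:
    title: str
    selection: dict

def rule_matches(rule, event):
    return all(re.search(pat, str(event.get(field, "")), re.IGNORECASE)
               for field, pat in rule.selection.items())

def evaluate(rules, events):
    """Flag an event if any rule in the set fires; return (precision, recall) in percent."""
    tp = fp = fn = 0
    for ev in events:
        flagged = any(rule_matches(r, ev) for r in rules)
        if flagged and ev["malicious"]:
            tp += 1
        elif flagged:
            fp += 1
        elif ev["malicious"]:
            fn += 1
    precision = 100.0 * tp / (tp + fp) if tp + fp else 0.0
    recall = 100.0 * tp / (tp + fn) if tp + fn else 0.0
    return round(precision, 1), round(recall, 1)

# Two constructed rule sets: a broad one that fires on every 404, and a narrower, content-based one.
BROAD_RULES = [Rule("Any 404", {"status": r"^404$"})]
NARROW_RULES = [
    Rule("Path traversal / sensitive file", {"uri": r"(%2e%2e|\.\./|/\.env)"}),
    Rule("SQLi probe", {"uri": r"(%27|')(%20|\s)*OR(%20|\s)"}),
    Rule("Scanner UA on login page", {"uri": r"wp-login\.php", "ua": r"(python-requests|curl|Go-http-client)"}),
]
```

The broad set scores 80.0/80.0 (it also flags the benign favicon miss and misses the SQLi probe that returned 200), while the narrow set scores 100.0/80.0 (it misses the phpmyadmin probe); honeypot traffic still contains crawlers and harmless probes, so precision in the wild depends on how the events are labelled.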