CANARY TOKENS FABRICATION AND IDENTIFICATION

Abstract

Cybersecurity threats have become increasingly sophisticated, rendering traditional preventive systems insufficient for early-stage intrusion detection. This paper proposes and validates a Canary Token Fabrication and Identification system that uses lightweight deception artifacts— including URL, file, credential, and DNS tokens—to detect unauthorized access in real time. Built on a Python/Flask monitoring server with SQLite persistence and SMTP-based alerting, the system captures the IP address, timestamp, and access metadata of every token interaction and dispatches administrator notifications within one second. Nine structured test cases were executed across all system modules, achieving 100% functional correctness. Comparative analysis demonstrates that the proposed system reduces false positives by approximately 94% relative to signature-based IDS while achieving significantly higher insider-threat detection capability. The modular architecture supports seamless integration with SIEM platforms and requires minimal infrastructure investment, making it suitable for organisations of all sizes.