HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot

Wenjun Fan; Zichen Yang; Yuanzhen Liu; Lang Qin; Jia Liu

doi:10.1007/978-981-97-8801-9_13

HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot

Wenjun Fan^*, Zichen Yang^*, Yuanzhen Liu, Lang Qin, Jia Liu

^*Corresponding author for this work

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

Abstract

Honeypot is a sort of deception defense tool and deliberately created for capturing malicious behaviors. The trade-off between security risk and data availability often incurs arduous efforts. Since a high-interaction honeypot (HIH) can capture much deeper system-level data while it has to disclose the full operating system, which absolutely leads to a higher security risk. In contrast, a low-/medium-interaction honeypot (LIH/MIH) revealing empty or camouflaged services has a lower security risk while it can only capture network-level data such as port scanning, access attempts, etc. To tackle this issue, this paper proposes a large language model (LLM) powered medium-interaction honeypot system, termed HoneyLLM, which aims to provide an authentic shell based on LLM rather than a real operating system to spoof the attacker to be fully engaged with the “request-response” message interaction and leave useful data. A proof-of-concept system has been created and deployed for capturing real-world attacks. Our experiments demonstrate that this system outperforms traditional honeypots in effectiveness. HoneyLLM can capture not only network activities as LIH/MIH, but also delve deeper by capturing system activities, like HIH, providing a more complete picture of attacker activity. Despite the limited current exploration of LLMs for authentic response creation for honeypot (at the time of writing, 2024 May 4th), this research signifies a breakthrough in leveraging LLM for more deceptive and dynamic cyber defense mechanisms.

Original language	English
Title of host publication	Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings
Editors	Sokratis Katsikas, Christos Xenakis, Costas Lambrinoudakis, Christos Kalloniatis
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	253-272
Number of pages	20
ISBN (Print)	9789819788002
DOIs	https://doi.org/10.1007/978-981-97-8801-9_13
Publication status	Published - Dec 2024
Event	26th International Conference on Information and Communications Security, ICICS 2024 - Mytilene, Greece Duration: 26 Aug 2024 → 28 Aug 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	15057 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	26th International Conference on Information and Communications Security, ICICS 2024
Country/Territory	Greece
City	Mytilene
Period	26/08/24 → 28/08/24

Keywords

Authentic Response
Deception Defdel
Fake Shell
Honeypot
Large Language Model
Shell Evaluation

Access to Document

10.1007/978-981-97-8801-9_13

Cite this

Fan, W., Yang, Z., Liu, Y., Qin, L., & Liu, J. (2024). HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot. In S. Katsikas, C. Xenakis, C. Lambrinoudakis, & C. Kalloniatis (Eds.), Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings (pp. 253-272). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15057 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-97-8801-9_13

Fan, Wenjun ; Yang, Zichen ; Liu, Yuanzhen et al. / HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot. Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings. editor / Sokratis Katsikas ; Christos Xenakis ; Costas Lambrinoudakis ; Christos Kalloniatis. Springer Science and Business Media Deutschland GmbH, 2024. pp. 253-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{40c1be76c42f4b858be784bdbf4ef86b,

title = "HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot",

abstract = "Honeypot is a sort of deception defense tool and deliberately created for capturing malicious behaviors. The trade-off between security risk and data availability often incurs arduous efforts. Since a high-interaction honeypot (HIH) can capture much deeper system-level data while it has to disclose the full operating system, which absolutely leads to a higher security risk. In contrast, a low-/medium-interaction honeypot (LIH/MIH) revealing empty or camouflaged services has a lower security risk while it can only capture network-level data such as port scanning, access attempts, etc. To tackle this issue, this paper proposes a large language model (LLM) powered medium-interaction honeypot system, termed HoneyLLM, which aims to provide an authentic shell based on LLM rather than a real operating system to spoof the attacker to be fully engaged with the “request-response” message interaction and leave useful data. A proof-of-concept system has been created and deployed for capturing real-world attacks. Our experiments demonstrate that this system outperforms traditional honeypots in effectiveness. HoneyLLM can capture not only network activities as LIH/MIH, but also delve deeper by capturing system activities, like HIH, providing a more complete picture of attacker activity. Despite the limited current exploration of LLMs for authentic response creation for honeypot (at the time of writing, 2024 May 4th), this research signifies a breakthrough in leveraging LLM for more deceptive and dynamic cyber defense mechanisms.",

keywords = "Authentic Response, Deception Defdel, Fake Shell, Honeypot, Large Language Model, Shell Evaluation",

author = "Wenjun Fan and Zichen Yang and Yuanzhen Liu and Lang Qin and Jia Liu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.; 26th International Conference on Information and Communications Security, ICICS 2024 ; Conference date: 26-08-2024 Through 28-08-2024",

year = "2024",

month = dec,

doi = "10.1007/978-981-97-8801-9_13",

language = "English",

isbn = "9789819788002",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "253--272",

editor = "Sokratis Katsikas and Christos Xenakis and Costas Lambrinoudakis and Christos Kalloniatis",

booktitle = "Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings",

}

Fan, W, Yang, Z, Liu, Y, Qin, L & Liu, J 2024, HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot. in S Katsikas, C Xenakis, C Lambrinoudakis & C Kalloniatis (eds), Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 15057 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 253-272, 26th International Conference on Information and Communications Security, ICICS 2024, Mytilene, Greece, 26/08/24. https://doi.org/10.1007/978-981-97-8801-9_13

HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot. / Fan, Wenjun; Yang, Zichen; Liu, Yuanzhen et al.
Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings. ed. / Sokratis Katsikas; Christos Xenakis; Costas Lambrinoudakis; Christos Kalloniatis. Springer Science and Business Media Deutschland GmbH, 2024. p. 253-272 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 15057 LNCS).

Research output: Chapter in Book or Report/Conference proceeding › Conference Proceeding › peer-review

TY - GEN

T1 - HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot

AU - Fan, Wenjun

AU - Yang, Zichen

AU - Liu, Yuanzhen

AU - Qin, Lang

AU - Liu, Jia

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2024/12

Y1 - 2024/12

N2 - Honeypot is a sort of deception defense tool and deliberately created for capturing malicious behaviors. The trade-off between security risk and data availability often incurs arduous efforts. Since a high-interaction honeypot (HIH) can capture much deeper system-level data while it has to disclose the full operating system, which absolutely leads to a higher security risk. In contrast, a low-/medium-interaction honeypot (LIH/MIH) revealing empty or camouflaged services has a lower security risk while it can only capture network-level data such as port scanning, access attempts, etc. To tackle this issue, this paper proposes a large language model (LLM) powered medium-interaction honeypot system, termed HoneyLLM, which aims to provide an authentic shell based on LLM rather than a real operating system to spoof the attacker to be fully engaged with the “request-response” message interaction and leave useful data. A proof-of-concept system has been created and deployed for capturing real-world attacks. Our experiments demonstrate that this system outperforms traditional honeypots in effectiveness. HoneyLLM can capture not only network activities as LIH/MIH, but also delve deeper by capturing system activities, like HIH, providing a more complete picture of attacker activity. Despite the limited current exploration of LLMs for authentic response creation for honeypot (at the time of writing, 2024 May 4th), this research signifies a breakthrough in leveraging LLM for more deceptive and dynamic cyber defense mechanisms.

AB - Honeypot is a sort of deception defense tool and deliberately created for capturing malicious behaviors. The trade-off between security risk and data availability often incurs arduous efforts. Since a high-interaction honeypot (HIH) can capture much deeper system-level data while it has to disclose the full operating system, which absolutely leads to a higher security risk. In contrast, a low-/medium-interaction honeypot (LIH/MIH) revealing empty or camouflaged services has a lower security risk while it can only capture network-level data such as port scanning, access attempts, etc. To tackle this issue, this paper proposes a large language model (LLM) powered medium-interaction honeypot system, termed HoneyLLM, which aims to provide an authentic shell based on LLM rather than a real operating system to spoof the attacker to be fully engaged with the “request-response” message interaction and leave useful data. A proof-of-concept system has been created and deployed for capturing real-world attacks. Our experiments demonstrate that this system outperforms traditional honeypots in effectiveness. HoneyLLM can capture not only network activities as LIH/MIH, but also delve deeper by capturing system activities, like HIH, providing a more complete picture of attacker activity. Despite the limited current exploration of LLMs for authentic response creation for honeypot (at the time of writing, 2024 May 4th), this research signifies a breakthrough in leveraging LLM for more deceptive and dynamic cyber defense mechanisms.

KW - Authentic Response

KW - Deception Defdel

KW - Fake Shell

KW - Honeypot

KW - Large Language Model

KW - Shell Evaluation

UR - http://www.scopus.com/inward/record.url?scp=85215273964&partnerID=8YFLogxK

U2 - 10.1007/978-981-97-8801-9_13

DO - 10.1007/978-981-97-8801-9_13

M3 - Conference Proceeding

AN - SCOPUS:85215273964

SN - 9789819788002

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 253

EP - 272

BT - Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings

A2 - Katsikas, Sokratis

A2 - Xenakis, Christos

A2 - Lambrinoudakis, Costas

A2 - Kalloniatis, Christos

PB - Springer Science and Business Media Deutschland GmbH

T2 - 26th International Conference on Information and Communications Security, ICICS 2024

Y2 - 26 August 2024 through 28 August 2024

ER -

Fan W, Yang Z, Liu Y, Qin L, Liu J. HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot. In Katsikas S, Xenakis C, Lambrinoudakis C, Kalloniatis C, editors, Information and Communications Security - 26th International Conference, ICICS 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 253-272. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-981-97-8801-9_13

HoneyLLM: A Large Language Model-Powered Medium-Interaction Honeypot

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this