shelLM – A New AI-Based Honeypot to Engage Attackers as a Real System

A honeypot is a trap on a network that lures and studies cyber-attack techniques of threat actors, alerting defenders to unauthorized access attempts.

Though Honeypots help and assist cybersecurity researchers in several ways, they can also be used by cybercriminals to trick and mislead cybersecurity researchers.

Recently, the following cybersecurity researchers from their respective universities and organizations found a new AI-based honeypot dubbed “shelLM,” to engage attackers as a real system:-

  • Muris Sladic (Czech Technical University)
  • Veronica Valeros (Czech Technical University)
  • Carlos Catania (School of Engineering, UNCuyo)
  • Sebastian Garcia (Czech Technical University)

AI-Based Honeypot

To create sheLLM, experts used various prompts to instruct the LLM, emphasizing:-

  • Precision
  • Realism
  • Secrecy

Besides this, for better outputs and performance, they also used the following key things:- 

  • A personality prompt
  • Detailed behavior descriptions
  • With few-shot prompting, a Chain of Thought (CoT) approach

The researchers aimed to create an LLM honeypot indistinguishable from a real system. They used an LLM to simulate a Linux terminal via SSH and tested it with 12 users of varying security expertise, analyzing their ability to detect it.

Experiments studied human interactions with cloud-based LLM honeypots, assigning unique instances to participants who logged in, interacted with, and emailed their answers.

Evaluation processes of the honeypot software (Source – Arxiv)

Participants knew it was a honeypot; the focus was on whether the output appeared normal. However, they provided command-specific feedback via:-

  • Logs
  • Screenshots
  • Videos

For this honeypot evaluation, errors were categorized as false positives (misidentifying real as a honeypot), false negatives (misidentifying honeypot as real), and true positives/negatives.

Here below, we have mentioned the error interpretations

  • True Positives (TP)
  • False Positives (FP)
  • False Negatives (FN)
  • True Negatives (TN)

Techniques Used

Here below, we have mentioned all the methods that are used:-

12 users tested the honeypot with 226 commands, mostly involving package, file, network, and system management. The following are the top ten commands with an average of 19 commands per user:-

  • cat
  • ls
  • sudo
  • get
  • echo
  • pwd
  • nano
  • ping
  • ssh
  • whois

In command evaluation, the following results were revealed:-

  • 90% true negative rate
  • 9% false positives
  • 18% true positives
  • 2% false negatives

In this study, security researchers used LLMs to create a convincing honeypot system generating synthetic data, validated by experts with 92% accuracy.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.