Generative LLM Defending Honeypots Project

The Generative LLM Defending Honeypots Project aims to leverage the power of LLMs in all their forms to generate the content of honeypots in such a way that they are:

  • Not easily differentiated from a real service by attackers.

  • Coherent in their answers with respect to the context.

  • Good at luring attackers into spending more time inside the honeypot.

The project would generate honeypots for SSH, TELNET, HTTP, POP3, SMTP, and other protocols.

If successful, such honeypots would allow for a better internal early warning system for the defenders.

Motivation

Honeypot technology is old and well known, but nowadays it is mainly used to collect IoCs on the Internet, with some exceptions that use honeytokens. We believe that the power of honeypots can return to internal networks, where they can serve as good early warning systems.

So far, LLMs have mainly been used in security as summarization tools, explanation tools, and generative tools for attacking. However, we believe that LLMs have great potential as defensive tools. LLM-generated text can be used inside honeypots to show the attacker complex and variable content. If produced correctly, the honeypot would be high-interaction, dynamic, variable, and hard to attack, giving the defenders ample time to better protect their networks.


Project

The Generative LLM Defending Honeypots Project explores, researches, and develops LLMs as part of the trusted security tools of the community. Our current research spans many topics, from honeypots to autonomous security defensive agents.

This project covers the topic from two perspectives: first as an exploration of the security principles and designs of LLMs in defense, and second as research on how to improve the LLMs for our purposes.


A first approach to the topic was already made by our student Muris Sladic, who built an LLM-based SSH honeypot called ShelLM. ShelLM mimics a real interactive SSH terminal and answers all the commands of the user. The research has been published in its first iteration:
- Video: https://www.youtube.com/watch?v=0ysdHanr-jA
- Arxiv paper: https://arxiv.org/pdf/2309.00155.pdf
- Code: https://github.com/stratosphereips/SheLLM
- Published poster: https://esorics2023.org/program/accepted_posters/

LLMs as honeypots: ShelLM


A second approach to the topic is the use of LLMs as strategic decision makers for defensive agents. This technology, still under development, seeks to build agents that can act and make decisions as defenders given specific information about the state of a network.

LLMs as defensive agents