Wednesday, April 30, 2025
HomeCyber AICreating An AI Honeypot To Engage With Attackers Sophisticatedly

Creating An AI Honeypot To Engage With Attackers Sophisticatedly

Published on

SIEM as a Service

Follow Us on Google News

Honeypots, decoy systems, detect and analyze malicious activity by coming in various forms and can be deployed on cloud platforms to provide insights into attacker behavior, enhancing security.

The study proposes to create an interactive honeypot system using a Large Language Model (LLM) to mimic Linux server behavior.

By fine-tuning the LLM with a dataset of attacker-generated commands, the goal is to enhance honeypot effectiveness in detecting and analyzing malicious activities.

- Advertisement - Google News

The authors combined three datasets of Linux commands, including real-world attacker data, common commands, and command explanations, and processed this data by simulating command execution and preprocessing the text, creating a robust dataset for training their language model to mimic a honeypot.

Prompt engineering involved refining prompts to align with research objectives and enhance model interaction with the dataset, leading to a more effective honeypot system.

The Llama3 8B model was selected for honeypot LLM due to its balance of linguistic proficiency and computational efficiency.

Larger models were too slow, while code-centric models were less effective for honeypot simulation.

Decoding Compliance: What CISOs Need to Know – Join Free Webinar

They fine-tuned a pre-trained language model using LlamaFactory, employing LoRA, QLoRA, NEFTune noise, and Flash Attention 2 to enhance training efficiency and performance, resulting in a honeypot server-like model.

It proposes an LLM-Honeypot framework using an SSH server and a fine-tuned LLM to interact with attackers in natural language, enabling realistic simulation and attacker behavior analysis.

The custom SSH server, built using Python’s Paramiko library, employs a fine-tuned language model to generate realistic responses to user commands.

It logs SSH connections, user credentials, and command interactions, providing valuable data for cybersecurity analysis.

The fine-tuned model’s training losses exhibited a steady decline, indicating effective learning from the dataset.

A learning rate of 5×10−4 was used for 36 training steps, resulting in consistent performance improvement and enhanced ability to generate realistic and contextually appropriate responses.

Histogram of Cosine Similarity Scores over 140 Samples

It demonstrated superior performance in generating terminal outputs compared to the base model, as evidenced by consistently higher similarity scores and lower distance metrics across all samples, which indicates the model’s effectiveness in producing outputs that closely align with expected responses from a Cowrie honeypot server.

The paper proposes a new method for creating interactive and realistic honeypot systems using LLMs. By fine-tuning an LLM on attacker data, the system enhances response quality, improves threat detection, and provides deeper insights into attacker behavior.

They plan to expand training datasets, explore alternative fine-tuning, and incorporate behavioral analysis by deploying the system publicly to collect attack logs and create knowledge graphs to analyze attacker strategies.

They will also evaluate performance using metrics like accuracy and interaction quality to refine the model and enhance honeypots for better cyber-threat detection and analysis.

Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14-day free trial

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

How CISOs Can Strengthen Supply Chain Security in 2025

The responsibilities of Chief Information Security Officers (CISOs) are rapidly evolving as digital transformation...

The CISO’s Guide to Effective Cloud Security Strategies

As organizations accelerate cloud adoption, CISOs face unprecedented challenges securing dynamic, multi-cloud environments. The...

Mitigating Insider Threats – A CISO’s Practical Approach

Insider threats represent one of the most challenging cybersecurity risks facing organizations today, with...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...

Security Policy Development Codifying NIST CSF For Enterprise Adoption

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) has become a...

Cato Networks macOS Client Vulnerability Enables Low-Privilege Code Execution

A critical vulnerability in Cato Networks’ widely used macOS VPN client has been disclosed,...