LLM in the Shell: Generative Honeypots (2309.00155v3)

Abstract: Honeypots are essential tools in cybersecurity for early detection, threat intelligence gathering, and analysis of attacker's behavior. However, most of them lack the required realism to engage and fool human attackers long-term. Being easy to distinguish honeypots strongly hinders their effectiveness. This can happen because they are too deterministic, lack adaptability, or lack deepness. This work introduces sheLLM, a dynamic and realistic software honeypot based on LLMs that generates Linux-like shell output. We designed and implemented sheLLM using cloud-based LLMs. We evaluated if sheLLM can generate output as expected from a real Linux shell. The evaluation was done by asking cybersecurity researchers to use the honeypot and give feedback if each answer from the honeypot was the expected one from a Linux shell. Results indicate that sheLLM can create credible and dynamic answers capable of addressing the limitations of current honeypots. SheLLM reached a TNR of 0.90, convincing humans it was consistent with a real Linux shell. The source code and prompts for replicating the experiments have been publicly available.