- The paper reveals that 99.23% of authenticated SSH sessions are non-interactive single-command executions used mainly for reconnaissance.
- It employs 11 high-interaction LLM-based honeypots and cross-validates with Cowrie sensors to ensure statistically reliable measurements of post-authentication behavior.
- Findings imply that SSH honeypot designs must shift from interactive shell emulation to accurately capturing automated, command-based attacker probes.
Quantitative Analysis of Non-Interactive SSH Attack Behavior in Honeypots
Introduction
The paper "Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots" (2606.28006) provides a rigorous quantitative examination of post-authentication SSH session types as observed in high-interaction, LLM-based honeypots deployed in the Internet, focusing particularly on the under-investigated prevalence of non-interactive attacks. Using an empirical approach, the authors challenge widespread assumptions in cyberdeception research—specifically, the notion that attacker activity following SSH authentication is predominantly interactive and shell-based. Instead, the paper provides statistically significant evidence that the vast majority of authenticated attack sessions utilize the SSH "exec" mode for single-command execution, with implications that reshape the design, deployment, and evaluation criteria for SSH honeypots.
Methodology
The study deployed eleven SSH honeypot sensors based on an adapted version of AdvancedShelLM, an LLM-driven high-interaction honeypot, across distinct public IPs, collecting a comprehensive dataset of 177,622 authenticated sessions over a 15-day observational window. Instrumentation modifications allowed for granular measurement of session modality: interactive shell vs. non-interactive exec vs. file-transfer request. The deployment environment standardized host and software configurations to mitigate confounds resulting from system heterogeneity.
To validate generalizability, the findings were cross-checked against an independently collected dataset from 4,737 Cowrie sensors (the HaaS network operated by CZ.NIC) over an equivalent time window, using heuristic mapping to infer session types from command traces.
Results
Modal Distribution of Attack Sessions
A core empirical finding is that 99.23% of all authenticated sessions correspond to non-interactive "exec" commands, i.e., one-shot command execution after authentication, with no shell allocated. In contrast, only 0.10% of sessions were interactive shells, and 0.67% were file-transfer requests (the latter rejected by the honeypot). This pattern was highly consistent across all honeypot instances.
Figure 1: Per-sensor fraction of authenticated sessions that are non-interactive, with all sensors exhibiting rates above 97.6%.
The cross-site validation with the Cowrie HaaS dataset corroborated these findings: for sessions containing at least one command, 92.67% were non-interactive single-command sessions. This robust agreement rules out significant deployment or instrumentation artifacts.
Functional Profile of Non-Interactive Commands
Analysis of non-interactive commands revealed a highly skewed distribution: the top ten command strings (e.g., various invocations of "uname", "whoami", "nproc") account for over 41% of non-interactive sessions. These commands overwhelmingly perform reconnaissance and environment discovery, rather than state-changing operations, supporting the interpretation that non-interactive sessions not only dominate numerically but are also primarily automated reconnaissance steps.
Verification and Honeypot Evasion Activity
A significant portion of non-interactive sessions were identified as explicit verification probes: commands that seek to ascertain whether the target is a real system, an emulation, or a known honeypot. Examples include commands that check for correct binary file contents ("cat /bin/echo"), correct execution semantics (arithmetic or base64 decoding), system state persistence, or the existence of honeypot artefacts (such as Cowrie process names).
Identification of 2,178 such simulated-shell check sessions—most using arithmetic and decoding checks—demonstrates that attackers increasingly employ rapid, single-command checks to fingerprint and bypass honeypots before deploying payloads or engaging further. Notably, there was a total absence of prompt-injection attempts or LLM-specific string probes in both the primary and validation dataset, suggesting that LLM-driven attacker agents, if present, did not betray themselves via string artifacts within this measurement scope.
Discussion and Implications
Paradigm Shift for SSH Honeypot Design
The empirical dominance of non-interactive sessions invalidates evaluation metrics and deception strategies centered on interactive shell engagement, session duration, or command count within a single session. Shell-centric honeypots effectively sample only a minute and structurally biased fraction of post-login attacker behavior, systematically missing the contemporary attack surface. The critical design implication is that SSH honeypots must faithfully implement non-interactive command execution (and ideally subsystem/file-transfer support) to capture representative attack activity and to avoid drawing misleading inferences about attacker behavior.
Impact on LLM-based Honeypot Evaluation
Contemporary LLM-based honeypots (e.g., shelLM, VelLMes, HoneyLLM) [sladicLLMShellGenerative2024, sladicVelLMesHighInteractionAIBased2025, fanHoneyLLMLargeLanguage2025] prioritized interactive shell dialog realism, leveraging LLM adaptability for high-fidelity engagement. However, since the overwhelming number of authenticated attacks never request a shell, the efficacy of these systems must be re-evaluated using per-command, per-probe correctness benchmarks in non-interactive contexts. For deception to be effective against modern automated attacker workflows, LLM output persistence, correctness, and resistance to stateful verification become primary—not secondary—performance objectives.
Attacker Automation and Evasion
The predominance of single-command sessions, coupled with observed surges linked to large-scale automated campaigns, illustrates a shift in attacker techniques. Attacks now often algorithmically perform shallow but broad reconnaissance and verification, dynamically adapting to evade deception. This match with findings by Munteanu et al. [munteanuAttacksComeThose2025] and comprehensive surveys [javadpourComprehensiveSurveyCyber2024, bridgesSoKHoneypotsLLMs2026] highlights a trend toward post-authentication logic that is more automated, atomic, and verification-driven than often assumed.
Theoretical and Practical Implications
- Measurement protocol: Any scientific study or field experiment involving SSH honeypots must now explicitly report the SSH modes supported and present a breakdown of observed session types, to ensure comparability and scientific validity.
- Threat intelligence: For incident response and threat characterization, meaningful intelligence must be reconstructed through meta-sessions that group non-interactive commands by campaign, leveraging detailed command sequence and source correlation.
- Deception robustness: LLM-based deception technologies should pivot towards active defense against protocol-level fingerprinting and verification probes, emphasizing behavioral fidelity at the command execution/emulation layer.
Limitations
Measurements reflect the global, indiscriminate activity observable from cloud address space with credentials accepted by default. Targeted attacks on production assets—especially those requiring prolonged interactive engagement—may not exhibit the same behavioral profile. Additionally, the lack of file-transfer support and imposed post-verification session rejection may modestly skew event distributions.
Future Directions
Recommended research directions include (1) deployment of broader, more diverse honeypot networks with support for file-transfer and additional SSH subsystems, (2) active manipulation of honeypot responses to verification probes to empirically measure downstream attacker adaptation, and (3) the development of probe-passing deception metrics suitable for LLM-based honeypot benchmarking.
Conclusion
"Ghost Without Shell" (2606.28006) rigorously demonstrates that the SSH attacker threat model measured by most honeypots and assumed by much of the cyberdeception literature is substantially outmoded. SSH honeypot deployments and LLM-based deception systems must realign their designs and evaluation methodologies towards non-interactive, verification-oriented attacker workflows to preserve relevance as automated, large-scale attack campaigns continue to evolve. Theoretical research and practical engineering will need to shift focus from dialog realism to per-command execution fidelity and resilience against protocol-aware evasion.