Papers
Topics
Authors
Recent
Search
2000 character limit reached

Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots

Published 26 Jun 2026 in cs.CR | (2606.28006v1)

Abstract: Cyber deception research has focused on improving honeypot deception capabilities to increase attacker engagement and extend their interactions to collect more and better intelligence. For SSH honeypots, this relies on the assumption that attackers log in, open a shell, and type. We tested whether this still held by deploying eleven SSH honeypots that served both interactive and non-interactive session requests for fifteen days. We collected 177,622 authenticated sessions and validated our results against an independent Cowrie dataset over the same time window. We found that 99.23% of sessions were non-interactive. Interactive sessions account for only 0.10%. The same pattern held in the comparative third-party dataset used for evaluation. This finding is important because a honeypot that focuses on interactive shells or evaluates success based on session length and the number of commands can miss most authenticated attacks and draw the wrong conclusions about what attackers do after login.

Summary

  • The paper reveals that 99.23% of authenticated SSH sessions are non-interactive single-command executions used mainly for reconnaissance.
  • It employs 11 high-interaction LLM-based honeypots and cross-validates with Cowrie sensors to ensure statistically reliable measurements of post-authentication behavior.
  • Findings imply that SSH honeypot designs must shift from interactive shell emulation to accurately capturing automated, command-based attacker probes.

Quantitative Analysis of Non-Interactive SSH Attack Behavior in Honeypots

Introduction

The paper "Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots" (2606.28006) provides a rigorous quantitative examination of post-authentication SSH session types as observed in high-interaction, LLM-based honeypots deployed in the Internet, focusing particularly on the under-investigated prevalence of non-interactive attacks. Using an empirical approach, the authors challenge widespread assumptions in cyberdeception research—specifically, the notion that attacker activity following SSH authentication is predominantly interactive and shell-based. Instead, the paper provides statistically significant evidence that the vast majority of authenticated attack sessions utilize the SSH "exec" mode for single-command execution, with implications that reshape the design, deployment, and evaluation criteria for SSH honeypots.

Methodology

The study deployed eleven SSH honeypot sensors based on an adapted version of AdvancedShelLM, an LLM-driven high-interaction honeypot, across distinct public IPs, collecting a comprehensive dataset of 177,622 authenticated sessions over a 15-day observational window. Instrumentation modifications allowed for granular measurement of session modality: interactive shell vs. non-interactive exec vs. file-transfer request. The deployment environment standardized host and software configurations to mitigate confounds resulting from system heterogeneity.

To validate generalizability, the findings were cross-checked against an independently collected dataset from 4,737 Cowrie sensors (the HaaS network operated by CZ.NIC) over an equivalent time window, using heuristic mapping to infer session types from command traces.

Results

A core empirical finding is that 99.23% of all authenticated sessions correspond to non-interactive "exec" commands, i.e., one-shot command execution after authentication, with no shell allocated. In contrast, only 0.10% of sessions were interactive shells, and 0.67% were file-transfer requests (the latter rejected by the honeypot). This pattern was highly consistent across all honeypot instances. Figure 1

Figure 1: Per-sensor fraction of authenticated sessions that are non-interactive, with all sensors exhibiting rates above 97.6%.

The cross-site validation with the Cowrie HaaS dataset corroborated these findings: for sessions containing at least one command, 92.67% were non-interactive single-command sessions. This robust agreement rules out significant deployment or instrumentation artifacts.

Functional Profile of Non-Interactive Commands

Analysis of non-interactive commands revealed a highly skewed distribution: the top ten command strings (e.g., various invocations of "uname", "whoami", "nproc") account for over 41% of non-interactive sessions. These commands overwhelmingly perform reconnaissance and environment discovery, rather than state-changing operations, supporting the interpretation that non-interactive sessions not only dominate numerically but are also primarily automated reconnaissance steps.

Verification and Honeypot Evasion Activity

A significant portion of non-interactive sessions were identified as explicit verification probes: commands that seek to ascertain whether the target is a real system, an emulation, or a known honeypot. Examples include commands that check for correct binary file contents ("cat /bin/echo"), correct execution semantics (arithmetic or base64 decoding), system state persistence, or the existence of honeypot artefacts (such as Cowrie process names).

Identification of 2,178 such simulated-shell check sessions—most using arithmetic and decoding checks—demonstrates that attackers increasingly employ rapid, single-command checks to fingerprint and bypass honeypots before deploying payloads or engaging further. Notably, there was a total absence of prompt-injection attempts or LLM-specific string probes in both the primary and validation dataset, suggesting that LLM-driven attacker agents, if present, did not betray themselves via string artifacts within this measurement scope.

Discussion and Implications

Paradigm Shift for SSH Honeypot Design

The empirical dominance of non-interactive sessions invalidates evaluation metrics and deception strategies centered on interactive shell engagement, session duration, or command count within a single session. Shell-centric honeypots effectively sample only a minute and structurally biased fraction of post-login attacker behavior, systematically missing the contemporary attack surface. The critical design implication is that SSH honeypots must faithfully implement non-interactive command execution (and ideally subsystem/file-transfer support) to capture representative attack activity and to avoid drawing misleading inferences about attacker behavior.

Impact on LLM-based Honeypot Evaluation

Contemporary LLM-based honeypots (e.g., shelLM, VelLMes, HoneyLLM) [sladicLLMShellGenerative2024, sladicVelLMesHighInteractionAIBased2025, fanHoneyLLMLargeLanguage2025] prioritized interactive shell dialog realism, leveraging LLM adaptability for high-fidelity engagement. However, since the overwhelming number of authenticated attacks never request a shell, the efficacy of these systems must be re-evaluated using per-command, per-probe correctness benchmarks in non-interactive contexts. For deception to be effective against modern automated attacker workflows, LLM output persistence, correctness, and resistance to stateful verification become primary—not secondary—performance objectives.

Attacker Automation and Evasion

The predominance of single-command sessions, coupled with observed surges linked to large-scale automated campaigns, illustrates a shift in attacker techniques. Attacks now often algorithmically perform shallow but broad reconnaissance and verification, dynamically adapting to evade deception. This match with findings by Munteanu et al. [munteanuAttacksComeThose2025] and comprehensive surveys [javadpourComprehensiveSurveyCyber2024, bridgesSoKHoneypotsLLMs2026] highlights a trend toward post-authentication logic that is more automated, atomic, and verification-driven than often assumed.

Theoretical and Practical Implications

  • Measurement protocol: Any scientific study or field experiment involving SSH honeypots must now explicitly report the SSH modes supported and present a breakdown of observed session types, to ensure comparability and scientific validity.
  • Threat intelligence: For incident response and threat characterization, meaningful intelligence must be reconstructed through meta-sessions that group non-interactive commands by campaign, leveraging detailed command sequence and source correlation.
  • Deception robustness: LLM-based deception technologies should pivot towards active defense against protocol-level fingerprinting and verification probes, emphasizing behavioral fidelity at the command execution/emulation layer.

Limitations

Measurements reflect the global, indiscriminate activity observable from cloud address space with credentials accepted by default. Targeted attacks on production assets—especially those requiring prolonged interactive engagement—may not exhibit the same behavioral profile. Additionally, the lack of file-transfer support and imposed post-verification session rejection may modestly skew event distributions.

Future Directions

Recommended research directions include (1) deployment of broader, more diverse honeypot networks with support for file-transfer and additional SSH subsystems, (2) active manipulation of honeypot responses to verification probes to empirically measure downstream attacker adaptation, and (3) the development of probe-passing deception metrics suitable for LLM-based honeypot benchmarking.

Conclusion

"Ghost Without Shell" (2606.28006) rigorously demonstrates that the SSH attacker threat model measured by most honeypots and assumed by much of the cyberdeception literature is substantially outmoded. SSH honeypot deployments and LLM-based deception systems must realign their designs and evaluation methodologies towards non-interactive, verification-oriented attacker workflows to preserve relevance as automated, large-scale attack campaigns continue to evolve. Theoretical research and practical engineering will need to shift focus from dialog realism to per-command execution fidelity and resilience against protocol-aware evasion.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 6 likes about this paper.