Generative Honeypots: Dynamic Cyber Deception

• Generative honeypots are cyber deception systems that leverage AI, particularly LLMs, to generate on-the-fly, context-aware responses mimicking real network behaviors.
• They incorporate modular architectures and hybrid caching to emulate various services such as shell environments, credential decoys, and device configurations with sustained session state.
• Evaluation metrics like True Negative Rate, similarity scores, and response latency are crucial for assessing the realism, performance, and cost-efficiency of these dynamic systems.

Generative honeypots are cyber deception systems in which responses to attacker interactions are produced dynamically by generative models—most prominently LLMs—instead of relying on static scripts or deterministic state machines. By synthesizing interactive, context-aware, and realistic outputs on demand, generative honeypots significantly elevate the difficulty of detection for sophisticated adversaries and enable broader, deeper engagement for intelligence-gathering, threat analysis, and attacker behavior research (Malhotra, 1 Sep 2025, Sladić et al., 2023, Sassnick et al., 28 Oct 2024, Bridges et al., 29 Oct 2025, Otal et al., 12 Sep 2024).

1. Defining Features and Taxonomy

Generative honeypots are distinguished by their use of generative AI—especially LLMs or deep sequence models—to emulate network services, shell environments, credential decoys, traffic flows, device configurations, or even malware signatures. Unlike low- or medium-interaction honeypots (e.g., Cowrie), which match attacker commands to predefined responses, LLM-driven honeypots dynamically construct replies, synthesizing filesystem layouts, process tables, error messages, protocol handshakes, and complex application-layer semantics in real time (Malhotra, 1 Sep 2025, Sladić et al., 2023, Adebimpe et al., 24 Oct 2025, Wang et al., 4 Jun 2024).

The core attributes are:

• On-the-fly, context-sensitive response generation: “Dynamic outputs that adapt to arbitrary commands,” not scripted or replayed (Otal et al., 12 Sep 2024).
• Session and state awareness: Virtual session state (filesystem, process table, device state) is continuously tracked to provide continuity and persistence across attacker interactions (Malhotra, 1 Sep 2025, Sladić et al., 2023).
• Model-driven realism: Generated outputs mimic the idiosyncratic features, error codes, and system behaviors found on real hosts.

A standardized taxonomy of generative honeypots can be derived along two axes (Bridges et al., 29 Oct 2025):

• Target layer: Shells (SSH/Telnet), network services (HTTP, OPC UA, etc.), credentials (“honeywords”), honeynets, device/service configurations, malware signature generation.
• Modeling approach: Pretrained/fine-tuned LLMs, GANs (for configs or traffic), VAEs/RNNs (for graph or time-series generation), hybrid pipelines with retrieval augmented generation (RAG).

2. Canonical Architectures and Design Patterns

A canonical LLM honeypot architecture comprises the following modular components (Bridges et al., 29 Oct 2025, Adebimpe et al., 24 Oct 2025, Malhotra, 1 Sep 2025, Sladić et al., 2023):

Component	Function	Implementation Example
Network Ingress	Intercept attacker connections as SSH/Telnet/HTTP	AsyncSSH (Python), custom wrappers
Filter/Router	Block/route known/benign/hostile patterns	Regex, command classifier, session logs
Prompt Manager	Maintain persona prompt, context window, session state	Concatenated shell prompt, system vars
LLM Invocation Core	Generate next output given prompt & session state	OpenAI GPT-3.5 (cloud), local Llama-3
State Tracker	Track and mutate virtual filesystem/processes	In-memory dict, JSON snapshots
Hybrid Cache	Instantly serve cached responses for frequent commands	Dictionary-based, persistent mapping
Post-Processors	Sanitize, filter hallucinations, mask AI markers	Regex replacement, output validators
Logger	Record (cmd, prompt, response, state) for analysis	Flat files, database, SIEM integration

Hybrid architectures combine fast dictionary caches for the 40–50 most common commands to mask LLM latency, falling back to the LLM for novel or OOD commands (Malhotra, 1 Sep 2025, Adebimpe et al., 24 Oct 2025). Session state (file creations, deletions, process table) is diffed and prepended to prompts to persist context and minimize hallucinations (Malhotra, 1 Sep 2025, Sladić et al., 2023).

RAG frameworks—such as SBASH—enable the system to retrieve relevant documentation or sample outputs for rarely seen commands, improving fidelity at some cost in latency (Adebimpe et al., 24 Oct 2025).

3. Models and Generation Algorithms

Generative honeypots rely upon a spectrum of AI models and generation algorithms, tuned for their specific task domain:

• LLMs for shell/network simulation: Commercial (GPT-3.5/4, Gemini) and open-source (Llama, Qwen, Phi, Gemma) models are conditioned with system prompts and session history to mimic command-line environments (Sladić et al., 2023, Otal et al., 12 Sep 2024, Adebimpe et al., 24 Oct 2025, Malhotra, 1 Sep 2025).
• GANs for device/service decoy generation: HoneyGAN Pots employs a deep Wasserstein GAN to output structured device configuration arrays encoding OS/build/port/service tuples, achieving PRD (precision/recall) competitive with real population distributions (Gabrys et al., 10 Jul 2024).
• VAEs/DAG-RNNs for graph extension: Deep generative node placement for Active Directory (AD) environments employs a bidirectional GRU-based VAE to insert honeyusers in organic, attack-prone graph positions (Lukas et al., 2021).
• LSTM Encoder–Decoders for industrial protocol traffic: Multi-output LSTM time-series models learn OPC UA process trajectories, enabling plausible behavioral mimicry of industrial control systems (Sassnick et al., 28 Oct 2024).
• LLMs/Prompt pipelines for honeytokens: Modular prompt engineering enables LLMs to mass-generate syntax-valid, context-rich honeywords, logs, config files, and robots.txt entries to seed detection beacons across systems (Reti et al., 24 Apr 2024).

Fine-tuning, quantization (e.g., QLoRA), and low-rank adaptation (LoRA) are often applied to align LLMs with target system dialects while optimizing for resource usage (Otal et al., 12 Sep 2024).

4. Evaluation Paradigms and Metrics

Rigorous quantitative and qualitative testing is central to generative honeypot development:

• Human deception assessment: Red-teamers are tasked with classifying command–response transcripts as “real” or “simulated.” The primary metric is the True Negative Rate (TNR, specificity), i.e., fraction of realistic outputs correctly identified as real (Sladić et al., 2023, Bridges et al., 29 Oct 2025). shelLM achieves TNR = 0.90 across expert testers (Sladić et al., 2023).
• Similarity and Fidelity Scores: Statistical similarity between honeypot and real outputs are computed using BLEU-4, cosine similarity, Levenshtein/Jaro-Winkler scores, SBert/BertScore, and custom embedding distances (Malhotra, 1 Sep 2025, Otal et al., 12 Sep 2024, Adebimpe et al., 24 Oct 2025). HoneyGAN Pots evaluates PRD (precision–recall) of configuration samples and real-world “Karma” scores for HoneyD templates (Gabrys et al., 10 Jul 2024).
• Latency and Resource Use: End-to-end response times are measured, ranging from sub-1s (cache, local LLMs) to ~3–4s (large LLMs, RAG, full context). Per-command memory overhead and operational costs are tracked (Malhotra, 1 Sep 2025, Adebimpe et al., 24 Oct 2025).
• Hallucination rate: % of outputs displaying logical or semantic inconsistencies, which may reveal the honeypot to attackers. LLMHoney reports hallucination rates from 6% to 26% depending on the backend (Malhotra, 1 Sep 2025).
• Operational risk index: Probability that attackers escape the honeypot isolation boundary, times expected damage; important for “in-the-wild” deployments (Bridges et al., 29 Oct 2025).
• Session depth and engagement: Engagement metrics include average session length, diversity of captured TTPs, and incident “temptation” rates (Wang et al., 4 Jun 2024).

5. Key Applications Across Domains

Generative honeypots have been deployed across a diverse array of cyber defense scenarios:

• Shell/SSH/Telnet emulation: LLMHoney, shelLM, SBASH, and HoneyGPT generate command outputs, simulate file hierarchies, and persist state for long-lived attacker engagement (Malhotra, 1 Sep 2025, Sladić et al., 2023, Adebimpe et al., 24 Oct 2025, Wang et al., 4 Jun 2024).
• Industrial control systems: LSTM-driven honeypots produce plausible OPC UA traffic, emulating cyclic mechatronic system variables in real time (Sassnick et al., 28 Oct 2024).
• Device/service decoys: HoneyGAN Pots generates diverse, high-fidelity network device/service decoys to seed honeynets or dynamic HoneyD deployments (Gabrys et al., 10 Jul 2024).
• AD/Identity management: Graph-based generative models insert honeyusers adaptively into AD networks, making lures indistinguishable from legitimate user entities (Lukas et al., 2021).
• Credential and data honeytokens: Prompt-tuned LLMs output large numbers of indistinguishable honeywords, logs, configs, or fake databases that integrate into both web and host environments (Reti et al., 24 Apr 2024).
• Malware signature “cures”: Generative honeypots can synthesize anti-malware signatures on the fly in response to novel payloads, propagating “cures” rapidly via broadcast (0912.2293).
• ML model traps: Backdoored classifiers (HoneyModels) induce adversarial examples with a secret watermark, enabling detection of adversarial attacks with minimal FPR (Abdou et al., 2022).

6. Limitations, Detection, and Evasion

Generative honeypots inherit several new operational and adversarial challenges (Bridges et al., 29 Oct 2025):

• Detection vectors: Attackers may fingerprint the honeypot via network posture inconsistencies, anomalous system outputs/timing, functional limitations (lack of outbound connectivity or process spawning), and ML-driven multi-feature classifiers. Sophisticated adversaries deploy composite tests:

$$P_{\mathrm{detect}}(\theta) = 1-\prod_{j=1}^4 (1-p_j(\theta))$$

where $p_j(\theta)$ is the honeypot’s failure probability under detection vector $j$ as a function of fidelity-control parameter $\theta$.

• Latency and cost: LLM inference (cloud or on-premise) can introduce multi-second delays, which are mitigated via hybrid caching, quantization, and speculative decoding (Adebimpe et al., 24 Oct 2025, Malhotra, 1 Sep 2025).
• Resource requirements: Large models may require GPU backends; local deployments sometimes trade realism for tractability (e.g., using 1–3B parameter LLMs for acceptable BLEU scores at sub-2s latency) (Malhotra, 1 Sep 2025, Adebimpe et al., 24 Oct 2025).
• Hallucinations: Without rigorous prompt engineering and state tracking, LLMs emit “impossible” outputs, which can raise suspicion (Malhotra, 1 Sep 2025, Sladić et al., 2023).
• Context window drift: Session history truncation can degrade realism in long sessions (Sladić et al., 2023).
• Model and prompt-specificity: Prompt templates optimal for one LLM may degrade on upgrades or across providers, requiring regular re-tuning (Reti et al., 24 Apr 2024).
• Adaptive adversaries: Attackers may train detection models, inject tainted prompts, or minimize projection onto watermarked features to evade honeytoken or HoneyModel traps (Abdou et al., 2022).

7. Research Trajectory and Future Directions

The systematization in (Bridges et al., 29 Oct 2025) articulates an evolutionary roadmap:

1. Transition from static honeytokens to dynamic LLM-backed deception for deeper, more realistic engagement.
2. Systematize architectures around modular layers—ingress, router/cache, context-rich prompt management, LLM core, state tracker, and autonomous improvement feedback.
3. Advance toward fully autonomous, self-improving deception ecosystems using reinforcement learning to maximize engagement, deception, and information gain:

$$J(\theta) = \mathbb{E}\left[\sum_{t=0}^T \gamma^t R(s_t, a_t)\right]$$

1. Close the “data desert” by deploying generative honeypots against LLM-powered, self-improving attacker agents and automating MITRE ATT&CK–oriented log intelligence.
2. Pursue federated, privacy-preserving log sharing and unified evaluation platforms.

Key best-practices include rigorous hybrid caching, session-state management, model selection for cost/realism trade-offs, prompt and output filtering, and ongoing fine-tuning and adversarial testing (Bridges et al., 29 Oct 2025, Malhotra, 1 Sep 2025, Adebimpe et al., 24 Oct 2025).

Generative honeypots, as defined and characterized in the emerging literature, represent a paradigm shift—combining AI-driven simulation, layered architectures, and adaptive evaluation—to create a moving target for adversaries, thereby augmenting cyber defense and threat intelligence collection across attack surfaces, protocols, and organizational domains.