LLM in the Shell: Generative Honeypots
Muris Sladić, Veronica Valeros, Carlos Catania, Sebastian Garcia

TL;DR
This paper presents shelLM, a novel dynamic honeypot using Large Language Models to generate realistic Linux shell outputs, significantly improving deception and engagement with attackers.
Contribution
Introduces shelLM, a cloud-based LLM-powered honeypot that enhances realism and adaptability, addressing limitations of traditional static honeypots.
Findings
shelLM achieved a 0.90 True Negative Rate in tests.
Cybersecurity researchers found shelLM's outputs credible.
shelLM outperforms existing honeypots in realism and engagement.
Abstract
Honeypots are essential tools in cybersecurity for early detection, threat intelligence gathering, and analysis of attacker's behavior. However, most of them lack the required realism to engage and fool human attackers long-term. Being easy to distinguish honeypots strongly hinders their effectiveness. This can happen because they are too deterministic, lack adaptability, or lack deepness. This work introduces shelLM, a dynamic and realistic software honeypot based on Large Language Models that generates Linux-like shell output. We designed and implemented shelLM using cloud-based LLMs. We evaluated if shelLM can generate output as expected from a real Linux shell. The evaluation was done by asking cybersecurity researchers to use the honeypot and give feedback if each answer from the honeypot was the expected one from a Linux shell. Results indicate that shelLM can create credible and…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Anomaly Detection Techniques and Applications
