LLMPot: Dynamically Configured LLM-based Honeypot for Industrial Protocol and Physical Process Emulation

TL;DR

This paper introduces LLMPot, a novel LLM-based method for automatically creating realistic, vendor-agnostic honeypots in ICS networks that accurately emulate industrial protocols and control logic, reducing manual effort.

Contribution

The paper presents LLMPot, a new approach leveraging large language models to automate and optimize the deployment of ICS honeypots with diverse protocols and control logic.

Findings

Effective emulation of industrial protocols achieved

Automated honeypot configuration reduces manual effort

Vendor-agnostic and adaptable to various control logics

Abstract

Industrial Control Systems (ICS) are extensively used in critical infrastructures ensuring efficient, reliable, and continuous operations. However, their increasing connectivity and addition of advanced features make them vulnerable to cyber threats, potentially leading to severe disruptions in essential services. In this context, honeypots play a vital role by acting as decoy targets within ICS networks, or on the Internet, helping to detect, log, analyze, and develop mitigations for ICS-specific cyber threats. Deploying ICS honeypots, however, is challenging due to the necessity of accurately replicating industrial protocols and device characteristics, a crucial requirement for effectively mimicking the unique operational behavior of different industrial systems. Moreover, this challenge is compounded by the significant manual effort required in also mimicking the control logic the PLC would execute, in order to capture attacker traffic aiming to disrupt critical infrastructure operations. In this paper, we propose LLMPot, a novel approach for designing honeypots in ICS networks harnessing the potency of Large Language Models (LLMs). LLMPot aims to automate and optimize the creation of realistic honeypots with vendor-agnostic configurations, and for any control logic, aiming to eliminate the manual effort and specialized knowledge traditionally required in this domain. We conducted extensive experiments focusing on a wide array of parameters, demonstrating that our LLM-based approach can effectively create honeypot devices implementing different industrial protocols and diverse control logic.