SBASH: a Framework for Designing and Evaluating RAG vs. Prompt-Tuned LLM Honeypots
Adetayo Adebimpe, Helmut Neukirchen, Thomas Welsh

TL;DR
This paper introduces SBASH, a framework that leverages local LLMs and RAG techniques to enhance honeypot responsiveness and realism while addressing data privacy and operational costs.
Contribution
The paper presents SBASH, a novel framework combining RAG and prompt-tuned local LLMs for improved honeypot effectiveness and data protection.
Findings
RAG improves accuracy of untuned models.
Prompt-tuned models achieve similar accuracy to RAG with lower latency.
Evaluation metrics include response time, realism, and similarity to real systems.
Abstract
Honeypots are decoy systems used for gathering valuable threat intelligence or diverting attackers away from production systems. Maximising attacker engagement is essential to their utility. However, research has highlighted that context-awareness, such as the ability to respond to new attack types, systems and attacker agents, is necessary to increase engagement. Large Language Models (LLMs) have been shown to be one approach to increasing context awareness, but they suffer from several challenges, including accuracy and timeliness of response, high operational costs and data-protection issues due to cloud deployment. We propose the System-Based Attention Shell Honeypot (SBASH) framework, which manages data-protection issues through the use of lightweight local LLMs. We investigate the use of Retrieval Augmented Generation (RAG) supported LLMs and non-RAG LLMs for Linux shell commands and…
