A honeypot is a trap on a network that lures and studies cyber-attack techniques of threat actors, alerting defenders to unauthorized access attempts.
Though Honeypots help and assist cybersecurity researchers in several ways, they can also be used by cybercriminals to trick and mislead cybersecurity researchers.
Recently, the following cybersecurity researchers from their respective universities and organizations found a new AI-based honeypot dubbed “shelLM,” to engage attackers as a real system:-
Muris Sladic (Czech Technical University)
Veronica Valeros (Czech Technical University)
Carlos Catania (School of Engineering, UNCuyo)
Sebastian Garcia (Czech Technical University)
AI-Based Honeypot
To create sheLLM, experts used various prompts to instruct the LLM, emphasizing:-
Precision
Realism
Secrecy
Besides this, for better outputs and performance, they also used the following key things:-
A personality prompt
Detailed behavior descriptions
With few-shot prompting, a Chain of Thought (CoT) approach
The researchers aimed to create an LLM honeypot indistinguishable from a real system. They used an LLM to simulate a Linux terminal via SSH and tested it with 12 users of varying security expertise, analyzing their ability to detect it.
Experiments studied human interactions with cloud-based LLM honeypots, assigning unique instances to participants who logged in, interacted with, and emailed their answers.
Evaluation processes of the honeypot software (Source – Arxiv)
Participants knew it was a honeypot; the focus was on whether the output appeared normal. However, they provided command-specific feedback via:-
Logs
Screenshots
Videos
For this honeypot evaluation, errors were categorized as false positives (misidentifying real as a honeypot), false negatives (misidentifying honeypot as real), and true positives/negatives.
Here below, we have mentioned the error interpretations
True Positives (TP)
False Positives (FP)
False Negatives (FN)
True Negatives (TN)
Techniques Used
Here below, we have mentioned all the methods that are used:-
Model Techniques
Consistency Techniques
12 users tested the honeypot with 226 commands, mostly involving package, file, network, and system management. The following are the top ten commands with an average of 19 commands per user:-
cat
ls
sudo
get
echo
pwd
nano
ping
ssh
whois
In command evaluation, the following results were revealed:-
90% true negative rate
9% false positives
18% true positives
2% false negatives
In this study, security researchers used LLMs to create a convincing honeypot system generating synthetic data, validated by experts with 92% accuracy.
Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.
The post shelLM – A New AI-Based Honeypot to Engage Attackers as a Real System appeared first on Cyber Security News.
Cyber Security News
