TY - GEN
T1 - HoneyLLM
T2 - 2024 IEEE Conference on Communications and Network Security, CNS 2024
AU - Guan, Chongqi
AU - Cao, Guohong
AU - Zhu, Sencun
N1 - Publisher Copyright:
© 2024 IEEE.
PY - 2024
Y1 - 2024
N2 - Large Language Models (LLMs) have shown significant potential across various domains, including cybersecurity. This paper introduces HoneyLLM, a novel approach to creating high-fidelity shell honeypots using LLMs. We first investigate the potential of different commercial LLMs to emulate shell environments, identifying their characteristics and key challenges in accuracy and consistency. To address these issues, we propose leveraging various prompt engineering techniques, including in-context learning to tackle accuracy-related issues and the chain-of-thought method to maintain response consistency across complex, multi-step attack sessions. Additionally, we design a hybrid architecture for HoneyLLM to handle real-world limitations and improve cost-effectiveness. Through comprehensive offline evaluations, we demonstrate that HoneyLLM can effectively emulate shell environments and handle complex attack scenarios. Our online deployment results show that HoneyLLM, particularly when powered by advanced models like GPT-4, significantly outperforms traditional honeypots in maintaining longer, more effective attack sessions.
AB - Large Language Models (LLMs) have shown significant potential across various domains, including cybersecurity. This paper introduces HoneyLLM, a novel approach to creating high-fidelity shell honeypots using LLMs. We first investigate the potential of different commercial LLMs to emulate shell environments, identifying their characteristics and key challenges in accuracy and consistency. To address these issues, we propose leveraging various prompt engineering techniques, including in-context learning to tackle accuracy-related issues and the chain-of-thought method to maintain response consistency across complex, multi-step attack sessions. Additionally, we design a hybrid architecture for HoneyLLM to handle real-world limitations and improve cost-effectiveness. Through comprehensive offline evaluations, we demonstrate that HoneyLLM can effectively emulate shell environments and handle complex attack scenarios. Our online deployment results show that HoneyLLM, particularly when powered by advanced models like GPT-4, significantly outperforms traditional honeypots in maintaining longer, more effective attack sessions.
UR - https://www.scopus.com/pages/publications/85210554145
UR - https://www.scopus.com/pages/publications/85210554145#tab=citedBy
U2 - 10.1109/CNS62487.2024.10735663
DO - 10.1109/CNS62487.2024.10735663
M3 - Conference contribution
AN - SCOPUS:85210554145
T3 - 2024 IEEE Conference on Communications and Network Security, CNS 2024
BT - 2024 IEEE Conference on Communications and Network Security, CNS 2024
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 30 September 2024 through 3 October 2024
ER -