HoneyLLM: Enabling Shell Honeypots with Large Language Models
Chongqi Guan, Guohong Cao, Sencun Zhu
Abstract
Large Language Models (LLMs) have shown significant potential across various domains, including cybersecurity. This paper introduces HoneyLLM, a novel approach to creating high-fidelity shell honeypots using LLMs. We first investigate the potential of different commercial LLMs to emulate shell environments, identifying their characteristics and key challenges in accuracy and consistency. To address these issues, we propose leveraging various prompt engineering techniques, including incontext learning to tackle accuracy-related issues and the chain-of-thought method to maintain response consistency across complex, multi-step attack sessions. Additionally, we design a hybrid architecture for HoneyLLM to handle real-world limitations and improve cost-effectiveness. Through comprehensive offline evaluations, we demonstrate that HoneyLLM can effectively emulate shell environments and handle complex attack scenarios. Our online deployment results show that HoneyLLM, particularly when powered by advanced models like GPT-4, significantly outperforms traditional honeypots in maintaining longer, more effective attack sessions.