High-interaction honeypots offer rich insights into adversarial behavior but face two persistent challenges: the overwhelming volume of unstructured logs they generate and the limited realism of their interactive environments. This paper introduces LAD-H (Leveraging Large Language Models to Analyze and Deceive in High-Interaction Honeypots), a unified framework that integrates large language models across both deception and analysis phases. On the deception side, LAD-H employs LLM-driven shell and SQL modules that preserve contextual state, emulate virtual file systems and databases, and generate realistic error and timing responses to mislead adversaries. On the analysis side, LAD-H combines lightweight machine learning with LLM-assisted semantic reasoning, enhanced by retrieval-augmented generation and cyber threat intelligence, to extract tactic-level insights from noisy and ambiguous honeypot logs. We implement a prototype of LAD-H and evaluate it against baseline honeypots and classifiers using benchmark datasets and real attack traces. Experimental results show that LAD-H not only sustains immersive attacker engagement but also achieves superior detection accuracy, with hybrid analysis reaching 97.65% accuracy. These findings demonstrate that integrating LLMs across the honeypot lifecycle yields both stronger deception and richer intelligence, offering a promising path toward next-generation cyber defense.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

LAD-H: Leveraging Large Language Models to Analyze and Deceive in High-Interaction Honeypots

  • Tianfu Xu,
  • Qun He,
  • Mengjiang Zhu,
  • Rixuan Qiu

摘要

High-interaction honeypots offer rich insights into adversarial behavior but face two persistent challenges: the overwhelming volume of unstructured logs they generate and the limited realism of their interactive environments. This paper introduces LAD-H (Leveraging Large Language Models to Analyze and Deceive in High-Interaction Honeypots), a unified framework that integrates large language models across both deception and analysis phases. On the deception side, LAD-H employs LLM-driven shell and SQL modules that preserve contextual state, emulate virtual file systems and databases, and generate realistic error and timing responses to mislead adversaries. On the analysis side, LAD-H combines lightweight machine learning with LLM-assisted semantic reasoning, enhanced by retrieval-augmented generation and cyber threat intelligence, to extract tactic-level insights from noisy and ambiguous honeypot logs. We implement a prototype of LAD-H and evaluate it against baseline honeypots and classifiers using benchmark datasets and real attack traces. Experimental results show that LAD-H not only sustains immersive attacker engagement but also achieves superior detection accuracy, with hybrid analysis reaching 97.65% accuracy. These findings demonstrate that integrating LLMs across the honeypot lifecycle yields both stronger deception and richer intelligence, offering a promising path toward next-generation cyber defense.