LLM Agents for Cyber Defense
Lovisa Ivarsson, Mahesh Kamepalli, Franklin Parker, Simon Paulsson and Fareed Shaik
Dakota State University + AI Sweden - Industrial Immersion Program
Introduction
In the evolving field of cybersecurity, new threats continually emerge, challenging existing defenses. The emergence of large language models (LLMs) for executing cyberattacks allows for quicker and more complicated breaches while lowering the barrier of entry for attackers [1]. This study explores the integration of LLMs with honeypot systems to bolster cybersecurity defenses. Enhancements to current honeypots are proposed by leveraging LLMs for deployment, management, and monitoring. Additionally, the study demonstrates the use of LLMs to interpret logs into easy-to-understand language.
Objectives
• Investigate how LLMs can be used to create realistic and adaptive honeypots.
• Develop a prototype of a honeypot enhanced by LLMs.
• Explore if LLMs can be used to analyse logs generated by honeypots.
• Compare the performance of a default honeypot to an LLM-enhanced honeypot.
Cybersecurity
Cybersecurity is crucial in today’s digital age due to the growing dependence on online technologies [2]. It protects against cyber threats like data breaches and ransomware, safeguarding sensitive information and ensuring system integrity. Cybersecurity is vital across various sectors, including finance, healthcare, and national security, where it helps prevent fraud, protect patient data, and defend against cyber espionage. The importance of cybersecurity is paramount for maintaining public trust and the functionality of essential services.
Honeypots
Methods
The LLM-enhanced honeypot was designed based on the system architecture shown in Figure 1. LLMs were employed to generate configurations and contents for Cowrie, an open-source SSH honeypot. This honeypot was then deployed to accept incoming connections, with another LLM monitoring and providing easy-to-understand summaries of the interactions. Currently, all LLMs use ChatGPT-3.5 as the underlying model, but there are plans to transition to fine-tuned models in the future.
Evaluation method
To evaluate the LLM-enhanced honeypot's performance, the amount of information collected was compared to the amount collected from a default Cowrie honeypot. A good measure for information density, or the average amount of information, is entropy [3].
Results
Future Work
Future work could involve enhancing honeypots with LLMs capable of learning from cyberattackers’ behavior, allowing for adaptive responses. Additionally, incorporating federated learning would enable the collection and modeling of attacker behavior across multiple honeypots, further strengthening cyber defenses through continuous improvement and collaboration. This approach would ensure that LLMs evolve with emerging threats, providing robust and dynamic protection.
Conclusion
The study demonstrates the effectiveness of the integration of LLMs into honeypot systems. Implementation enhances their realism and reduces the need for manual configurations, thereby enabling them to adapt more effectively to evolving attacks. Additionally, LLMs show potential in analyzing honeypot logs and presenting them to users in a readable and comprehensible format, which serves as a substantial time saver. However, to achieve high-quality analysis and categorization of the logs, further development and fine-tuning of the LLMs become necessary. By providing better context and refined models, the concept ensures the output provides easy to interpret classifications of attack data, thereby maximizing the effectiveness of the honeypot systems.
References
[1] Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang. LLM agents can autonomously exploit one-day vulnerabilities, 2024.
Figure 2: Entropy in commands for both the default Cowrie instance and our LLM-enhanced honeypot from three different sources.
[2] Rossouw von Solms and Johan van Niekerk. From information security to cyber security. Computers & Security, 38:97–102, 2013. Cybercrime in the Digital Economy.
[3] C. E. Shannon. A mathematical theory of communication. The Bell System Technical Journal, 27(3):379–423, 1948.
Honeypots act as decoy systems designed to attract bad actors and gather valuable insights into their behavior, much like how the bees are drawn to Winnie the Pooh’s honeypot in the illustration. By imitating a legitimate target, such as a network, server, or database, honeypots divert attackers away from real, critical assets. They work by convincing attackers that they are interacting with secure systems, thus encouraging them to engage. These decoy systems contain fake data and applications that appear genuine to attackers. Once an attacker interacts with a honeypot, security teams can monitor their actions, analyze their strategies, and collect crucial information to improve overall security measures, similar to how Pooh observes the bees’ behavior.
Commands received by the honeypots were categorized into two groups: those directed to the LLM-enhanced honeypot and those to the default honeypot. Each command was tokenized, and probability distributions, p(x), were derived for the tokens in each group. Entropy, H(X), was then calculated for both groups, enabling a quantitative comparison of the information density collected. Bootstrapping techniques were used to estimate the distribution of entropy values, providing an estimate of variability and confidence in the measurements.
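The evaluation procedure described above can be sketched as follows. This is an added example, not code from the study: the whitespace tokenizer, the percentile interval, the resample count and both command lists are assumptions made for illustration.

```python
import math
import random
from collections import Counter

# Constructed sample sessions (not data from the study).
DEFAULT_CMDS = ["ls", "uname -a", "whoami", "ls", "uname -a", "exit"]
LLM_CMDS = [
    "ls -la /home/user/Music/jazz",
    "cat /home/user/Documents/notes.txt",
    "find / -name *.conf",
    "uname -a",
    "ps aux",
    "df -h",
]

def tokenize(command):
    # Assumption: whitespace tokens; the poster does not name its tokenizer.
    return command.split()

def token_entropy(commands):
    """H(X) = sum over tokens x of p(x) * log2(1 / p(x)), in bits."""
    counts = Counter(tok for cmd in commands for tok in tokenize(cmd))
    total = sum(counts.values())
    return sum((n / total) * math.log2(total / n) for n in counts.values())

def bootstrap_entropy(commands, n_resamples=2000, seed=0):
    """Resample whole commands with replacement; return sorted H(X) estimates."""
    rng = random.Random(seed)
    k = len(commands)
    return sorted(
        token_entropy([commands[rng.randrange(k)] for _ in range(k)])
        for _ in range(n_resamples)
    )

def percentile_interval(sorted_samples, alpha=0.05):
    """Percentile bootstrap interval, e.g. 95% for alpha=0.05."""
    last = len(sorted_samples) - 1
    return sorted_samples[int(alpha / 2 * last)], sorted_samples[int((1 - alpha / 2) * last)]

if __name__ == "__main__":
    for name, cmds in (("default", DEFAULT_CMDS), ("LLM-enhanced", LLM_CMDS)):
        lo, hi = percentile_interval(bootstrap_entropy(cmds))
        print(f"{name}: H={token_entropy(cmds):.3f} bits, 95% interval [{lo:.3f}, {hi:.3f}]")
```

Resampling whole commands rather than individual tokens keeps each attacker command intact, so the spread of the bootstrap estimates reflects variation between commands.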
The results indicate that the LLM-enhanced honeypot generates interactions with a higher average amount of information compared to a default honeypot. Figure 2 illustrates a clear separation between the bootstrap distributions for the two honeypots, indicating a statistically significant difference and suggesting that the performance of the LLM-enhanced honeypot is not due to random chance.
The higher entropy values observed in the LLM-enhanced honeypot suggest it captures a more diverse and complex set of commands from attackers. This increased information density reflects the ability of the LLM to create more diverse and realistic scenarios, enriching the data collected during honeypot interactions.
Example prompts
• Prompt for Contents: Create a file system structure based on the automotive company data provided and explain the reason.
• Reasoning: How can the company leverage the use of jazz music in its marketing campaigns?
• File Created: File Path: /home/user/Music/jazz/MilesDavisConcert.mp4
Acknowledgements
This project would not have been possible without the arrangement and support from Dakota State University, AI Sweden and Chalmers University. Special thanks to Thomas Mitchell from Volvo Group for his invaluable guidance and support throughout our research. The assistance of colleagues and the resources provided by the institutions are also deeply appreciated.