Abstract

A honeypot is an effective tool for luring attackers and collecting information on their methods. However, honeypots are vulnerable to exploitation and can become attack vectors, necessitating enhanced security. One way to improve security is by analyzing input submitted to the honeypot and assigning a risk level to determine execution, which is especially important for SSH adaptive honeypots. However, in the literature, only a simple binary classification is used to classify commands as either severe or non-severe. Motivated by this gap, we propose a novel approach to assess the risk of shell commands by classifying them into five risk levels ranging from very low risk (R0) to extremely high risk (R4), evaluating the potential adversarial impact of executing them on a system. The proposed approach is then used to build a classification model using a large language model (LLM), RoBERTa, to automatically assess commands based on their defined risk levels. We evaluate this model against two other classifiers using two different embeddings: Bag-of-Words and Word2Vec. The evaluation result shows that the LLM-based classifier outperforms the other models in accurately assessing the risk levels of shell commands.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Risks and Security of Internet and Systems |
| Subtitle of host publication | 19th International Conference, CRiSIS 2024, Aix-en-Provence, France, November 26-28, 2024, Proceedings |
| Publisher | Springer, Cham |
| Volume | 1 |
| ISBN (Electronic) | 978-3-031-89349-0 |
| Publication status | Published - 21 May 2025 |

Publication series

| Field | Value |
|---|---|
| Name | Lecture Notes in Computer Science |
| Publisher | Springer Cham |
| Volume | 15456 |
| ISSN (Print) | 0302-9743 |
| ISSN (Electronic) | 1611-3349 |
Keywords
- risk assessment
- shell attack
- Adaptive Honeypot
- large language models