DOI: 10.1145/3655693.3655716
Research article, open access

Honeypot's Best Friend? Investigating ChatGPT's Ability to Evaluate Honeypot Logs

Published: 05 June 2024

Abstract

Honeypots can gather substantial data from intruders, but many honeypots lack the features needed to analyse and explain the nature of these potential attacks. Typically, honeypot analysis reports only highlight the attacking IP addresses and the malicious requests. As such, analysts might miss the more useful insights that can be derived from honeypot data, such as the attackers' plan or emerging threats. Meanwhile, recent advances in large language models (LLMs), such as ChatGPT, have opened up the possibility of using artificial intelligence (AI) to comprehend honeypot data better, for instance by performing automated and intelligent log analysis that can explain consequences, provide labels, and deal with obfuscation. In this study, we probed ChatGPT's proficiency in understanding and explaining honeypot logs from actual recorded attacks on our honeypots. Our data encompassed 627 requests to Elasticsearch honeypots and 73 attacks detected by SSH honeypots, collected over a two-week period. Our analysis focused on evaluating ChatGPT's ability to explain the potential consequences of each attack, to map each attack to the MITRE ATT&CK Framework, and to identify any obfuscation techniques that attackers might have used. We found that ChatGPT achieved 96.65% accuracy in correctly explaining the consequences of the attacks targeting Elasticsearch servers. Furthermore, ChatGPT achieved 72.46% accuracy in matching a given attack to one or more techniques listed in the MITRE ATT&CK Framework. Similarly, ChatGPT was excellent at identifying obfuscation techniques employed by attackers and offering deobfuscation solutions. However, 30.46% of the request bodies and 7.5% of the targeted URIs were falsely identified as obfuscated, giving a very high false positive rate for obfuscation.
With the SSH honeypot data, ChatGPT achieved 97.26% accuracy in explaining the consequences of the attacks and 98.84% accuracy in correctly mapping them to MITRE ATT&CK Framework techniques. Based on these results, ChatGPT has shown great potential for automating the analysis of honeypot data. Its proficiency in explaining attack consequences, mapping attacks to MITRE ATT&CK techniques, and handling obfuscation is impressive. Nevertheless, the high false positive rates need to be kept in mind, as they can cause problems in practice. This should be addressed in future research, for example by leveraging the fine-tuning capabilities that were recently introduced to ChatGPT but were not available at the time of writing.
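As an added illustration (not code from the paper), the following Python scores an LLM's per-request verdicts against analyst ground truth using the three criteria the abstract reports: a correct consequence explanation, a match of at least one MITRE ATT&CK technique, and an obfuscation flag, from which accuracy and the obfuscation false positive rate are computed. The sample records, their technique assignments and the FP/(FP+TN) convention for the false positive rate are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One honeypot request with analyst ground truth and the LLM's verdict."""
    truth_techniques: frozenset   # ATT&CK technique IDs the analyst assigned
    truth_obfuscated: bool        # analyst: is the body/URI actually obfuscated?
    llm_techniques: frozenset     # technique IDs the LLM named
    llm_obfuscated: bool          # LLM: flagged the request as obfuscated?
    consequence_correct: bool     # analyst verdict on the LLM's consequence write-up


def score(records):
    """Return accuracy/FPR metrics in the style the abstract reports.

    A technique mapping counts as correct when at least one LLM technique
    matches the analyst's set (the "one or more techniques" criterion).
    Obfuscation FPR is FP / (FP + TN): the share of genuinely clean
    requests the model wrongly flagged (assumed convention).
    """
    n = len(records)
    consequence_hits = sum(r.consequence_correct for r in records)
    mapping_hits = sum(bool(r.truth_techniques & r.llm_techniques) for r in records)
    fp = sum(r.llm_obfuscated and not r.truth_obfuscated for r in records)
    tn = sum(not r.llm_obfuscated and not r.truth_obfuscated for r in records)
    tp = sum(r.llm_obfuscated and r.truth_obfuscated for r in records)
    fn = sum(not r.llm_obfuscated and r.truth_obfuscated for r in records)
    return {
        "consequence_acc": consequence_hits / n,
        "attack_mapping_acc": mapping_hits / n,
        "obfuscation_fpr": fp / (fp + tn) if fp + tn else 0.0,
        "obfuscation_recall": tp / (tp + fn) if tp + fn else 0.0,
    }


# Constructed sample: five Elasticsearch/SSH-style honeypot hits, labelled by hand.
SAMPLE = [
    # plain exploit attempt against the HTTP API; LLM agrees, nothing obfuscated
    Record(frozenset({"T1190"}), False, frozenset({"T1190"}), False, True),
    # base64-wrapped shell command in the body; LLM spots it and adds a second technique
    Record(frozenset({"T1059.004"}), True, frozenset({"T1059.004", "T1105"}), True, True),
    # version probe; LLM picks a different technique and wrongly calls it obfuscated
    Record(frozenset({"T1595.002"}), False, frozenset({"T1046"}), True, True),
    # SSH password guessing; mapping right, but the consequence write-up was wrong
    Record(frozenset({"T1110.001"}), False, frozenset({"T1110.001"}), False, False),
    # hex-encoded payload the LLM failed to flag as obfuscated
    Record(frozenset({"T1027"}), True, frozenset({"T1027"}), False, True),
]
```

Running `score(SAMPLE)` on the constructed records yields 80% consequence accuracy, 80% mapping accuracy, a 33.3% obfuscation false positive rate and 50% obfuscation recall, which shows why the abstract reports the false positive rate separately from accuracy.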


Published In

EICC '24: Proceedings of the 2024 European Interdisciplinary Cybersecurity Conference
June 2024
235 pages
ISBN:9798400716515
DOI:10.1145/3655693
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Artificial Intelligence
  2. ChatGPT
  3. Honeypot
  4. Log Analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

EICC 2024

Article Metrics

  • Total Citations: 0
  • Total Downloads: 314
  • Downloads (last 12 months): 314
  • Downloads (last 6 weeks): 112

Reflects downloads up to 15 Oct 2024
