Vusion
Together with Volvo Group this project investigates how large language models (LLM) can be used as honeypots as a distraction for threat agents. LLMs provide an easy way to generate synthetic data looking quite real or baiting any bad actors to scrape for information. The project utilizes the LLMs to decide on what type and how many honeypots to deploy along with the contents including files, folders, and users. When deployed the honeypot then is monitored by an analyst LLM to decide how to react to the honeypot by providing additional honeypots or more file contents to the system.
The primary objective of the project is to provide a working concept of a system where a feedback loop works to generate more agents in order to react to the ecosystem as necessary. Interactions will include, hiring the right team members (LLMs) to deploy the right contents, and to perform any additional analysis.
We plan to generate a complex adaptive system leveraging LLM's to create contextual honeypots. Traditionally systems need to come up with fake data, generate their own approach to trick hackers, and even understand the cumbersome process of deploying a honeypot and knowing which one to use.
Introduce LLM Blue Team. The basic concept involves using multiple prompts where LLM's act as agents to communicate amongst each other to determine the type of content to produce based on information given by an organization. The LLM's discuss what type of information is best, then using logic the system parses information into deployable systems where hackers think they've found the pot of gold at the end of the rainbow. They've successfully committed an attack and from there we log their actions to learn about the different methods they plan to use.
All the meanwhile the LLM team actively watches the logs then decides how to proceed based on the bad actor's attempts which then the tables have turned and now the defenders have obtained the pot of gold and hopefully the bad actor thinks they've left with the gold not only poisoning their findings, but will likely try to sell the information and use this to poison the entire community of bad actors.
Our solution
We focus on providing a conceptual model for which other people may build upon the concept to deploy appropriately. We provide a system framework for which people adapt and apply their resources where affordable or appropriate.
The Concept (07/29/2024):
A Working Example:
We host the Honeypots on Amazon Web Services (AWS). Our operating system sits next to these honeypots ready to deploy and run analytics on the interactions. The honeypot sends logs to DynamoDB, a NoSQL database on AWS, and then we make calls to the database to feed to the Chat GPT API. The feedback from the Chat GPT call serves as an analyst to interpret logs.
When deploying the honeypots we found a significant difference between default honeypots and the enhanced systems. In terms of engagement, most bad actors tend to look at the enhanced version over the default system. However, this does not mean that an AI enhanced model outperforms a carefully configured system, but the research does show that with an automated system, it's quite fast and easy to create a realistic system without much upfront cost to deploy and manage. The prototype is also limited to pseudo environments, but are confident in the gains.
In the ever-evolving landscape of cybersecurity, the need for innovative defense mechanisms has never been more critical. Traditional honeypots require extensive manual configuration and deployment, often involving the generation of fake data and complex strategies to deceive potential attackers. However, our latest AI project aims to transform this process by leveraging Large Language Models (LLMs) to create contextual and adaptive honeypots. Welcome to the future of cybersecurity with a Blue LLM Team. The inspiration behind our project stems from the increasing sophistication of cyber threats. Traditional honeypot systems often fall short due to their static nature and the laborious process of setup and maintenance. We envisioned a system that could dynamically generate and manage honeypots, making them more effective and less resource-intensive for organizations. Our primary objective is to develop a complex adaptive system using LLMs to create highly contextual honeypots. The concept revolves around multiple LLMs acting as agents, communicating with each other to determine the optimal fake data and deployment strategies based on specific organizational information. Here’s how it works:
Our Progress So Far We have made significant strides in our project, implementing a linear approach using an LLM that can design a custom file system based on company-specific information. This is integrated with the prebuilt honeypot Cowrie. Here’s what we’ve achieved:
Above is a diagram illustrating our current system architecture. Challenges and Learnings We faced several challenges, ensuring the communication between LLM agents and optimizing real-time analysis of logs. However, each obstacle provided valuable insights that helped us refine our approach and enhance the system's robustness. Next Steps Our next steps involve expanding the capabilities of our LLM agents to handle more complex scenarios and improve their decision-making processes. We plan to:
Conclusion Our journey with LLM Blue Team has been exciting and promising. By harnessing the power of AI, we are creating a more dynamic and effective defense mechanism against cyber threats. We invite you to follow our progress as we continue to innovate and enhance our system. |
|
2024-06-11 10:55
Post
Fareed Shaik (first on the left) Fareed is a rock star full stack developer and AWS expert. He advises the team on system implementation. The knowledge he brings to the team on information systems tied in with full stack development experience makes him a powerhouse when work as part of a team. Mahesh Babu Kamepall (second from the left) Mahesh provides years of experience in Java development being an expert programmer, and excellent communicator when needing to provide simple communication to non-technical experts. Simon Paulsson (middle) Simon Paulson, he leads the team's strategy and architecture coming up with complex dynamic adaptive approaches to define robust solutions. He excels in taking static simple solutions and delivering adaptive systems, developing products which respond to their environments as best as possible. Lovisa Ivarsson (second from the right) Lovisa provides a cyber security background. She works hard to help ensure the team answers real world attack problems and cyber security vulnerabilities from job experience in defending the Swedish nation's cyber systems. Her calm demeanor shines through when the team needs help in the decision making process. Franklin Parker (first on the right) Frank helps with project management related tasks including task management, stakeholder communication, scheduling, scoping, and diagram. With a diverse set of skills Frank brings deep perspective and works hard to understand each team member's skill sets and needs to break down complex tasks. |
|