arxiv: 2606.28006 · v1 · pith:4MIWUSFXnew · submitted 2026-06-26 · 💻 cs.CR

Ghost Without Shell: Measuring Non-Interactive SSH Attacks on Honeypots

Pith reviewed 2026-06-29 03:46 UTC · model grok-4.3

classification 💻 cs.CR
keywords SSH honeypots · non-interactive attacks · cyber deception · SSH authentication · honeypot evaluation · attack measurement · session classification

The pith

Ninety-nine percent of authenticated SSH sessions on honeypots are non-interactive and never open a shell.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests the standing assumption in cyber deception research that attackers who log into SSH honeypots will open a shell and type commands. Eleven honeypots were run for fifteen days, yielding 177,622 authenticated sessions whose behavior was classified as interactive or non-interactive. The data showed 99.23 percent of sessions were non-interactive while only 0.10 percent were interactive; the same distribution appeared in an independent third-party dataset collected over the same period. If correct, honeypots and evaluation methods that measure success by shell activity or command volume will overlook the great majority of real attacks and reach mistaken conclusions about post-login attacker actions.

Core claim

Authenticated SSH attacks on honeypots consist overwhelmingly of non-interactive sessions that request no shell and perform no interactive commands, a pattern confirmed across multiple independent deployments.

What carries the argument

Classification of each authenticated session by whether it requests an interactive shell and executes typed commands versus automated non-interactive requests.

If this is right

  • Honeypot success metrics that rely on session length or number of commands will systematically undercount attack volume.
  • Research on SSH deception must address non-interactive vectors to capture the dominant form of authenticated activity.
  • Evaluations of new honeypot features focused on shell interaction will miss most real-world authenticated attacks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Many non-interactive sessions likely represent automated credential testing or scanning tools rather than manual exploration.
  • Defenses and monitoring tuned to interactive shells may need to shift focus to patterns in non-interactive authentication attempts.
  • The low interactive rate could indicate attackers already detect or avoid honeypot shells, suggesting a need to test detection evasion in non-interactive paths.

Load-bearing premise

The honeypots accurately mimic real servers so attackers treat them the same way, and the interactive versus non-interactive classification method produces few errors.

What would settle it

A comparable deployment on production SSH servers or on honeypots with substantially different configurations that records a much higher share of interactive sessions would disprove the reported distribution.

Figures

Figures reproduced from arXiv: 2606.28006 by Muris Sladić, Sebastian Garcia, Veronica Valeros.

Figure 1: Fraction of authenticated sessions that are non…

Original abstract

Cyber deception research has focused on improving honeypot deception capabilities to increase attacker engagement and extend their interactions to collect more and better intelligence. For SSH honeypots, this relies on the assumption that attackers log in, open a shell, and type. We tested whether this still held by deploying eleven SSH honeypots that served both interactive and non-interactive session requests for fifteen days. We collected 177,622 authenticated sessions and validated our results against an independent Cowrie dataset over the same time window. We found that 99.23% of sessions were non-interactive. Interactive sessions account for only 0.10%. The same pattern held in the comparative third-party dataset used for evaluation. This finding is important because a honeypot that focuses on interactive shells or evaluates success based on session length and the number of commands can miss most authenticated attacks and draw the wrong conclusions about what attackers do after login.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript reports results from deploying eleven SSH honeypots for fifteen days, collecting 177,622 authenticated sessions. It claims that 99.23% of these sessions were non-interactive while only 0.10% were interactive, with the same pattern observed in an independent Cowrie dataset collected over the same period. The central conclusion is that honeypot research and evaluation focused on interactive shell activity may miss the large majority of authenticated attacks.

Significance. If the classification of sessions proves reliable and generalizable, the result would meaningfully shift assumptions in cyber deception research about post-login attacker behavior and would affect how honeypot success is measured. The inclusion of a third-party dataset for cross-validation is a positive aspect of the study design.

major comments (3)
  1. [Methods / Results] The manuscript does not specify the exact logging features or thresholds used to label a session as interactive versus non-interactive (e.g., PTY allocation, presence of command input after login, or other session attributes). This definition is load-bearing for the headline percentages reported in the abstract and results.
  2. [Deployment description] The eleven honeypots are described only at a high level; it is unclear whether they share a common implementation (such as a Cowrie fork) that real OpenSSH servers do not exhibit, which could affect whether the observed non-interactive behavior generalizes beyond the measurement apparatus.
  3. [Evaluation / Comparative dataset] The comparative Cowrie dataset is used for validation, yet the manuscript provides no independent ground-truth labeling or manual audit of a sample of sessions to confirm that the classifier does not systematically mislabel automated clients that request a shell but issue no further commands.
minor comments (2)
  1. [Abstract] The abstract states the study ran for fifteen days but does not report the exact calendar window or any controls for temporal effects in attacker behavior.
  2. [Figures/Tables] Table or figure captions should explicitly state the total number of sessions and the breakdown by category to allow readers to verify the reported percentages without returning to the text.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback. We address each major comment point-by-point below, indicating planned revisions where appropriate.

  1. Referee: [Methods / Results] The manuscript does not specify the exact logging features or thresholds used to label a session as interactive versus non-interactive (e.g., PTY allocation, presence of command input after login, or other session attributes). This definition is load-bearing for the headline percentages reported in the abstract and results.

    Authors: We agree the classification criteria require explicit detail. Sessions were labeled non-interactive if the log showed no PTY allocation and no post-authentication input events; interactive sessions required both PTY and at least one command. We will revise the Methods section to state these exact features and thresholds. revision: yes

  2. Referee: [Deployment description] The eleven honeypots are described only at a high level; it is unclear whether they share a common implementation (such as a Cowrie fork) that real OpenSSH servers do not exhibit, which could affect whether the observed non-interactive behavior generalizes beyond the measurement apparatus.

    Authors: All eleven instances used a Cowrie fork configured to accept both interactive and non-interactive sessions while preserving standard OpenSSH authentication behavior. The identical pattern in the independent Cowrie dataset supports that the result is not deployment-specific. We will expand the deployment section with configuration parameters and a brief discussion of potential artifacts. revision: partial

  3. Referee: [Evaluation / Comparative dataset] The comparative Cowrie dataset is used for validation, yet the manuscript provides no independent ground-truth labeling or manual audit of a sample of sessions to confirm that the classifier does not systematically mislabel automated clients that request a shell but issue no further commands.

    Authors: We acknowledge that a manual audit would strengthen validation. Classification relies on observable log attributes rather than inferred intent, and scale (177k+ sessions) plus cross-dataset consistency provide supporting evidence. We will add a limitations paragraph discussing misclassification risks and the absence of manual ground truth. revision: partial
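
The labeling rule stated in the rebuttal above (non-interactive: no PTY and no post-authentication input; interactive: PTY plus at least one command), written out as an added example that is not code from the paper or from Pith. The JSON-lines schema and event names are hypothetical, and treating an exec request as a channel request rather than an input event is an assumption.

```python
import json
from collections import Counter

# Constructed sample log. The event names are a hypothetical, simplified
# schema, not the log format of Cowrie or of the paper's honeypots.
SAMPLE_LOG = """\
{"session": "a1", "event": "auth_success"}
{"session": "a1", "event": "exec_request", "command": "uname -a"}
{"session": "b2", "event": "auth_success"}
{"session": "b2", "event": "pty_request"}
{"session": "b2", "event": "shell_request"}
{"session": "b2", "event": "input", "data": "ls -la"}
{"session": "c3", "event": "auth_success"}
{"session": "c3", "event": "pty_request"}
{"session": "c3", "event": "shell_request"}
{"session": "d4", "event": "auth_failed"}
{"session": "e5", "event": "auth_success"}
{"session": "e5", "event": "forward_request", "target": "192.0.2.10:443"}
not-json debris line
"""

def classify_sessions(lines):
    """Return {session_id: label} for authenticated sessions only."""
    state = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or corrupt log lines instead of aborting
        if not isinstance(ev, dict) or "session" not in ev:
            continue
        s = state.setdefault(ev["session"], {"auth": False, "pty": False, "inputs": 0})
        kind = ev.get("event")
        if kind == "auth_success":
            s["auth"] = True
        elif s["auth"] and kind == "pty_request":
            s["pty"] = True
        elif s["auth"] and kind == "input":
            s["inputs"] += 1  # only post-authentication input counts
    labels = {}
    for sid, s in state.items():
        if not s["auth"]:
            continue  # failed logins are outside the measured population
        if s["pty"] and s["inputs"] >= 1:
            labels[sid] = "interactive"
        elif not s["pty"] and s["inputs"] == 0:
            labels[sid] = "non-interactive"
        else:
            labels[sid] = "other"  # e.g. PTY and shell requested, nothing typed
    return labels

def summarize(labels):
    """Share of each label, in percent of authenticated sessions."""
    counts = Counter(labels.values())
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 2) for k, v in counts.items()} if total else {}

if __name__ == "__main__":
    print(summarize(classify_sessions(SAMPLE_LOG.splitlines())))
```

The "other" label is where a client that requests a PTY and a shell but sends nothing ends up, which is the case the referee's third major comment asks about.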

Circularity Check

0 steps flagged

Observational measurement study with direct data collection; no derivations or self-referential logic present

The paper is an empirical measurement study that collects and classifies 177,622 authenticated SSH sessions from eleven deployed honeypots over fifteen days, then validates the observed 99.23% non-interactive rate against an independent third-party Cowrie dataset. No equations, parameter fitting, predictions, ansatzes, or uniqueness theorems appear in the provided text. The core result follows directly from logging session properties (e.g., PTY allocation and command execution) without any reduction to fitted inputs or self-citations. The classification is presented as an observational outcome rather than a derived claim, making the study self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

The paper reports empirical observations from honeypot deployments with no free parameters, axioms, or invented entities; it relies on standard assumptions of data logging in security research.

pith-pipeline@v0.9.1-grok · 5685 in / 1025 out tokens · 68441 ms · 2026-06-29T03:46:09.290158+00:00 · methodology

A Ethical Considerations

Our honeypots logged only the traffic that attackers sent to them. We collected no personal data beyond source IP addresses, which we use only in aggregate and do not publish. No human subjects were involved in this study.