{rfName}
Ho

Indexed in

License and use

Citations

1

Altmetrics

Analysis of institutional authors

Hernandez-Castro, JAuthor

Share

December 19, 2024
Publications
>
Proceedings Paper
Green

Honeypot's Best Friend? Investigating ChatGPT's Ability to Evaluate Honeypot Logs

Publicated to:Proceedings Of The 2024 European Interdisciplinary Cybersecurity Conference, Eicc 2024. 128-135 - 2024-01-01 (), DOI: 10.1145/3655693.3655716

Authors: Ozkok, MB; Birinci, B; Cetin, O; Arief, B; Hernandez-Castro, J

Affiliations

Sabanci Univ - Author
Univ Kent - Author
Univ Politecn Madrid - Author

Abstract

Honeypots can gather substantial data from intruders, but many honeypots lack the necessary features to analyse and explain the nature of these potential attacks. Typically, honeypot analysis reports only highlight the attacking IP addresses and the malicious requests. As such, analysts might miss out on the more useful insights that can be derived from the honeypot data, such as the attackers' plan or emerging threats. Meanwhile, recent advances in large language models (LLM) - such as ChatGPT - have opened up the possibility of using artificial intelligence (AI) to comprehend honeypot data better, for instance, to perform an automated and intelligent log analysis that can explain consequences, provide labels, and deal with obfuscation. In this study, we probed ChatGPT's proficiency in understanding and explaining honeypot logs from actual recorded attacks on our honeypots. Our data encompassed 627 requests to Elasticsearch honeypots and 73 attacks detected by SSH honeypots, collected over a two-week period. Our analysis was focused on evaluating ChatGPT's explanation ability regarding the potential consequences of each attack, in alignment with the MITRE ATT&CK Framework, and whether ChatGPT can identify any obfuscation techniques that might be used by attackers. We found that ChatGPT achieved a 96.65% accuracy in correctly explaining the consequences of the attack targeting Elasticsearch servers. Furthermore, ChatGPT achieved a 72.46% accuracy in matching a given attack to one or more techniques listed by the MITRE ATT&CK Framework. Similarly, ChatGPT was excellent in identifying obfuscation techniques employed by attackers and offering deobfuscation solutions. However, 30.46% of the request body and 7.5% of the targeted URI were falsely identified as obfuscated, leading to a very high score of false positive for obfuscation. With the SSH honeypot data, we achieved a 97.26% accuracy while explaining the consequences of the attacks and a 98.84% accuracy for correctly mapping to MITRE ATT&CK Framework techniques. Based on these results, we can say that ChatGPT has shown great potential for automating the process of analysing honeypot data. Its proficiency in explaining attack consequences and in managing obfuscation through implementing MITRE ATT&CK techniques is impressive. Nevertheless, it is essential to be mindful of the possibility of high false positive rates, which can cause some issues. This needs to be addressed in future research, for example by leveraging the advanced fine-tuning techniques that were recently introduced to ChatGPT, but not available at the time of writing of this paper.

Keywords

Artificial intelligenceChatgptComputational linguisticsData obfuscationDeobfuscationFalse positiveFalse positive ratesFramework techniquesHoneypotHoneypotsLanguage modelLog analysisMatchingsNetwork securityPotential attackWell logging

Quality index

Bibliometric impact. Analysis of the contribution and dissemination channel

Independientemente del impacto esperado determinado por el canal de difusión, es importante destacar el impacto real observado de la propia aportación.

Según las diferentes agencias de indexación, el número de citas acumuladas por esta publicación hasta la fecha 2025-07-05:

  • Scopus: 1

Impact and social visibility

From the perspective of influence or social adoption, and based on metrics associated with mentions and interactions provided by agencies specializing in calculating the so-called "Alternative or Social Metrics," we can highlight as of 2025-07-05:

  • The use of this contribution in bookmarks, code forks, additions to favorite lists for recurrent reading, as well as general views, indicates that someone is using the publication as a basis for their current work. This may be a notable indicator of future more formal and academic citations. This claim is supported by the result of the "Capture" indicator, which yields a total of: 24 (PlumX).

It is essential to present evidence supporting full alignment with institutional principles and guidelines on Open Science and the Conservation and Dissemination of Intellectual Heritage. A clear example of this is:

  • The work has been submitted to a journal whose editorial policy allows open Open Access publication.

Leadership analysis of institutional authors

This work has been carried out with international collaboration, specifically with researchers from: Turkey; United Kingdom.

There is a significant leadership presence as some of the institution’s authors appear as the first or last signer, detailed as follows: Last Author (HERNANDEZ CASTRO, JULIO CESAR).