Phase-Adaptive Model Routing in LLM-Driven SSH Honeypots: Balancing Response Fidelity and Latency Across the Attack Lifecycle
Abstract
1. Introduction
2. Literature Review
2.1. Evolution of SSH Honeypot Realism
2.2. Language Models as Response Generators
2.3. Language Models as Feature Extractors
2.4. Adaptive Inference and Model Cascading
2.5. Positioning of the Present Study
3. Materials and Methods
3.1. System Model and Problem Formulation
| Algorithm 1. Offline dispatch-table construction and online routing. |
| Offline—dispatch-table construction (input: calibration split D_cal) 1: for each phase s ∈ {recon, exploit, persist} do 2: for each complexity bucket κ ∈ {0, 1, 2} do 3: A ← {k ∈ M: (k, s, κ) ≥ φ_min(s)} ▷ admissible backends 4: if A = ∅ then A ← {argmaxk (k, s, κ)} ▷ fall back to most-faithful 5: T[s, κ] ← argmink ∈ A (k, κ) ▷ least-latency admissible 6: end for 7: end for 8: return dispatch table T Online—per-command routing (input: command c_t) 9: (ŝ_t, γ_t) ← PhaseEstimator(window_t) ▷ stage + confidence 10: κ_t ← Complexity(c_t) ▷ complexity bucket ∈ {0, 1, 2} 11: k ← T[ŝ_t, κ_t] ▷ O(1) table lookup 12: if γ_t < θ and φ(k, ŝ_t, κ_t) < φ_min(ŝ_t) + (1 − γ_t)·δ then ▷ escalation, Equation (2) 13: k ← next_higher_capacity_backend(k) 14: end if 15: return Generate(k, c_t) |
3.2. PAMR Architecture
3.2.1. SSH Frontend
3.2.2. Phase Estimator
3.2.3. Router
3.2.4. Backend Pool and Logging
3.3. Dataset and Ground Truth
3.4. Evaluation Protocol
- Phase-Weighted Fidelity (PWF): the average per-command token-level fidelity weighted by the operational severity of the stage in which the command was issued, with severity weights wrecon = 1, wexploit = 2 and wpersist = 2. The 2:1 weighting of exploitation and persistence over reconnaissance reflects the operational consensus that an inconsistent response during post-foothold phases is substantially more likely to trigger attacker suspicion than during initial enumeration, consistent with the qualitative assessment in [1] and the session-dwell observations in [2].
- Latency Savings Ratio (LSR): the relative reduction in mean response latency achieved by PAMR with respect to a reference uniform-model baseline.
3.5. Cross-Validation and Dispatch-Table Robustness
3.6. Implementation Notes
3.6.1. Sentence Encoder
3.6.2. Complexity Scoring
3.6.3. Dispatch Table
3.6.4. Confidence Threshold
4. Results and Discussion
4.1. Routing Distribution Across the Backend Pool
4.2. Latency and Fidelity Trade-Off
4.3. Phase Classification Quality
4.4. Discussion
4.4.1. Operational Interpretation
4.4.2. Relation to Prior Work
4.4.3. State Consistency: A Coherence Lens on Fidelity
4.4.4. Limitations
- Benchmark rather than live traffic: The evaluation is conducted in a controlled laboratory setting on a curated benchmark, not against live attackers. This preserves comparability with [1] and offers methodological control, but it cannot capture the strategic behaviour of adversaries who probe the system to detect the routing logic, and it under-represents the noise and variability of in-the-wild traffic. Part of the benchmark is synthesized, which can bias every learned or calibrated component in a correlated way: the phase estimator may exploit lexical regularities of synthesized traces that real traffic lacks; the router’s dispatch table is calibrated against that same distribution; and the token-level fidelity metrics are computed against references drawn from the same curated set. The 0.87 online F1 and the latency savings should therefore be read as within-distribution results whose external validity is established only by the live deployment described in Section 5.
- Token-level fidelity, not operational realism: As detailed in Section 4.4.3, cosine/Jaro–Winkler/BLEU measure token- or character-level similarity to a reference and do not capture within-session state consistency. We have accordingly framed the contribution throughout as a latency/token-fidelity trade-off and proposed SCR as the missing operational measure; we do not claim a latency/operational-realism trade-off on the present evidence.
- Coarse three-stage taxonomy: The reconnaissance–exploitation–persistence scheme is inherited from [2] and covers the early-to-mid kill-chain tactics typical of opportunistic SSH intrusions, but real campaigns also include privilege escalation, lateral movement, defence evasion, data exfiltration, and cleanup. We adopt three stages for comparability with [2] and because they already exercise the full routing mechanism, but we regard the taxonomy as a limitation rather than a sufficient model. Importantly, nothing in the formulation of Section 3.1 is tied to three classes: the dispatch table generalizes to an N-phase × M-complexity grid, and adding stages requires only additional prototype vectors and additional rows in Algorithm 1. Extending to a finer-grained kill-chain taxonomy is therefore a matter of annotation and calibration effort, addressed in Section 5.
- Hardware- and backend-dependent latency, with an API artefact: The latency figures in Table 1 are sensitive to the choice of backends and hardware; absolute values are indicative rather than universal. In particular, the high-capacity reference is API-hosted and its latency is infrastructure-favoured (Section 4.2), which is why we additionally report the more conservative 45% reduction against the locally hosted mid-capacity baseline.
- Abandonment and dwell-time not measured. The most operationally meaningful outcome—whether routing makes attackers stay longer or abandon less often—cannot be measured on a static benchmark and is not reported here; PWF is used as a stand-in for the cost of low-fidelity responses, but it is a proxy, not a behavioural measurement. Dwell time and abandonment rate are primary endpoints of the planned live study (Section 5).
4.4.5. Threats to Validity
4.4.6. Adversarial Latency Analysis
4.4.7. Deployment Considerations: Heterogeneous (Linux and Windows) Environments
5. Conclusions
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Malhotra, P. LLMHoney: A real-time SSH honeypot with large language model-driven dynamic response generation. arXiv 2025, arXiv:2509.01463. [Google Scholar]
- Magazov, R.; Uralova, F.; Aksholak, G.; Abeshev, K. Command pattern recognition in Linux-based cyber incidents using large language models for intelligent honeypot systems. In Proceedings of the 2026 18th International Conference on Electronics, Computer, and Computation (ICECCO), Kaskelen, Kazakhstan, 10–11 April 2026. [Google Scholar]
- Oosterhof, M. Cowrie SSH/Telnet Honeypot, Version 2.5.0 Documentation. Available online: https://docs.cowrie.org/ (accessed on 8 July 2026).
- Pahal, S.; Priya, P. A comprehensive research study on low-interaction SSH honeypot. Mapana J. Sci. 2022, 21, 99–118. [Google Scholar] [CrossRef]
- Franco, J.J.; Aris, A.; Canberk, B.; Uluagac, A.S. A survey of honeypots and honeynets for IoT, IIoT, and cyber-physical systems. IEEE Commun. Surv. Tutor. 2021, 23, 2351–2383. [Google Scholar] [CrossRef]
- Javadpour, A.; Ja’Fari, F.; Taleb, T.; Shojafar, M.; Benzaïd, C. A comprehensive survey on cyber deception techniques to improve honeypot performance. Comput. Secur. 2024, 140, 103792. [Google Scholar] [CrossRef]
- Morić, Z.; Dakić, V.; Regvart, D. Advancing cybersecurity with honeypots and deception strategies. Informatics 2025, 12, 14. [Google Scholar] [CrossRef]
- Otal, H.T.; Canbaz, M.A. LLM honeypot: Leveraging large language models as advanced interactive honeypot systems. arXiv 2024, arXiv:2409.08234. [Google Scholar]
- Sladić, M.; Valeros, V.; Catania, C.; García, S. LLM in the shell: Generative honeypots. In Proceedings of the IEEE European Symposium on Security and Privacy Workshops (EuroSPW), Vienna, Austria, 8–12 July 2024. [Google Scholar]
- Wang, Z.; You, J.; Wang, H.; Yuan, T.; Lv, S.; Wang, Y.; Sun, L. HoneyGPT: Breaking the trilemma in terminal honeypots with large language models. arXiv 2024, arXiv:2406.01882. [Google Scholar]
- Fan, W.; Yang, Z.; Liu, Y.; Qin, L.; Liu, J. HoneyLLM: A large language model-powered medium-interaction honeypot. In Proceedings of the ICICS, Mytilene, Greece, 26–28 August 2024; pp. 253–272. [Google Scholar]
- Volkov, D. LLM agent honeypot: Monitoring AI hacking agents in the wild. arXiv 2024, arXiv:2410.13919. [Google Scholar]
- Bridges, R.A.; Mitchell, T.R.; Muñoz, M.; Henriksson, T. SoK: Honeypots & LLMs, more than the sum of their parts? arXiv 2025, arXiv:2510.25939. [Google Scholar]
- Crespi, V.; Hardaker, W.; Abu-El-Haija, S.; Galstyan, A. Identifying botnet IP address clusters using NLP techniques on honeypot command logs. arXiv 2021, arXiv:2104.10232. [Google Scholar]
- Liu, Z.; Buford, J. Anomaly detection of command shell sessions based on DistilBERT. arXiv 2023, arXiv:2310.13247. [Google Scholar]
- Hobert, K.; Lim, C.; Budiarto, E. Enhancing cyber attribution through behavior similarity detection on Linux shell honeypots with ATT&CK framework. In Proceedings of the IEEE International Conference on Cryptography, Informatics, and Cybersecurity (ICoCICs), Bogor, Indonesia, 22–24 August 2023. [Google Scholar] [CrossRef]
- Alasmary, H.; Anwar, A.; Abusnaina, A.; Alabduljabbar, A.; Abuhamad, M.; Wang, A.; Nyang, D.; Awad, A.; Mohaisen, D. ShellCore: Automating malicious IoT software detection by using shell commands representation. arXiv 2021, arXiv:2103.14221. [Google Scholar]
- Dong, S.; Su, H.; Xia, Y.; Zhu, F.; Hu, X.; Wang, B. A comprehensive survey on authentication and attack detection schemes that threaten it in vehicular ad-hoc networks. IEEE Trans. Intell. Transp. Syst. 2023, 24, 13573–13602. [Google Scholar] [CrossRef]
- Chen, L.; Zaharia, M.; Zou, J. FrugalGPT: How to use large language models while reducing cost and improving performance. arXiv 2023, arXiv:2305.05176. [Google Scholar]
- Shazeer, N.; Mirhoseini, A.; Maziarz, K.; Davis, A.; Le, Q.; Hinton, G.; Dean, J. Outrageously large neural networks: The sparsely-gated mixture-of-experts layer. arXiv 2017, arXiv:1701.06538. [Google Scholar]
- MITRE Corporation. MITRE ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge. 2025. Available online: https://attack.mitre.org/ (accessed on 2 June 2026).
- Landis, J.R.; Koch, G.G. The measurement of observer agreement for categorical data. Biometrics 1977, 33, 159–174. [Google Scholar] [CrossRef] [PubMed]
- Papineni, K.; Roukos, S.; Ward, T.; Zhu, W.J. BLEU: A method for automatic evaluation of machine translation. In Proceedings of the 40th Annual Meeting of the Association for Computational Linguistics (ACL), Philadelphia, PA, USA, 7–12 July 2002; pp. 311–318. [Google Scholar]
- Wolf, T.; Debut, L.; Sanh, V.; Chaumond, J.; Delangue, C.; Moi, A.; Cistac, P.; Rault, T.; Louf, R.; Funtowicz, M.; et al. Transformers: State-of-the-art natural language processing. In Proceedings of the EMNLP (System Demonstrations), Online, 16–20 October 2020; pp. 38–45. [Google Scholar]







| Configuration | Latency ms | ±SD | Cosine Sim. | ±SD | Jaro–Winkler | BLEU-4 | PWF |
|---|---|---|---|---|---|---|---|
| Small uniform | 492 | (31) | 0.171 | (0.021) | 0.518 | 0.029 | 0.21 |
| Mid-capacity uniform | 3584 | (142) | 0.211 | (0.018) | 0.612 | 0.063 | 0.34 |
| High-capacity uniform | 3168 | (119) | 0.404 | (0.029) | 0.710 | 0.244 | 0.51 |
| PAMR (proposed) | 1974 | (87) | 0.391 | (0.026) | 0.694 | 0.231 | 0.49 |
| Attack Stage | Precision | Recall | F1-Score |
|---|---|---|---|
| Reconnaissance | 0.89 (±0.014) | 0.88 (±0.013) | 0.88 (±0.013) |
| Exploitation | 0.86 (±0.017) | 0.87 (±0.016) | 0.86 (±0.016) |
| Persistence | 0.88 (±0.015) | 0.85 (±0.018) | 0.86 (±0.017) |
| Macro-average | 0.88 (±0.015) | 0.87 (±0.016) | 0.87 (±0.015) |
| Variant | Latency ms | ±SD | PWF | ±SD | ΔLatency vs. Full PAMR |
|---|---|---|---|---|---|
| Full PAMR | 1974 | (87) | 0.49 | (0.019) | — |
| −dictionary cache | 2641 | (94) | 0.49 | (0.019) | +34% |
| −conf. escalation | 2012 | (91) | 0.44 | (0.022) | +2% |
| −phase routing | 2198 | (103) | 0.46 | (0.021) | +11% |
| −estimator (rnd) | 2887 | (211) | 0.41 | (0.031) | +46% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Magazov, R.; Uralova, F.; Abeshev, K.; Akhmedi, G.; Aksholak, G. Phase-Adaptive Model Routing in LLM-Driven SSH Honeypots: Balancing Response Fidelity and Latency Across the Attack Lifecycle. Future Internet 2026, 18, 359. https://doi.org/10.3390/fi18070359
Magazov R, Uralova F, Abeshev K, Akhmedi G, Aksholak G. Phase-Adaptive Model Routing in LLM-Driven SSH Honeypots: Balancing Response Fidelity and Latency Across the Attack Lifecycle. Future Internet. 2026; 18(7):359. https://doi.org/10.3390/fi18070359
Chicago/Turabian StyleMagazov, Raiymbek, Fatima Uralova, Kuanysh Abeshev, Guldana Akhmedi, and Gulnur Aksholak. 2026. "Phase-Adaptive Model Routing in LLM-Driven SSH Honeypots: Balancing Response Fidelity and Latency Across the Attack Lifecycle" Future Internet 18, no. 7: 359. https://doi.org/10.3390/fi18070359
APA StyleMagazov, R., Uralova, F., Abeshev, K., Akhmedi, G., & Aksholak, G. (2026). Phase-Adaptive Model Routing in LLM-Driven SSH Honeypots: Balancing Response Fidelity and Latency Across the Attack Lifecycle. Future Internet, 18(7), 359. https://doi.org/10.3390/fi18070359

