LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot
Abstract
1. Introduction
- We identify and analyze two fundamental flaws in LLM-based SSH honeypots: state loss from context window limitations and output hallucinations from generative mechanisms, demonstrating their exploitability.
- We propose LLM-SSHH, combining persistent state snapshots with state-driven response generation and output validation to achieve state consistency and generation flexibility.
- We implement and evaluate our framework, achieving substantially lower detection rates and significantly extended interaction survivability compared to existing methods.
2. Related Work
2.1. LLM in Cybersecurity
2.2. Honeypots Technologies
3. Problem Formulation
3.1. Task Definition
3.2. Assumptions
- System Scope. The honeypot simulates a basic Linux SSH server environment where all command outputs are generated through simulation without executing real binaries or kernel operations. Input commands are assumed to be syntactically valid.
- Resource Constraints. The system has access to capable LLM APIs such as GPT-4 or Claude, subject to standard API latency and rate limits.
- Attacker Model. The attacker is assumed to possess Linux expertise and can execute arbitrary shell commands but has no access to the internal implementation details of the honeypot.
4. LLM-SSHH
4.1. Algorithm Overview
4.2. State Snapshot
- File System State : Represents the honeypot’s file system and models it using a dictionary data structure that maps complete paths to file information (e.g., {“/etc/passwd”: FileObject}), formalized as . Each file object contains a type field (file or directory), content payload, and metadata (permissions, ownership, timestamps). For instance, the dictionary key /root/script.sh maps to , . Path prefix relationships implicitly encode directory hierarchy, enabling efficient query resolution where listing /root simply matches all /root/* paths without constructing explicit tree structures.
- Context State : Maintains mutable session information as an extensible set , where d stores the current working directory, holds environment variables, records command history synchronized with /root/.bash_history in , maps process IDs to descriptors, maintains network connections, and tracks system timestamps. Additional fields such as user sessions or open file descriptors can be incorporated based on deployment requirements.
- System Metadata : Encapsulates immutable system identification attributes as . All fields are initialized once at session start. The field set can be extended with new entries during runtime, but existing field values remain unchanged to ensure consistency. This design guarantees temporal consistency for repeated invocations of system information commands such as uname -a, hostname, or cat /etc/os-release.
4.3. Output Generation
4.4. Output Validation
- File System Consistency. For directory listing commands such as ls, the validator extracts the ground truth file set from the state snapshot and accepts response r only if , ensuring that all files recorded in the state snapshot appear in the output while allowing the LLM to generate additional realistic files to enhance system authenticity. Similar validation applies to file content (cat) and path resolution (pwd) commands.
- Temporal Consistency. System identification commands such as uname, hostname, and date must return identical outputs across repeated invocations within a single session. The system maintains a consistency cache mapping each command to its first execution output, validating subsequent executions by checking whether for repeated commands or for first-time invocations.
- Structural Integrity. Format-sensitive outputs such as ps aux and netstat are validated against structural templates to ensure content completeness (all entries from or must appear), state mapping accuracy, and format compliance with standard Linux specifications. Any missing fields, formatting errors, or content mismatches trigger rejection to prevent outputs that would confuse parsing tools or reveal simulation artifacts.
5. Experiment and Evaluation
5.1. Experimental Setup
5.1.1. Experimental Design Rationale
- For attack command generation, the LLM generates candidate commands based on the current system state and previously executed commands, followed by review from one cybersecurity researcher who validates syntactic correctness, attack logic rationality, and safety to avoid actual destructive operations, with the LLM required to regenerate until approval is obtained if deemed unreasonable. This human-machine collaboration approach can generate more diverse and context-relevant attack sequences compared to static command sets.
- For interaction sequence judgment, to avoid requiring manual assessment for every interaction, we artificially limit session interaction sequence lengths to between 5 and 50 rounds, submitting complete interaction sequences of specific lengths to the LLM for preliminary judgment (i.e., three independent judgments are performed for each sequence length, and the final decision is determined by majority voting), followed by human review to confirm the final results and determine whether the system is a honeypot. The Detection Rate (DR) is then calculated across multiple experimental trials.
5.1.2. Baseline Methods
- Docker (Real Linux Environment) [29]: A genuine Ubuntu 20.04 container serving as the oracle for evaluating output correctness, where all commands are executed in a real Linux environment without any simulation or emulation.
- LLM-Basic [30]: A minimal LLM-powered honeypot that directly forwards attacker commands to a language model without maintaining explicit state, relying solely on the LLM’s short-term conversational memory for context retention.
- shelLM [10]: An LLM-driven honeypot employing chain-of-thought prompting and session-based history management, where the complete interaction history is preserved across sessions but lacks a structured filesystem representation.
- LLMHoney [31]: A hybrid architecture combining dictionary-based caching for common commands with LLM generation for novel inputs, featuring a virtual filesystem but limited to predefined file structures.
- HoneyLLM [9]: An LLM-powered medium-interaction honeypot that generates authentic shell responses to deceive attackers without exposing a real operating system.
- Cowrie_LLM [32]: An enhanced version of the widely-deployed Cowrie honeypot augmented with LLM capabilities, where pre-scripted responses are replaced by dynamic LLM-generated outputs while retaining Cowrie’s static filesystem emulation.
5.1.3. Evaluation Metrics
5.1.4. Hyperparameter Settings
5.2. Experimental Results
5.2.1. Detection Rate Across Interaction Lengths
5.2.2. Validation of Evaluation Methodology
5.2.3. Ablation Study
5.3. Case Study
6. Conclusions
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- Melese, S.Z.; Avadhani, P. Honeypot system for attacks on SSH protocol. Int. J. Comput. Netw. Inf. Secur. 2016, 8, 19. [Google Scholar] [CrossRef]
- Franco, J.; Aris, A.; Canberk, B.; Uluagac, A.S. A survey of honeypots and honeynets for internet of things, industrial internet of things, and cyber-physical systems. IEEE Commun. Surv. Tutor. 2021, 23, 2351–2383. [Google Scholar] [CrossRef]
- Oosterhof, M. Cowrie SSH/Telnet Honeypot. Open-Source Medium Interaction SSH/Telnet Honeypot Software. 2015–2025. Available online: https://github.com/cowrie/cowrie (accessed on 20 December 2025).
- Tamminen, U. Kippo: Medium Interaction SSH Honeypot. Archived SSH Honeypot Project, Predecessor to Cowrie. 2010–2015. Available online: https://github.com/desaster/kippo (accessed on 20 December 2025).
- Kheirkhah, E.; Amin, S.P.; Sistani, H.J.; Acharya, H. An experimental study of ssh attacks by using honeypot decoys. Indian J. Sci. Technol. 2013, 6, 5567–5578. [Google Scholar] [CrossRef]
- Doubleday, H.; Maglaras, L.; Janicke, H. SSH honeypot: Building, deploying and analysis. Int. J. Adv. Comput. Sci. Appl. 2016, 7, 117–121. [Google Scholar] [CrossRef]
- OpenAI. GPT-4 Technical Report. arXiv 2023, arXiv:2303.08774. [Google Scholar] [CrossRef]
- Anthropic. Introducing the Next Generation of Claude. Advanced Claude Family of Large Language Models. 2024. Available online: https://www.anthropic.com/news/claude-3-family (accessed on 10 December 2025).
- Fan, W.; Yang, Z.; Liu, Y.; Qin, L.; Liu, J. Honeyllm: A large language model-powered medium-interaction honeypot. In Proceedings of the International Conference on Information and Communications Security; Springer: Berlin/Heidelberg, Germany, 2024; pp. 253–272. [Google Scholar]
- Sladić, M.; Valeros, V.; Catania, C.; Garcia, S. Llm in the shell: Generative honeypots. In Proceedings of the 2024 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW); IEEE: Piscataway, NJ, USA, 2024; pp. 430–435. [Google Scholar]
- Du, Y.; Tian, M.; Ronanki, S.; Rongali, S.; Bodapati, S.; Galstyan, A.; Wells, A.; Schwartz, R.; Huerta, E.A.; Peng, H. Context length alone hurts LLM performance despite perfect retrieval. arXiv 2025, arXiv:2510.05381. [Google Scholar] [CrossRef]
- Liu, J.; Zhu, D.; Bai, Z.; He, Y.; Liao, H.; Que, H.; Wang, Z.; Zhang, C.; Zhang, G.; Zhang, J.; et al. A comprehensive survey on long context language modeling. arXiv 2025, arXiv:2503.17407. [Google Scholar] [CrossRef]
- Ji, Z.; Yu, T.; Xu, Y.; Lee, N.; Ishii, E.; Fung, P. Towards mitigating LLM hallucination via self reflection. In Proceedings of the Findings of the Association for Computational Linguistics: EMNLP 2023, Singapore, 6–10 December 2023; pp. 1827–1843. [Google Scholar]
- Martino, A.; Iannelli, M.; Truong, C. Knowledge injection to counter large language model (LLM) hallucination. In Proceedings of the European Semantic Web Conference; Springer: Berlin/Heidelberg, Germany, 2023; pp. 182–185. [Google Scholar]
- Mohawesh, R.; Ottom, M.A.; Salameh, H.B. A data-driven risk assessment of cybersecurity challenges posed by generative AI. Decis. Anal. J. 2025, 15, 100580. [Google Scholar] [CrossRef]
- Motlagh, F.N.; Hajizadeh, M.; Majd, M.; Najafi, P.; Cheng, F.; Meinel, C. Large language models in cybersecurity: State-of-the-art. arXiv 2024, arXiv:2402.00891. [Google Scholar] [CrossRef]
- Xu, H.; Wang, S.; Li, N.; Wang, K.; Zhao, Y.; Chen, K.; Yu, T.; Liu, Y.; Wang, H. Large language models for cyber security: A systematic literature review. ACM Trans. Softw. Eng. Methodol. 2024. [Google Scholar] [CrossRef]
- Deason, L.; Bali, A.; Bejean, C.; Bolocan, D.; Crnkovich, J.; Croitoru, I.; Durai, K.; Midler, C.; Miron, C.; Molnar, D.; et al. CyberSOCEval: Benchmarking LLMs Capabilities for Malware Analysis and Threat Intelligence Reasoning. arXiv 2025, arXiv:2509.20166. [Google Scholar] [CrossRef]
- Wang, T.; Xie, X.; Zhang, L.; Wang, C.; Zhang, L.; Cui, Y. Shieldgpt: An llm-based framework for ddos mitigation. In Proceedings of the 8th Asia-Pacific Workshop on Networking, Sydney, Australia, 3–4 August 2024; pp. 108–114. [Google Scholar]
- Rigaki, M.; Catania, C.; Garcia, S. Hackphyr: A local fine-tuned LLM agent for network security environments. arXiv 2024, arXiv:2409.11276. [Google Scholar] [CrossRef]
- Phanireddy, S. LLM Security and Guardrail Defense Techniques in Web Applications. Int. J. Emerg. Trends Comput. Sci. Inf. Technol. 2025, 221–224. [Google Scholar] [CrossRef]
- Prasad, R.B.; Abraham, A.; Abhinav, A.; Gurlahosur, S.V.; Srinivasa, Y. Design and Efficient Deployment of Honeypot and Dynamic Rule Based Live Network Intrusion Collaborative System. Int. J. Netw. Secur. Its Appl. 2011, 3, 52–67. [Google Scholar] [CrossRef]
- Kelly, C.; Pitropakis, N.; Mylonas, A.; McKeown, S.; Buchanan, W.J. A comparative analysis of honeypots on different cloud platforms. Sensors 2021, 21, 2433. [Google Scholar] [CrossRef] [PubMed]
- Yu, T.; Xin, Y.; Zhang, C. HoneyFactory: Container-Based Comprehensive Cyber Deception Honeynet Architecture. Electronics 2024, 13, 361. [Google Scholar] [CrossRef]
- Lengyel, T.K.; Neumann, J.; Maresca, S.; Payne, B.D.; Kiayias, A. Virtual machine introspection in a hybrid honeypot architecture. In Proceedings of the CSET, Bellevue, WA, USA, 6 August 2012. [Google Scholar]
- Wang, Z.; You, J.; Wang, H.; Yuan, T.; Lv, S.; Wang, Y.; Sun, L. HoneyGPT: Breaking the trilemma in terminal honeypots with large language model. arXiv 2024, arXiv:2406.01882. [Google Scholar] [CrossRef]
- Maesschalck, S.; Giotsas, V.; Race, N. World wide ICS honeypots: A study into the deployment of conpot honeypots. In Proceedings of the Industrial Control System Security Workshop, Virtual, 7 December 2021; pp. 1–10. [Google Scholar]
- Liu, Y.; Li, D.; Wang, K.; Xiong, Z.; Shi, F.; Wang, J.; Li, B.; Hang, B. Are LLMs good at structured outputs? A benchmark for evaluating structured output capabilities in LLMs. Inf. Process. Manag. 2024, 61, 103809. [Google Scholar] [CrossRef]
- Docker, Inc. Docker: Lightweight Container Platform. 2013–2025. Available online: https://www.docker.com/ (accessed on 25 December 2025).
- Sahoo, P.; Singh, A.K.; Saha, S.; Jain, V.; Mondal, S.; Chadha, A. A systematic survey of prompt engineering in large language models: Techniques and applications. arXiv 2024, arXiv:2402.07927. [Google Scholar]
- Malhotra, P. LLMHoney: A Real-Time SSH Honeypot with Large Language Model-Driven Dynamic Response Generation. arXiv 2025, arXiv:2509.01463. [Google Scholar]
- ZHallen122. Cowrie_LLM: A GPT-Enhanced Cowrie Honeypot (GitHub Repository). 2025. Available online: https://github.com/ZHallen122/Cowrie_LLM (accessed on 25 December 2025).



| Symbol | Description |
|---|---|
| Command and response at interaction round i | |
| State snapshot: file system, context, metadata | |
| Response generation and state update functions | |
| File system state (path → file objects) | |
| Context state components | |
| System metadata (hostname, kernel, OS, etc.) | |
| Output validation function | |
| Interaction survivability metric |
| Method | Interaction Rounds | Mean | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| 5 | 10 | 15 | 20 | 30 | 35 | 40 | 45 | 50 | ||
| True Docker | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.1 | 0.1 | 0.2 | 0.2 | 0.075 |
| ShelLM | 0.0 | 0.1 | 0.2 | 0.1 | 0.6 | 0.5 | 0.8 | 0.8 | 1.0 | 0.513 |
| LLMHoney | 0.0 | 0.0 | 0.1 | 0.1 | 0.3 | 0.5 | 0.7 | 1.0 | 0.9 | 0.450 |
| HoneyLLM | 0.1 | 0.2 | 0.1 | 0.3 | 0.5 | 0.6 | 0.8 | 0.9 | 0.9 | 0.550 |
| Cowrie_llm | 0.0 | 0.0 | 0.2 | 0.3 | 0.4 | 0.5 | 0.8 | 1.0 | 1.0 | 0.613 |
| LLM-Basic | 0.1 | 0.1 | 0.3 | 0.2 | 0.4 | 1.0 | 1.0 | 0.9 | 1.0 | 0.625 |
| LLM-SSHH (Ours) | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 0.3 | 0.3 | 0.4 | 0.150 |
| Mean | 0.029 | 0.086 | 0.143 | 0.157 | 0.329 | 0.514 | 0.643 | 0.729 | 0.771 | - |
| Configuration | Interaction Rounds | Mean | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| 5 | 10 | 15 | 20 | 30 | 35 | 40 | 45 | 50 | ||
| w/o State Snapshot | 0.1 | 0.2 | 0.4 | 0.5 | 0.7 | 0.8 | 0.9 | 1.0 | 1.0 | 0.622 |
| w/o Output Validation | 0.0 | 0.1 | 0.1 | 0.2 | 0.3 | 0.4 | 0.5 | 0.6 | 0.7 | 0.322 |
| Full LLM-SSHH | 0.0 | 0.0 | 0.0 | 0.0 | 0.0 | 0.2 | 0.3 | 0.3 | 0.4 | 0.150 |
| Round | Command | LLM-Basic | LLM-SSHH (Ours) |
|---|---|---|---|
| 28 | cat/etc/passwd (repeated) | Inconsistent user lists ✗ | Fixed content from ✓ |
| 37 | ls/tmp | File not listed (state loss) ✗ | File correctly shown ✓ |
| 43 | uname -a (repeated) | Inconsistent kernel version ✗ | Consistent output via cache ✓ |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2026 by the authors. Published by MDPI on behalf of the International Institute of Knowledge Innovation and Invention. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
Share and Cite
Li, X.; Li, N.; Li, Z.; Yan, L.; Ma, D.; Cao, H.; Wang, X.; Liu, Y. LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot. Appl. Syst. Innov. 2026, 9, 101. https://doi.org/10.3390/asi9050101
Li X, Li N, Li Z, Yan L, Ma D, Cao H, Wang X, Liu Y. LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot. Applied System Innovation. 2026; 9(5):101. https://doi.org/10.3390/asi9050101
Chicago/Turabian StyleLi, Xiang, Nanfang Li, Zongrong Li, Lijun Yan, Denghui Ma, Haishan Cao, Xu Wang, and Yu Liu. 2026. "LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot" Applied System Innovation 9, no. 5: 101. https://doi.org/10.3390/asi9050101
APA StyleLi, X., Li, N., Li, Z., Yan, L., Ma, D., Cao, H., Wang, X., & Liu, Y. (2026). LLM-SSHH: An LLM-Powered SSH Honeypot Framework via State Snapshot. Applied System Innovation, 9(5), 101. https://doi.org/10.3390/asi9050101
