🤖 AI Summary
This study addresses the challenge of maintaining high fidelity, low latency, and strong consistency in long-running SSH deception sessions. To this end, it introduces large language models (LLMs) into system-level network deception for the first time, proposing a synergistic framework that integrates chain-of-thought automation, stateful memory, speculative command execution, sandbox-aware intelligent routing, and subdomain anomaly detection. This approach effectively mitigates common LLM limitations in persistent interactive environments—namely statelessness, response latency, and behavioral inconsistency—and establishes the first standardized evaluation protocol for such systems. Experimental results demonstrate significant improvements over baseline methods in correctness (0.898), consistency (0.918), state tracking (0.98), and robustness (0.95). User studies further confirm that the system’s realism rivals that of genuine shells, with superior perceived command coverage compared to traditional honeypots.
📝 Abstract
Cyber deception and Moving Target Defense are promising strategies that aim to disrupt adversaries by increasing uncertainty. However, sustaining long-lived, credible interactive sessions with adversaries remains an open challenge. Large Language Models (LLMs) offer a promising path toward more dynamic deception systems, but suffer from key limitations that fundamentally limit their applicability, including: lack of persistent state, output inconsistencies, hallucinations, latency, and susceptibility to behavioral subversion that may reveal the deception.
We propose ShellGames, an SSH shell simulator based on LLM designed to address these limitations. ShellGames combines five complementary techniques: (i) Automatic Chain-of-Thought and few-shot learning to improve correctness; (ii) memory management to maintain system state coherency; (iii) speculative command execution to reduce response latency; (iv) smart routing of complex interactive commands to a sandboxed environment; and (v) subversion detection leveraging the constrained input-output domain of shell environments. To enable systematic evaluation, we introduce a standardized benchmarking protocol and dataset spanning correctness, consistency, state tracking, and robustness tasks. ShellGames achieves $0.898$ command accuracy on correctness ($+5.3pp$ over baselines), $0.918$ sequence-level accuracy on consistency ($+36pp$), $0.98$ state tracking accuracy ($+18.3pp$), and $0.95$ accuracy on robustness ($+37pp$). A user study with $n=20$ participants confirms that ShellGames achieves realism comparable to a real shell under free exploration and outperforms traditional honeypots on perceived command coverage.