Splunk, a leader in data analytics and cybersecurity solutions, has introduced a groundbreaking proof-of-concept honeypot system named DECEIVE (DECeption with Evaluative Integrated Validation Engine).
This AI-powered tool is designed to simulate high-interaction systems with minimal setup effort, offering organizations an innovative way to monitor attacker behavior and gain insights into potential threats.
A New Era of Honeypots
Traditional honeypots often require extensive manual effort to set up realistic environments, including seeding them with user data, applications, and configurations.
DECEIVE eliminates this challenge by leveraging large language models (LLMs) to dynamically simulate realistic system environments based on customizable prompts.
This allows cybersecurity professionals to deploy convincing decoy systems without the need for extensive manual intervention.
Unlike conventional high-interaction honeypots that provide attackers access to real systems, DECEIVE relies on its AI backend to emulate responses and interactions.
This ensures that no actual system is compromised while still capturing valuable intelligence on attacker tactics, techniques, and procedures (TTPs).
Key Features of DECEIVE
AI-Driven System Simulation: Users can configure the type of system they want to emulate by editing a simple prompt file, for example:
- “You are a video game developer’s system with realistic source code and assets.”
Any further information that may be useful can be added to the prompt, for example:
- “You are the mail server for bigschool.edu, hosting simulated emails and user accounts.”
SSH Protocol Support: The current version of DECEIVE emulates a Linux server accessible via SSH. It logs all user inputs, AI-generated outputs, and session summaries.
Session Analysis: After each session, DECEIVE provides a summary categorizing the activity as benign, suspicious, or malicious. For example:
A benign session might involve basic commands like pwd (print working directory) or exit. Suspicious or malicious sessions could include reconnaissance commands or privilege escalation attempts.
Automated Logging: All interactions are logged in JSON lines format for easy analysis. Each log entry includes details such as timestamps (in UTC), source IP addresses, user inputs (base64-encoded), and LLM responses.
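The JSON-lines format described above lends itself to simple post-processing. The following is an added example (not code from the DECEIVE project) that parses such a log, decodes the base64-encoded user inputs, groups events into sessions and tallies the per-session judgement. The field names used (session_id, timestamp, src_ip, event, input_b64, llm_response, judgement) and the sample log lines are assumptions constructed for illustration; the real DECEIVE schema may differ, so adjust the names before pointing this at a live log.

```python
"""Parse DECEIVE-style JSON-lines honeypot logs and summarise sessions.

Added example, not part of the DECEIVE project. The field names below
(session_id, timestamp, src_ip, event, input_b64, llm_response,
judgement) are assumptions chosen for illustration.
"""
import base64
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log lines (not captured from a real deployment).
_SAMPLE_RECORDS = [
    {"timestamp": "2025-01-20T10:00:01Z", "session_id": "s1", "src_ip": "198.51.100.7",
     "event": "command", "input_b64": base64.b64encode(b"pwd").decode(),
     "llm_response": "/home/guest"},
    {"timestamp": "2025-01-20T10:00:03Z", "session_id": "s1", "src_ip": "198.51.100.7",
     "event": "command", "input_b64": base64.b64encode(b"exit").decode(),
     "llm_response": ""},
    {"timestamp": "2025-01-20T10:00:04Z", "session_id": "s1", "src_ip": "198.51.100.7",
     "event": "summary", "judgement": "BENIGN"},
    {"timestamp": "2025-01-20T11:12:00Z", "session_id": "s2", "src_ip": "203.0.113.9",
     "event": "command", "input_b64": base64.b64encode(b"id; uname -a").decode(),
     "llm_response": "uid=1000(guest) gid=1000(guest)\nLinux build01 5.15.0 ..."},
    {"timestamp": "2025-01-20T11:12:30Z", "session_id": "s2", "src_ip": "203.0.113.9",
     "event": "summary", "judgement": "SUSPICIOUS"},
]
SAMPLE_LOG = "\n".join(json.dumps(rec) for rec in _SAMPLE_RECORDS)


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines text into records, decoding base64 inputs.

    Lines that are not valid JSON, or whose input_b64 is not valid base64,
    are skipped so one corrupt line does not abort the whole analysis.
    Timestamps are normalised to timezone-aware UTC datetimes.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "input_b64" in rec:
            try:
                raw = base64.b64decode(rec["input_b64"], validate=True)
            except (ValueError, TypeError):
                continue
            # Attacker input is untrusted bytes; never fail on bad UTF-8.
            rec["input"] = raw.decode("utf-8", "replace")
        ts = rec.get("timestamp")
        if isinstance(ts, str):
            # Logs are in UTC; map the trailing "Z" to an explicit offset.
            rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        records.append(rec)
    return records


def summarise_sessions(records: list[dict]) -> dict[str, dict]:
    """Group records by session_id, in time order, collecting decoded
    commands and the LLM's final judgement for each session."""
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    sessions: dict[str, dict] = {}
    for rec in sorted(records, key=lambda r: r.get("ts", epoch)):
        sid = rec.get("session_id")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {
            "src_ip": rec.get("src_ip"), "start": rec.get("ts"),
            "end": rec.get("ts"), "commands": [], "judgement": None,
        })
        s["end"] = rec.get("ts", s["end"])
        if rec.get("event") == "command" and "input" in rec:
            s["commands"].append(rec["input"])
        elif rec.get("event") == "summary":
            s["judgement"] = rec.get("judgement")
    return sessions


def count_by_judgement(sessions: dict[str, dict]) -> dict[str, int]:
    """Tally sessions per judgement; sessions with no summary count as UNKNOWN."""
    return dict(Counter(s["judgement"] or "UNKNOWN" for s in sessions.values()))


if __name__ == "__main__":
    sessions = summarise_sessions(parse_log(SAMPLE_LOG))
    for sid, s in sessions.items():
        print(f"{sid} {s['src_ip']} {s['judgement']}: {s['commands']}")
    print(count_by_judgement(sessions))
```

Because the honeypot records whatever the client sends, the parser treats the decoded input as untrusted bytes and tolerates malformed lines; a triage script that crashes on the first odd record is of little use against the noisy traffic a public SSH port attracts.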
Cross-Platform Compatibility: While primarily developed on macOS 15 (Sequoia), DECEIVE is compatible with any UNIX-like system running Python 3, including Linux and Windows (via Windows Subsystem for Linux).
Getting Started with DECEIVE
- Clone the repository from GitHub:
git clone https://github.com/splunk/DECEIVE
cd DECEIVE
pip3 install -r requirements.txt
- Generate an SSH host key:
ssh-keygen -t rsa -b 4096 -f SSH/ssh_host_key
- Configure the honeypot by editing SSH/config.ini and SSH/prompt.txt to define the emulated system’s characteristics.
- Start the honeypot server:
export OPENAI_API_KEY=""
python3 ./ssh_server.py
- Test the setup using an SSH client:
ssh guest@localhost -p 8022
Splunk emphasizes that DECEIVE is a proof-of-concept project and not production-ready. While it offers valuable insights into attacker behavior, users are advised against deploying it in live environments without thorough testing and safeguards.
Additionally, since DECEIVE logs sensitive information such as usernames and passwords for analysis purposes, organizations must handle these logs responsibly to avoid privacy violations.
By combining AI’s generative capabilities with traditional cybersecurity tools, DECEIVE represents a significant leap forward in deception technology.
It empowers organizations to study attacker behavior in controlled environments while minimizing setup efforts and risks.
Splunk encourages contributions from the open-source community to enhance DECEIVE’s capabilities further.
As cyber threats continue to evolve, tools like DECEIVE demonstrate how artificial intelligence can play a pivotal role in strengthening organizational defenses while providing actionable intelligence against adversaries.