
Honeypot and Generative AI

Enea Gizzarelli

Honeypot and Generative AI.

Supervisor: Andrea Atzeni. Politecnico di Torino, Master's degree programme in Ingegneria Informatica (Computer Engineering), 2024

PDF (Tesi_di_laurea) - Thesis
License: Creative Commons Attribution Non-commercial No Derivatives.
Download (2MB)

Archive (ZIP) (Documenti_allegati) - Other
License: Creative Commons Attribution Non-commercial No Derivatives.
Download (3MB)
Abstract:

The rapidly evolving nature of cybersecurity threats has necessitated the development of more adaptive and dynamic defence strategies. Traditional methods often struggle to keep pace with the fluid tactics of attackers, exacerbating the Defender's Dilemma: an attacker needs to exploit only a single vulnerability, whereas defenders are tasked with protecting every possible entry point. This thesis addresses this challenge by integrating generative artificial intelligence (AI) with honeypot technologies, culminating in the creation of SYNAPSE (Synthetic AI Pot for Security Enhancement). SYNAPSE represents an innovative approach to cybersecurity defence by combining the deceptive nature of honeypots with the adaptive capabilities of AI. This thesis explores how such dynamic systems can significantly enhance cyber defences, transforming honeypots from passive lures into active participants in cybersecurity strategies. A vital component of this research is the automatic mapping of the logs generated by SYNAPSE to the MITRE ATT&CK framework. By integrating machine learning technologies, SYNAPSE accelerates the identification of attack patterns, offering defenders immediate insight into the strategies employed by attackers and enabling them to respond in real time.

The Literature Review in Chapter 2 covers foundational concepts surrounding information security, cybersecurity, and honeypot technologies. It also provides an overview of generative artificial intelligence and the advancements in large language models (LLMs), which form the backbone of SYNAPSE's AI-driven responses. The literature review also introduces the MITRE ATT&CK framework, establishing its significance in contextualizing cyber threats and in mapping SYNAPSE's logs to adversary tactics.

The Methodology, Chapter 3, details SYNAPSE's design, development, and implementation. The system simulates a Linux OS terminal with critical services such as SSH and MySQL servers, designed to mimic real-world interactions with attackers. In addition, the SYNAPSE-to-MITRE extension is introduced, which automatically maps the collected logs to the MITRE ATT&CK framework. This chapter also includes case studies and experiments to evaluate SYNAPSE's performance.

The Results in Chapter 4 highlight the essential findings and evaluations from the experiments. SYNAPSE's dynamic interaction capabilities significantly improved its ability to deceive attackers, making it a more effective defence mechanism than traditional honeypots. The automatic mapping of logs to the MITRE ATT&CK framework allowed for faster and more accurate identification of attack tactics, giving defenders real-time actionable insights. This chapter also presents the comparative analysis between SYNAPSE and DENDRITE, emphasizing the limitations of static honeypots and the advantages of AI-driven systems.

This research contributes to the broader field of cybersecurity by showcasing the effectiveness of AI-enhanced honeypots and of automated log mapping to frameworks like MITRE ATT&CK. Future work could explore integrating additional AI models, testing SYNAPSE in more diverse environments, and expanding the automatic mapping capabilities to other cybersecurity frameworks. This thesis lays the foundation for further exploration of AI-driven defence mechanisms, highlighting the importance of dynamic, adaptable tools in an ever-evolving cyber threat landscape.

Supervisors: Andrea Atzeni
Academic year: 2024/25
Publication type: Electronic
Number of pages: 103
Degree programme: Master's degree programme in Ingegneria Informatica (Computer Engineering)
Degree class: New system > Master's degree > LM-32 - INGEGNERIA INFORMATICA (Computer Engineering)
Partner companies: SECURITY REPLY SRL
URI: http://webthesis.biblio.polito.it/id/eprint/33140