Top 12 Study Abroad Scholarships 2025 for International Students
Explore the best study abroad scholarships 2025 for global students. Find funding for tuition, travel, and more—start your journey today!
Table of contents [Show]
Introduction
In this post, we’ll dive into Splunk’s DECEIVE, an AI-generated honeypot program designed to detect and analyze suspicious SSH activity. Created by David Bianco, DECEIVE uses AI to create high-fidelity honeypots that mimic real systems, making it a powerful tool for cybersecurity professionals. Let’s explore how it works and how you can set it up in your lab environment.
What is DECEIVE?
DECEIVE is a proof-of-concept honeypot powered by AI. It simulates realistic systems, such as a video game developer’s environment or a financial company’s server, to lure attackers. Once an attacker interacts with the honeypot, DECEIVE logs their activity and generates a session summary using AI. This summary evaluates the commands entered, their intent, and whether they are benign, suspicious, or malicious.
Key features of DECEIVE include:
- AI-Generated Honeypots: Mimic real systems with realistic files and directories.
- Session Summaries: AI evaluates SSH sessions and provides detailed insights.
- Customizable Prompts: Tailor the honeypot to mimic different environments, such as gaming studios or financial institutions.
Setting Up DECEIVE
Here’s a step-by-step guide to setting up DECEIVE in your lab environment:
- Clone the Repository: Start by cloning the DECEIVE GitHub repository to your local machine using the command:
git clone https://github.com/splunk/deceive.git. - Install Dependencies: Navigate to the project directory and install the required dependencies using:
pip3 install -r requirements.txt. - Generate SSH Host Key: Use the provided command to generate an SSH host key for the honeypot.
- Configure the Honeypot: Copy the
config.ini.templatefile toconfig.iniand customize it with your OpenAI API key and other settings. - Run the Honeypot: Start the honeypot server using:
python3 ./ssh_server.py.
Once the honeypot is running, you can SSH into it and interact with the simulated environment.
Customizing the Honeypot
DECEIVE allows you to customize the honeypot to mimic different environments. For example, you can change the prompt in the prompt.txt file to simulate a financial company’s server instead of a video game developer’s system. Here’s an example of a customized prompt:
You are a CEO at a financial company. The system includes financial documents, disclosures, reports, personal notes, and calendar invites. The internet-facing mail server is for a big tech company with state-sponsored facilities in Virginia. Valid user accounts include admin and guest.
This customization makes the honeypot more convincing and tailored to your needs.
Analyzing Session Summaries
After an attacker interacts with the honeypot, DECEIVE generates a session summary in JSON format. This summary includes:
- Session ID: Unique identifier for the SSH session.
- Commands Executed: List of commands entered by the attacker.
- AI Evaluation: Analysis of the commands’ intent (benign, suspicious, or malicious).
For example, if an attacker navigates through directories and inspects files, the AI might classify the activity as “suspicious” and note that it aligns with early stages of an attack.
Why DECEIVE is a Game-Changer
DECEIVE offers several advantages for cybersecurity professionals:
- Realistic Simulations: AI-generated environments make the honeypot more convincing.
- Actionable Insights: AI-powered session summaries provide valuable insights into attacker behavior.
- Customizability: Tailor the honeypot to mimic specific industries or systems.
While DECEIVE is currently a proof-of-concept, it has the potential to become a powerful tool for detecting and analyzing cyber threats.
Conclusion
Splunk’s DECEIVE is an innovative AI-generated honeypot that brings a new level of realism and intelligence to cybersecurity. By simulating realistic systems and providing detailed session summaries, DECEIVE helps professionals better understand and defend against cyber threats. While it’s not yet production-ready, it’s a promising tool for lab environments and future development.
For a more detailed walkthrough, check out the YouTube video. Thanks for reading, and stay tuned for more cybersecurity insights!
