{rfName}
Ho

Indexado en

Licencia y uso

Citaciones

1

Altmetrics

Análisis de autorías institucional

Hernandez-Castro, JAutor o Coautor

Compartir

19 de diciembre de 2024
Publicaciones
>
Conferencia Publicada
Green

Honeypot's Best Friend? Investigating ChatGPT's Ability to Evaluate Honeypot Logs

Publicado en:Proceedings Of The 2024 European Interdisciplinary Cybersecurity Conference, Eicc 2024. 128-135 - 2024-01-01 (), DOI: 10.1145/3655693.3655716

Autores: Ozkok, MB; Birinci, B; Cetin, O; Arief, B; Hernandez-Castro, J

Afiliaciones

Sabanci Univ - Autor o Coautor
Univ Kent - Autor o Coautor
Univ Politecn Madrid - Autor o Coautor

Resumen

Honeypots can gather substantial data from intruders, but many honeypots lack the necessary features to analyse and explain the nature of these potential attacks. Typically, honeypot analysis reports only highlight the attacking IP addresses and the malicious requests. As such, analysts might miss out on the more useful insights that can be derived from the honeypot data, such as the attackers' plan or emerging threats. Meanwhile, recent advances in large language models (LLM) - such as ChatGPT - have opened up the possibility of using artificial intelligence (AI) to comprehend honeypot data better, for instance, to perform an automated and intelligent log analysis that can explain consequences, provide labels, and deal with obfuscation. In this study, we probed ChatGPT's proficiency in understanding and explaining honeypot logs from actual recorded attacks on our honeypots. Our data encompassed 627 requests to Elasticsearch honeypots and 73 attacks detected by SSH honeypots, collected over a two-week period. Our analysis was focused on evaluating ChatGPT's explanation ability regarding the potential consequences of each attack, in alignment with the MITRE ATT&CK Framework, and whether ChatGPT can identify any obfuscation techniques that might be used by attackers. We found that ChatGPT achieved a 96.65% accuracy in correctly explaining the consequences of the attack targeting Elasticsearch servers. Furthermore, ChatGPT achieved a 72.46% accuracy in matching a given attack to one or more techniques listed by the MITRE ATT&CK Framework. Similarly, ChatGPT was excellent in identifying obfuscation techniques employed by attackers and offering deobfuscation solutions. However, 30.46% of the request body and 7.5% of the targeted URI were falsely identified as obfuscated, leading to a very high score of false positive for obfuscation. With the SSH honeypot data, we achieved a 97.26% accuracy while explaining the consequences of the attacks and a 98.84% accuracy for correctly mapping to MITRE ATT&CK Framework techniques. Based on these results, we can say that ChatGPT has shown great potential for automating the process of analysing honeypot data. Its proficiency in explaining attack consequences and in managing obfuscation through implementing MITRE ATT&CK techniques is impressive. Nevertheless, it is essential to be mindful of the possibility of high false positive rates, which can cause some issues. This needs to be addressed in future research, for example by leveraging the advanced fine-tuning techniques that were recently introduced to ChatGPT, but not available at the time of writing of this paper.

Palabras clave

Artificial intelligenceChatgptComputational linguisticsData obfuscationDeobfuscationFalse positiveFalse positive ratesFramework techniquesHoneypotHoneypotsLanguage modelLog analysisMatchingsNetwork securityPotential attackWell logging

Indicios de calidad

Impacto bibliométrico. Análisis de la aportación y canal de difusión

2025-07-05:

  • Scopus: 1

Impacto y visibilidad social

Desde la dimensión de Influencia o adopción social, y tomando como base las métricas asociadas a las menciones e interacciones proporcionadas por agencias especializadas en el cálculo de las denominadas “Métricas Alternativas o Sociales”, podemos destacar a fecha 2025-07-05:

  • La utilización de esta aportación en marcadores, bifurcaciones de código, añadidos a listas de favoritos para una lectura recurrente, así como visualizaciones generales, indica que alguien está usando la publicación como base de su trabajo actual. Esto puede ser un indicador destacado de futuras citas más formales y académicas. Tal afirmación es avalada por el resultado del indicador “Capture” que arroja un total de: 24 (PlumX).

Es fundamental presentar evidencias que respalden la plena alineación con los principios y directrices institucionales en torno a la Ciencia Abierta y la Conservación y Difusión del Patrimonio Intelectual. Un claro ejemplo de ello es:

  • El trabajo se ha enviado a una revista cuya política editorial permite la publicación en abierto Open Access.

Análisis de liderazgo de los autores institucionales

Este trabajo se ha realizado con colaboración internacional, concretamente con investigadores de: Turkey; United Kingdom.

Existe un liderazgo significativo ya que algunos de los autores pertenecientes a la institución aparecen como primer o último firmante, se puede apreciar en el detalle: Último Autor (HERNANDEZ CASTRO, JULIO CESAR).