Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI

Anıl Sezgin

doi:10.46460/ijiea.1797978

Abstract

Honeypots have long been invaluable resources for intrusion detection and cyber threat intelligence, yet they suffer from a persistent trade-off: low-interaction systems are too artificial, while high-interaction systems pose operational risks and scalability challenges. This paper introduces a new honeypot architecture that uses Retrieval-Augmented Generation (RAG) with the Llama 3.1 8B model to overcome this fidelity–risk dilemma. Instead of executing live commands, the system draws on a curated database of sanitized command–output pairs recorded for Linux commands. When an attacker issues a command, the most relevant historical output is retrieved and contextualized by a large language model (LLM), so the response is both empirically grounded and dynamically flexible. This architecture maintains realistic interactions without allowing the system to be compromised. We built an extensible pipeline spanning data acquisition, preprocessing, retrieval, and response generation, complemented by logging for threat intelligence purposes. Evaluation was performed on six hundred canonical Linux commands using BLEU and ROUGE metrics. The RAG-enhanced variant improves substantially on the vanilla LLM setup: BLEU rises from 0.04 to 0.47, roughly an order of magnitude, and ROUGE-L rises from 0.24 to 0.72. Beyond quantitative fidelity, qualitative analysis indicates that RAG strongly reduces hallucinations, preserves session consistency, and increases attacker engagement. Longer and more coherent adversary sessions give the defender richer behavioral context with a lower risk of detection. The proposed system illustrates that generative AI, when grounded in empirical data, can achieve high-fidelity deception without operational exposure. The findings demonstrate not only the technical feasibility of RAG-based honeypots but also their promise as scalable, adaptive, and safe deception resources for both research infrastructures and operational use.
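The retrieve-then-contextualize step described in the abstract can be sketched as follows. This is a minimal illustration, not the paper's implementation: the corpus entries, the bag-of-words cosine retriever (a stand-in for whatever retriever the system actually uses), the function names, and the prompt wording are all assumptions, and the call to Llama 3.1 8B is deliberately left out.

```python
import math
import re
from collections import Counter

# Hypothetical sanitized command-output pairs (illustrative only; the
# paper's curated database is not reproduced here).
CORPUS = [
    ("whoami", "root"),
    ("uname -a", "Linux web01 5.15.0 x86_64 GNU/Linux"),
    ("ls -la /tmp", "total 8\ndrwxrwxrwt  2 root root 4096 Jan  1 00:00 ."),
    ("cat /etc/hostname", "web01"),
]


def tokenize(command):
    """Split a shell command into lowercase tokens (flags and paths kept whole)."""
    return re.findall(r"[A-Za-z0-9_./-]+", command.lower())


def cosine(a, b):
    """Cosine similarity between two token-count vectors."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(
        sum(v * v for v in b.values())
    )
    return dot / norm if norm else 0.0


def retrieve(command, corpus=CORPUS):
    """Return (score, stored_command, stored_output) for the closest stored command."""
    query = Counter(tokenize(command))
    scored = [(cosine(query, Counter(tokenize(c))), c, o) for c, o in corpus]
    return max(scored, key=lambda item: item[0])


def build_prompt(command, corpus=CORPUS):
    """Assemble an LLM prompt from the retrieved pair; no command is ever executed."""
    _, known_cmd, known_out = retrieve(command, corpus)
    return (
        "You are simulating a Linux shell. Never execute anything.\n"
        f"Reference command: {known_cmd}\n"
        f"Reference output:\n{known_out}\n"
        f"Attacker command: {command}\n"
        "Reply only with plausible terminal output adapted from the reference."
    )


if __name__ == "__main__":
    # The prompt would be passed to the language model; here it is only printed.
    print(build_prompt("ls -la /var"))
```

In this sketch the attacker's input only ever selects and reshapes stored text, which is the property the abstract relies on for safety: the grounding comes from the retrieved pair, and the model's job is limited to adapting it to the exact command issued.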

Keywords

Large language models, threat intelligence, adaptive honeypot systems

Details

Primary Language

English

Subjects

Computer Software, Software Engineering (Other)

Section

Research Article

Authors

Anıl Sezgin ^*
0000-0002-5754-1380
Türkiye

Publication Date

December 29, 2025

Submission Date

October 6, 2025

Acceptance Date

November 6, 2025

Published in Issue

Year 2025, Volume 9, Issue 2

DOI

https://doi.org/10.46460/ijiea.1797978

IZ

https://izlik.org/JA28RR74KH

APA

Sezgin, A. (2025). Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI. International Journal of Innovative Engineering Applications, 9(2), 175-183. https://doi.org/10.46460/ijiea.1797978

AMA

1. Sezgin A. Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI. ijiea, IJIEA. 2025;9(2):175-183. doi:10.46460/ijiea.1797978

Chicago

Sezgin, Anıl. 2025. “Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI”. International Journal of Innovative Engineering Applications 9 (2): 175-83. https://doi.org/10.46460/ijiea.1797978.

EndNote

Sezgin A (01 December 2025) Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI. International Journal of Innovative Engineering Applications 9 2 175–183.

IEEE

[1] A. Sezgin, “Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI”, ijiea, IJIEA, vol. 9, no. 2, pp. 175–183, Dec. 2025, doi: 10.46460/ijiea.1797978.

ISNAD

Sezgin, Anıl. “Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI”. International Journal of Innovative Engineering Applications 9/2 (01 December 2025): 175-183. https://doi.org/10.46460/ijiea.1797978.

JAMA

1. Sezgin A. Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI. ijiea, IJIEA. 2025;9:175–183.

MLA

Sezgin, Anıl. “Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI”. International Journal of Innovative Engineering Applications, vol. 9, no. 2, December 2025, pp. 175-83, doi:10.46460/ijiea.1797978.

Vancouver

1. Anıl Sezgin. Adaptive Honeypot Systems via RAG: Enhancing Threat Intelligence with Generative AI. ijiea, IJIEA. 01 December 2025;9(2):175-83. doi:10.46460/ijiea.1797978
