OHRA: dynamic multi-protocol LLM-based cyber deception

Anastasia Safargalieva; Artur Rüffer; Emmanouil Vasilomanolakis

OHRA: dynamic multi-protocol LLM-based cyber deception

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

Abstract

Honeypots aid cyber defense but traditional designs demand heavy manual setup and support few protocols. We introduce OHRA, a modular, extensible LLM-driven honeypot that supports multiple protocols (SSH, Telnet, HTTP, FTP, SMTP, SNMP, IPP) and can integrate different LLM providers. OHRA wraps the model with session memory and prompt control to generate realistic, context-aware responses with less configuration effort. We evaluate OHRA against Cowrie and a recent LLM-based honeypot using curated malware commands and a real-world Internet deployment. OHRA is among the first honeypots to demonstrate a unified LLM-based architecture across several protocols: SSH, Telnet, and HTTP are fully interactive, while FTP, SMTP, IPP, and SNMP are currently implemented in partial form. Results show higher response realism, improved session handling, and greater deceptiveness in comparison to prior systems. This work lays the groundwork for scalable and adaptive multi-protocol deception platforms.

Original language	English
Title of host publication	Proceedings of the 30th Nordic Conference on Secure IT Systems (Nordsec 2025)
Number of pages	20
Publisher	Springer
Publication status	Accepted/In press - 2026

Keywords

Deception
Honeypots
Large Language Models

Embargoed Document

Fulltext
Accepted author manuscript, 2.46 MB
Embargo ends: 13/11/2026

Cite this

@inproceedings{e2e9b34b1dd241a7b3818dcc93bfc043,

title = "OHRA: dynamic multi-protocol LLM-based cyber deception",

abstract = "Honeypots aid cyber defense but traditional designs demand heavy manual setup and support few protocols. We introduce OHRA, a modular, extensible LLM-driven honeypot that supports multiple protocols (SSH, Telnet, HTTP, FTP, SMTP, SNMP, IPP) and can integrate different LLM providers. OHRA wraps the model with session memory and prompt control to generate realistic, context-aware responses with less configuration effort. We evaluate OHRA against Cowrie and a recent LLM-based honeypot using curated malware commands and a real-world Internet deployment. OHRA is among the first honeypots to demonstrate a unified LLM-based architecture across several protocols: SSH, Telnet, and HTTP are fully interactive, while FTP, SMTP, IPP, and SNMP are currently implemented in partial form. Results show higher response realism, improved session handling, and greater deceptiveness in comparison to prior systems. This work lays the groundwork for scalable and adaptive multi-protocol deception platforms.",

keywords = "Deception, Honeypots, Large Language Models",

author = "Anastasia Safargalieva and Artur R{\"u}ffer and Emmanouil Vasilomanolakis",

year = "2026",

language = "English",

booktitle = "Proceedings of the 30th Nordic Conference on Secure IT Systems (Nordsec 2025)",

publisher = "Springer",

}

TY - GEN

T1 - OHRA: dynamic multi-protocol LLM-based cyber deception

AU - Safargalieva, Anastasia

AU - Rüffer, Artur

AU - Vasilomanolakis, Emmanouil

PY - 2026

Y1 - 2026

N2 - Honeypots aid cyber defense but traditional designs demand heavy manual setup and support few protocols. We introduce OHRA, a modular, extensible LLM-driven honeypot that supports multiple protocols (SSH, Telnet, HTTP, FTP, SMTP, SNMP, IPP) and can integrate different LLM providers. OHRA wraps the model with session memory and prompt control to generate realistic, context-aware responses with less configuration effort. We evaluate OHRA against Cowrie and a recent LLM-based honeypot using curated malware commands and a real-world Internet deployment. OHRA is among the first honeypots to demonstrate a unified LLM-based architecture across several protocols: SSH, Telnet, and HTTP are fully interactive, while FTP, SMTP, IPP, and SNMP are currently implemented in partial form. Results show higher response realism, improved session handling, and greater deceptiveness in comparison to prior systems. This work lays the groundwork for scalable and adaptive multi-protocol deception platforms.

AB - Honeypots aid cyber defense but traditional designs demand heavy manual setup and support few protocols. We introduce OHRA, a modular, extensible LLM-driven honeypot that supports multiple protocols (SSH, Telnet, HTTP, FTP, SMTP, SNMP, IPP) and can integrate different LLM providers. OHRA wraps the model with session memory and prompt control to generate realistic, context-aware responses with less configuration effort. We evaluate OHRA against Cowrie and a recent LLM-based honeypot using curated malware commands and a real-world Internet deployment. OHRA is among the first honeypots to demonstrate a unified LLM-based architecture across several protocols: SSH, Telnet, and HTTP are fully interactive, while FTP, SMTP, IPP, and SNMP are currently implemented in partial form. Results show higher response realism, improved session handling, and greater deceptiveness in comparison to prior systems. This work lays the groundwork for scalable and adaptive multi-protocol deception platforms.

KW - Deception

KW - Honeypots

KW - Large Language Models

M3 - Article in proceedings

BT - Proceedings of the 30th Nordic Conference on Secure IT Systems (Nordsec 2025)

PB - Springer

ER -

OHRA: dynamic multi-protocol LLM-based cyber deception

Abstract

Keywords

Embargoed Document

Fingerprint

Cite this