Decoding Galah: an LLM powered web honeypot
2024-10-22, Europe - Main Room

Honeypots are invaluable tools for monitoring internet-wide scans and understanding attackers' techniques. Traditional low-interaction web honeypots use manual methods to emulate various applications or vulnerabilities. Introducing Galah, an LLM-powered web honeypot that mimics diverse applications with a single prompt. This honeypot dynamically crafts relevant HTTP responses, including headers and body content, to various HTTP requests, effectively simulating multiple web applications. In this talk, I will share lessons learned from building and deploying Galah and address two key questions: How do different large language models perform in generating HTTP messages? Does delivering authentic-looking HTTP responses increase attackers’ engagement with the honeypot?


In this talk, I will explore the limitations of traditional web honeypots and introduce Galah, an innovative LLM-powered solution designed to dynamically generate realistic HTTP responses. By evaluating the performance of different LLMs, we aim to determine their effectiveness in mimicking web applications and enhancing honeypot authenticity. I will share insights into the development process, including how to structure prompts, generate JSON outputs, and overcome common challenges. Additionally, I will present evaluation results, comparing various large language models to highlight their strengths and weaknesses. The talk will also feature interesting examples of LLM-generated HTTP responses. Finally, I will discuss practical insights and broader applications of LLMs beyond honeypots, offering valuable takeaways for attendees interested in leveraging LLMs for diverse use cases.

See also: Slides (5.0 MB)

Adel Karimi is a senior security engineer with a keen interest in threat detection, honeypots, and network traffic fingerprinting. He recently joined a “chatbot startup” after a decade of working on detection and response at companies such as Google, Salesforce, and Niantic. Adel is passionate about developing open-source projects like Galah and Venator, and in his free time, he enjoys capturing stunning images of the night sky.