Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Towards Agentic Honeynet Configuration

Federico Mirra, Matteo Boffa, Idilio Drago, Danilo Giordano, Marco Mellia

Abstract

Honeypots are deception systems that emulate vulnerable services to collect threat intelligence. While deploying many honeypots increases the opportunity to observe attacker behaviour, in practise network and computational resources limit the number of honeypots that can be exposed. Hence, practitioners must select the assets to deploy, a decision that is typically made statically despite attackers' tactics evolving over time. This work investigates an AI-driven agentic architecture that autonomously manages honeypot exposure in response to ongoing attacks. The proposed agent analyses Intrusion Detection System (IDS) alerts and network state to infer the progression of the attack, identify compromised assets, and predict likely attacker targets. Based on this assessment, the agent dynamically reconfigures the system to maintain attacker engagement while minimizing unnecessary exposure. The approach is evaluated in a simulated environment where attackers execute Proof-of-Concept exploits for known CVEs. Preliminary results indicate that the agent can effectively infer the intent of the attacker and improve the efficiency of exposure under resource constraints

Towards Agentic Honeynet Configuration

Abstract

Honeypots are deception systems that emulate vulnerable services to collect threat intelligence. While deploying many honeypots increases the opportunity to observe attacker behaviour, in practise network and computational resources limit the number of honeypots that can be exposed. Hence, practitioners must select the assets to deploy, a decision that is typically made statically despite attackers' tactics evolving over time. This work investigates an AI-driven agentic architecture that autonomously manages honeypot exposure in response to ongoing attacks. The proposed agent analyses Intrusion Detection System (IDS) alerts and network state to infer the progression of the attack, identify compromised assets, and predict likely attacker targets. Based on this assessment, the agent dynamically reconfigures the system to maintain attacker engagement while minimizing unnecessary exposure. The approach is evaluated in a simulated environment where attackers execute Proof-of-Concept exploits for known CVEs. Preliminary results indicate that the agent can effectively infer the intent of the attacker and improve the efficiency of exposure under resource constraints
Paper Structure (16 sections, 1 equation, 3 figures, 4 tables)

This paper contains 16 sections, 1 equation, 3 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Problem Statement
  3. Adaptive Honeynet Management Agent
  4. Design Principles
  5. Agent Architecture
  6. LLM-Centered Reasoning
  7. Simulation Environment
  8. Evaluation Results
  9. Experimental Settings
  10. Results
  11. Conclusions
  12. Deployed Services and Attack Phases
  13. Docker
  14. Apache Struts
  15. GitLab
  16. ...and 1 more sections

Figures (3)

  • Figure 1: Overview of the proposed adaptive honeypot deployment framework. Attackers actively search for specific vulnerabilities and scan the web to identify machines that satisfy their objectives. The proposed agent interprets attack-related logs, infers the attacker's underlying intentions, and dynamically exposes an optimal subset of honeypots -- subject to a maximum budget of K -- that best match the attacker's goals, enabling effective and adaptive deception.
  • Figure 2: Discrete-time simulation of attacker--defender interaction. The system evolves in epochs alternating between attacker actions and agent decisions, where the agent infers attack progression from IDS data and applies budget-constrained exposure policies.
  • Figure 3: Ground-truth attack graph used in the simulation. Nodes represent attack stages and services, and edges encode feasible progression paths aligned with the MITRE ATT&CK framework.