US-12621346-B1 - Honeypots for detecting network intrusions to computer networks of organizations
Abstract
A computer network of an organization has network assets and honeypots. Probes are deployed on the computer network to collect telemetry data of the network assets. Asset profiles of the network assets are extracted from the telemetry data to obtain organization-specific data. A prompt is generated, with the prompt including an instruction to generate a honeypot configuration based on the organization-specific data. The prompt is input to a generative artificial intelligence (AI) model, such as a large language model (LLM). A honeypot is configured in accordance with the honeypot configuration that is output by the generative AI model responsive to the prompt.
Inventors
- Vladimir Kropotov
- Fyodor Yarochkin
- Ian Kenefick
Assignees
- TREND MICRO INCORPORATED
Dates
- Publication Date
- 2026-05-05
- Application Date
- 2024-05-24
Claims (20)
- 1. A method of detecting network intrusions to a computer network of an organization, the method comprising: deploying probes on the computer network; collecting, by the probes, telemetry data of network assets that are on the computer network, the telemetry data comprising asset profiles that describe configurations of corresponding network assets; extracting asset profiles of the network assets from collected telemetry data; converting extracted asset profiles to a formatted knowledge dataset; converting the formatted knowledge dataset into embeddings; generating a prompt that comprises organization-specific data of the organization that are included in the embeddings and an instruction to generate a honeypot configuration based on the organization-specific data; inputting the prompt to a first large language model (LLM); receiving, from the first LLM, a honeypot configuration that is responsive to the prompt; configuring a honeypot on the computer network in accordance with the honeypot configuration; and detecting a network intrusion to the computer network responsive to detecting an anomalous access to the honeypot.
- 2. The method of claim 1, wherein the probes include program code running locally on corresponding network assets that are on the computer network.
- 3. The method of claim 1, wherein the probes include a security appliance that monitors network traffic on the computer network.
- 4. The method of claim 1, wherein the extracted asset profiles are converted to the formatted knowledge dataset using a second LLM.
- 5. The method of claim 1, wherein detecting the anomalous access to the honeypot includes detecting usage of a honey token that is on the honeypot.
- 6. The method of claim 1, wherein the organization-specific data include file paths on selected network assets that are on the computer network.
- 7. The method of claim 1, wherein the organization-specific data include open Internet Protocol (IP) addresses on the network assets.
- 8. The method of claim 1, further comprising: raising an alert responsive to detecting the network intrusion to the computer network.
- 9. The method of claim 8, wherein the alert is a message displayed on a display screen of a computer.
- 10. A system comprising: a plurality of probes that collect telemetry data of network assets that are on a computer network of an organization, the telemetry data comprising asset profiles that describe configurations of corresponding network assets; a honeypot that is on the computer network; and a management server comprising at least one processor and a memory, the memory of the management server storing instructions that when executed by the at least one processor of the management server cause the management server to: receive telemetry data that are collected by the plurality of probes; extract asset profiles of the network assets from the telemetry data; generate embeddings of asset profiles that are extracted from the telemetry data; generate a prompt that comprises organization-specific data of the organization that are reflected in the embeddings and an instruction to generate a honeypot configuration based on the organization-specific data; input the prompt to a generative artificial intelligence (AI) model; and receive the honeypot configuration from the generative AI model, wherein the honeypot is configured in accordance with the honeypot configuration.
- 11. The system of claim 10, wherein the instructions stored in the memory of the management server when executed by the at least one processor of the management server cause the management server to: detect a network intrusion to the computer network responsive to detecting an anomalous access to the honeypot.
- 12. The system of claim 11, wherein the anomalous access to the honeypot is detected responsive to detecting usage of a honey token that is on the honeypot.
- 13. The system of claim 10, wherein the probes include a security appliance that monitors network traffic on the computer network.
- 14. The system of claim 10, wherein the instructions stored in the memory of the management server when executed by the at least one processor of the management server cause the management server to generate the embeddings of the asset profiles extracted from the telemetry data by: converting the asset profiles extracted from the telemetry data to a formatted knowledge dataset; and converting the formatted knowledge dataset to the embeddings.
- 15. The system of claim 10, wherein the generative AI model comprises a large language model (LLM).
- 16. A method of detecting network intrusions to a computer network of an organization, the method comprising: collecting telemetry data of network assets that are on the computer network, the telemetry data comprising asset profiles that describe configurations of corresponding network assets; generating a prompt that comprises organization-specific data of the organization that are included in the telemetry data and an instruction to generate a honeypot configuration based on the organization-specific data; inputting the prompt to a generative artificial intelligence (AI) model; receiving the honeypot configuration from the generative AI model; configuring a honeypot on the computer network in accordance with the honeypot configuration; and detecting a network intrusion to the computer network responsive to detecting an anomalous access to the honeypot.
- 17. The method of claim 16, wherein the generative AI model comprises a large language model (LLM).
- 18. The method of claim 16, wherein detecting the anomalous access to the honeypot includes detecting usage of a generated honey token that is on the honeypot.
- 19. The method of claim 16, further comprising: raising an alert responsive to detecting the network intrusion to the computer network.
- 20. The method of claim 19, wherein the alert is a message displayed on a display screen of a computer.
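The pipeline recited in claims 1, 5 and 16, carried end to end in Python as an added example; this is not Trend Micro's code and none of it is taken from the patent. Every input is constructed: the three asset profiles with their hostnames, IPs and file paths are hypothetical, a sparse bag-of-words vector stands in for the embedding model, the function stand_in_model stands in for the LLM and returns a fixed JSON configuration, and the gateway log lines are made up. One step the patent does not describe is added because a practitioner needs it: the model's output is treated as untrusted input and rejected if it reuses a production IP, opens a port outside an allowlist, or omits the honey token, before anything is deployed.

```python
"""Added example (not Trend Micro's code): telemetry -> knowledge dataset ->
embeddings -> prompt -> generated honeypot config -> validation -> honey-token
detection.  All assets, IPs, paths and log lines below are constructed."""
import json
import math
import re
from collections import Counter

# Constructed telemetry as probes on three hypothetical assets might report it.
TELEMETRY = [
    {"host": "web-01", "os": "Ubuntu 22.04", "ip": "10.20.1.15",
     "services": {"22": "OpenSSH 8.9", "443": "nginx 1.18"},
     "paths": ["/srv/app/config/settings.yaml"]},
    {"host": "db-01", "os": "Debian 12", "ip": "10.20.2.8",
     "services": {"22": "OpenSSH 9.2", "5432": "PostgreSQL 15"},
     "paths": ["/etc/postgresql/15/main/pg_hba.conf"]},
    {"host": "fs-01", "os": "Windows Server 2022", "ip": "10.20.3.4",
     "services": {"445": "SMB", "3389": "RDP"},
     "paths": ["D:\\Shares\\Finance\\budget.xlsx"]},
]
ALLOWED_PORTS = {22, 80, 443, 445, 3389, 5432}  # hypothetical deployment policy


def to_knowledge_dataset(telemetry):
    """Asset profiles -> formatted knowledge dataset: one text record per asset."""
    records = []
    for t in telemetry:
        svc = ", ".join(f"{p}/{v}" for p, v in t["services"].items())
        records.append({"host": t["host"], "ip": t["ip"],
                        "text": f"{t['host']} runs {t['os']} at {t['ip']}; "
                                f"services: {svc}; paths: {'; '.join(t['paths'])}"})
    return records


def embed(text):
    """Sparse bag-of-words vector; a stand-in for a real embedding model."""
    return Counter(re.findall(r"[a-z0-9.]+", text.lower()))


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def retrieve(records, query, k=2):
    """Organization-specific context: the k asset profiles nearest the query."""
    q = embed(query)
    return sorted(records, key=lambda r: cosine(q, embed(r["text"])), reverse=True)[:k]


def build_prompt(context, token):
    ctx = "\n".join(f"- {r['text']}" for r in context)
    return ("Configure a decoy host for this organization.\n"
            f"Organization-specific asset profiles:\n{ctx}\n"
            "Instruction: reply with JSON having keys hostname, os, ip, services "
            "(port -> banner) and decoy_files (list of {path, content}); place the "
            f"honey token {token} inside one decoy file; never reuse a listed IP.")


def validate_config(cfg, telemetry, token):
    """Model output is untrusted input: check it before anything is deployed."""
    problems = [f"missing key {k}" for k in
                ("hostname", "os", "ip", "services", "decoy_files") if k not in cfg]
    if cfg.get("ip") in {t["ip"] for t in telemetry}:
        problems.append("reuses a production IP")
    for port in cfg.get("services", {}):
        if not str(port).isdigit() or int(port) not in ALLOWED_PORTS:
            problems.append(f"port {port} not in allowlist")
    if not any(token in f.get("content", "") for f in cfg.get("decoy_files", [])):
        problems.append("honey token not embedded")
    return problems


def detect_token_use(log_lines, token):
    """Claim 5: the token exists only on the decoy, so any use elsewhere is an intrusion."""
    return [line for line in log_lines if token in line]


def stand_in_model(prompt):
    """Constructed response standing in for the LLM; a real model call goes here."""
    token = re.search(r"honey token (HT-[0-9a-f]+)", prompt).group(1)
    return json.dumps({"hostname": "web-02", "os": "Ubuntu 22.04", "ip": "10.20.1.77",
                       "services": {"22": "OpenSSH 8.9", "443": "nginx 1.18"},
                       "decoy_files": [{"path": "/srv/app/config/settings.yaml",
                                        "content": f"api_key: {token}\n"}]})


def run_pipeline(telemetry, model, token, query="Linux web server nginx"):
    """Returns the parsed configuration and the list of validation problems."""
    records = to_knowledge_dataset(telemetry)
    prompt = build_prompt(retrieve(records, query), token)
    cfg = json.loads(model(prompt))
    return cfg, validate_config(cfg, telemetry, token)


if __name__ == "__main__":
    token = "HT-5e1b9c0f2a7d"  # in production: secrets.token_hex(6), one per decoy
    cfg, problems = run_pipeline(TELEMETRY, stand_in_model, token)
    print("deploy" if not problems else problems, cfg["hostname"])
    # Constructed API-gateway log: the decoy's key is replayed against a real service.
    logs = ["10.20.1.15 GET /health 200",
            f"198.51.100.7 GET /v1/export key={token} 401"]
    print("ALERT:", detect_token_use(logs, token))
```

The retrieval step is what puts organization-specific data into the prompt: the query names the kind of decoy wanted and the nearest real profiles supply its operating system, service banners and file paths, which is the claimed path from embeddings to prompt. Run the script directly to see a valid configuration accepted and the honey token sighted in a log line from a client that is not the decoy; to use it against real telemetry, replace embed with an embedding model and stand_in_model with the actual LLM call, keeping validate_config in front of deployment.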
Description
TECHNICAL FIELD
The present disclosure is directed to cybersecurity.
BACKGROUND
Honeypots are used in cybersecurity applications to attract and thereby detect a cyberattack. Although honeypots have existed since the very early days of the Internet, their complexity has evolved over time. For network intrusion detection, the ultimate goal of a honeypot is to attract attacker activity, which generates detectable activity and buys time for security personnel or automated components to respond to the intrusion. Configuring a realistic honeypot is relatively difficult and requires an understanding of attackers' tactics and thinking. A honeypot needs to be configured to mimic the existing computing environment, so that an attacker will have difficulty differentiating honeypots from real systems.
There are many publications that pertain to honeypots, including:
- D. Fraunholz, M. Zimmermann and H. D. Schotten, "An adaptive honeypot configuration, deployment and maintenance strategy," 2017 19th International Conference on Advanced Communication Technology (ICACT), PyeongChang, Korea (South), 2017, pp. 53-57, doi: 10.23919/ICACT.2017.7890056.
- C. Hecker et al., "Dynamic Honeypot Construction," 2006.
- I. Kuwatly, M. Sraj, Z. Al Masri and H. Artail, "A dynamic honeypot design for intrusion detection," The IEEE/ACS International Conference on Pervasive Services (ICPS 2004), Proceedings, Beirut, Lebanon, 2004, pp. 95-104, doi: 10.1109/PERSER.2004.1356776.
- W. Z. Ansiry Zakaria and M. L. M. Kiah, "A review on artificial intelligence techniques for developing intelligent honeypot," 2012 8th International Conference on Computing Technology and Information Management (NCM and ICNIT), Seoul, Korea (South), 2012, pp. 696-701.
Embodiments of the present invention provide an improved method and system for configuring honeypots to detect network intrusions.
BRIEF SUMMARY
In one embodiment, a method of detecting network intrusions to a computer network of an organization includes deploying probes on the computer network. Telemetry data of network assets that are on the computer network are collected by the probes, the telemetry data comprising asset profiles that describe configurations of corresponding network assets. Asset profiles of the network assets are extracted from the collected telemetry data. Extracted asset profiles are converted to a formatted knowledge dataset. The formatted knowledge dataset is converted into embeddings. A prompt is generated, the prompt comprising organization-specific data of the organization that are included in the embeddings and an instruction to generate a honeypot configuration based on the organization-specific data. The prompt is input to a large language model (LLM). The LLM outputs the honeypot configuration responsive to the prompt. A honeypot on the computer network is configured in accordance with the honeypot configuration. A network intrusion to the computer network is detected responsive to detecting an anomalous access to the honeypot.
In another embodiment, a system comprises a plurality of probes, a honeypot, and a management server. The probes collect telemetry data of network assets that are on a computer network of an organization, the telemetry data comprising asset profiles that describe configurations of corresponding network assets. The management server: receives the telemetry data; extracts asset profiles of the network assets from the received telemetry data; generates embeddings of asset profiles extracted from the received telemetry data; generates a prompt that comprises organization-specific data of the organization that are included in the embeddings and an instruction to generate a honeypot configuration based on the organization-specific data; inputs the prompt to a generative artificial intelligence (AI) model; and receives the honeypot configuration from the generative AI model. The honeypot is configured in accordance with the honeypot configuration.
In yet another embodiment, a method of detecting network intrusions to a computer network of an organization includes collecting telemetry data of network assets that are on the computer network, the telemetry data comprising asset profiles that describe configurations of corresponding network assets. A prompt is generated, the prompt comprising organization-specific data of the organization that are included in the telemetry data and an instruction to generate a honeypot configuration based on the organization-specific data. The prompt is input to a generative AI model. The honeypot configuration is received from the generative AI model. A honeypot on the computer network is configured in accordance with the honeypot configuration. A network intrusion to the computer network is detected responsive to detecting an anomalous access to the honeypot.
These and other features of the present disclosure will be readily apparent to persons of ordinary skill in the art upon reading the entirety of this disclosure, which in