arXiv: AdvancedShelLM: A Stateful Multi-Agent LLM Honeypot for SSH Deception
AI_SAFETY. Sourced from arxiv_cscr, summarised by Matproof.
AI Analysis
What changed and what to do.
This publication introduces AdvancedShelLM, a novel AI-driven honeypot system that uses multiple large language model agents to simulate realistic, interactive SSH sessions for cybersecurity deception. Unlike traditional static honeypots, this system maintains stateful conversations, adapting its responses to mimic genuine server behavior and attacker tactics. The paper details the architecture and demonstrates its effectiveness in detecting and diverting malicious actors, raising important considerations for how AI can be deployed in active cyber defense.
The primary impact falls on organizations operating critical infrastructure, financial services, cloud providers, and any entity with exposed SSH services. Compliance teams in sectors governed by the EU AI Act, NIS2 Directive, or GDPR must assess whether deploying such stateful, autonomous deception systems could inadvertently process personal data or trigger liability under AI safety obligations. The use of LLMs in active defense blurs the line between passive monitoring and active countermeasures, which may require re-evaluation of existing incident response protocols.
Compliance teams should immediately review their organization’s current honeypot and deception technology policies to determine if they incorporate AI-driven, stateful systems. If so, conduct a data protection impact assessment to ensure no unauthorized processing of attacker data occurs. Engage with legal and cybersecurity teams to map this technology against the EU AI Act’s risk categories, particularly for high-risk AI systems. Finally, update internal governance frameworks to include explicit approval processes for deploying autonomous AI in active defense scenarios.
This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.