SSH honeypots serve as critical infrastructure for cyber threat intelligence, but existing LLM-based systems suffer from context window limitations causing state loss and hallucination-driven inconsistencies, making them easily detectable through simple verification tests. To address these limitations, we propose LLM-SSHH, a framework combining explicit state management with LLM generation to achieve long-term interaction consistency. The system maintains a persistent state snapshot organized as a three-component tuple capturing file system state, runtime context, and system metadata. The framework serializes the current state into LLM prompts and validates generated responses against state constraints to reject hallucinations. Validated responses update the state snapshot, forming a closed loop that ensures consistent state evolution throughout extended interactions. Experimental results demonstrate that LLM-SSHH achieves a mean detection rate of 0.150, representing a 3 to 4 times improvement over existing methods, significantly extending honeypot survivability for threat intelligence collection.
Li et al. (Mon,) studied this question.