// Final Year Project — 2026
A medium-interaction SSH honeypot backed by a locally hosted large language model, deployed to the Azure cloud to capture and analyse real-world attacker behaviour.
01 — About
Traditional medium-interaction honeypots rely on scripted, predictable responses that experienced attackers can fingerprint and disengage from. This project addresses that limitation by integrating a locally hosted large language model to generate dynamic, contextually aware responses — making the honeypot significantly harder to identify and increasing attacker engagement time.
Scripted honeypot responses are predictable. Attackers recognise patterns, disengage early, and the honeypot loses its research and defensive value before meaningful data can be collected.
An LLM-backed SSH honeypot that generates realistic, session-aware terminal responses. Deployed to Microsoft Azure with Docker, it operates on standard SSH port 22 to attract real-world automated scanners and attackers.
Hosted on an Azure Virtual Machine running Ubuntu Server, containerised with Docker Compose. The honeypot and Ollama LLM service run as separate interdependent containers with persistent log storage.
Every session generates detailed logs — commands issued, credentials attempted, session duration, wget and curl attempts, and IP addresses — building a dataset of real attacker behaviour.
02 — Features
// 01
Unknown commands are forwarded to a locally hosted llama3:8b model via Ollama, generating realistic terminal output grounded in the current session context and filesystem state.
// 02
A stateful in-memory filesystem gives each attacker session a consistent, believable environment with seeded files, realistic timestamps, and full support for common filesystem commands.
// 03
LLM responses are cached per command and filesystem state, ensuring that repeated commands return identical output — maintaining consistency and reducing latency on subsequent calls.
// 04
Three log types capture all activity: per-session command logs, a credential log for all authentication attempts, and a server log for connection-level events and rate limit activity.
// 05
Containerisation isolates attackers from the underlying VM. Rate limiting, session timeouts, and command buffer limits protect against resource exhaustion and abuse.
// 06
Authentication accepts only credentials from curated username and password wordlists, making the honeypot accessible to common scanners while maintaining realistic login behaviour.
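An added sketch of the caching described in feature 03, not the project's own code: cached output is keyed on the command plus a digest of the filesystem state, so a repeated command replays identical text until the session state changes. The dict-based filesystem, the stub generator standing in for the Ollama call, and the LRU size bound are assumptions.

```python
import hashlib
import json
from collections import OrderedDict

def fs_fingerprint(fs):
    """Stable SHA-256 digest of a path -> content mapping (assumed FS shape)."""
    canonical = json.dumps(fs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

class ResponseCache:
    """Cache generated output per (command, filesystem state)."""

    def __init__(self, generate, max_entries=1024):
        self._generate = generate        # callable(command, fs) -> str
        self._max = max_entries          # assumption: LRU bound, since attackers
        self._store = OrderedDict()      # control the keys and could flood memory
        self.hits = 0
        self.misses = 0

    def respond(self, command, fs):
        key = (command.strip(), fs_fingerprint(fs))
        if key in self._store:
            self._store.move_to_end(key)     # mark as most recently used
            self.hits += 1
            return self._store[key]
        self.misses += 1
        output = self._generate(command, fs)
        self._store[key] = output
        if len(self._store) > self._max:
            self._store.popitem(last=False)  # evict least recently used
        return output

def make_stub_llm():
    """Stand-in for the model call; output varies per call, like sampling."""
    calls = {"n": 0}
    def generate(command, fs):
        calls["n"] += 1
        return f"{command}: simulated output #{calls['n']} ({len(fs)} files)"
    return generate, calls

def demo():
    generate, calls = make_stub_llm()
    cache = ResponseCache(generate)
    fs = {"/etc/hostname": "web01\n", "/root/notes.txt": "todo\n"}  # constructed
    first = cache.respond("lsblk", fs)
    second = cache.respond("lsblk ", fs)      # repeat: served from cache
    fs["/tmp/x.sh"] = "#!/bin/sh\n"           # session state changes
    third = cache.respond("lsblk", fs)        # new state: regenerated
    return first, second, third, calls["n"], cache.hits

if __name__ == "__main__":
    print(demo())
```

Without the cache, the stub returns different text on every call, which is the inconsistency an attacker could use to fingerprint a generated shell.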
03 — Technologies
04 — Documents
Project Specification
The initial project specification document outlining the aims, objectives, and scope of the AI-driven honeypot project.
Open PDF
Research Report
A comprehensive research report covering the existing literature on honeypots, LLM integration in cybersecurity, and the technical background underpinning the project.
Open PDF
Final Project Report
The complete final year project report detailing the system design, implementation, testing, evaluation, and findings of the AI-driven SSH honeypot.
Open PDF
05 — Contact
Interested in the project or want to learn more? Feel free to reach out via any of the channels below.
The source code for this project is available on GitHub upon request. Feel free to reach out via email or LinkedIn to request access to the repository.