Cybersecurity is evolving rapidly, incorporating paradigms such as Cyber Deception (CYDEC) and Moving Target Defense (MTD) to counter sophisticated attacks. CYDEC misleads adversaries by diverting their actions into controlled environments where they unknowingly interact with decoy assets. This work introduces a deception mechanism based on stealthy TCP redirection to dynamically instantiated honeypots. Unlike static decoys, the system creates a honey server on-demand that replicates the victim asset in real time. To enhance credibility, the replica is enriched with fake but coherent data generated by a Large Language Model (LLM), producing realistic documents, logs, or configurations tailored to the compromised pillar, that is, confidentiality, integrity, or availability. The architecture builds on Software-Defined Networking (SDN), enabling flexible deployment and adaptive deception at scale. The SDN Controller manages redirection and cloning while preserving TCP session continuity through sequence-number manipulation, making the diversion virtually undetectable. Experiments validated the approach in diverse environments. Results show negligible latency overheads, even under encrypted protocols, seamless honeypot instantiation, and highly plausible LLM-generated honeydata that deceives Attackers while enriching threat intelligence. Deployment on resource-constrained hardware such as Raspberry Pi demonstrates feasibility for IoT and embedded contexts. Overall, combining SDN and LLM technologies enables a scalable, adaptive, and robust CYDEC-based defense capable of deceiving adversaries in real time while strengthening cyber threat intelligence.
Lopez et al. (Sun,) studied this question.