Research Output
Academic papers, open-source tools, and technical documents produced by the Morphosis AI team at DFKI Kaiserslautern.
This work systematically investigates the use of Large Language Models to create a variety of honeytokens. Out of seven different honeytoken types — including configuration files, databases, and log files — two were used to evaluate the optimal prompt. The generation of robots.txt files and honeywords was used to systematically test 210 different prompt structures based on 16 prompt building blocks. All honeytokens were tested across different state-of-the-art LLMs to assess varying model performance. Honeywords generated by GPT-3.5 were found to be less distinguishable from real passwords compared to previous methods of automated honeyword generation.
A threat intelligence platform that extracts attack data from T-POT honeypots and generates feeds for attack prevention and detection purposes.
Protecting Content Management Systems from vulnerability scanners with cyber deception and obfuscation — a WordPress security plugin implementing defensive techniques against automated scanning tools.
Despite decades of research, cyber deception remains underutilized as an active defense layer. The core barrier is effort: crafting convincing honeypots and honeytokens that match an organization's real infrastructure demands significant manual work, limiting adoption especially among resource-constrained organizations. Recent advances in large language models (LLMs) offer an opportunity to close this gap. We introduce Morphosis AI, a platform concept for autonomous, adaptive cyber deception powered by generative AI. Morphosis AI integrates specialized LLM pipelines for generating deceptive artifacts—documents, credentials, configurations, and synthetic personas—with automated deployment of large-scale honeypot networks (honeyranges). We describe the platform architecture, formalize a four-stage generative deception pipeline from threat modeling to continuous adaptation, and pose five research questions that must be addressed to realize this vision: (1) designing LLM-enabled deception strategies, (2) achieving resource-efficient model specialization, (3) enabling bio-inspired honeypot evolution, (4) defining automation boundaries, and (5) measuring deception effectiveness against skilled human adversaries.
Formal definition of the threat model (MS1.1), the deception strategy within the dissimulation/simulation framework (MS1.2), and the attacker attention model — defining what constitutes measurable attention in an information security context (MS1.3).
Classification of honeytoken families (credentials, documents, databases, network artefacts, personal data) against the threat and attention models. Includes a ranked cost-to-impact hierarchy to guide model specialisation and data generation priorities.