Speakers
Description
In Europe's research and education networks, cyber-threats have evolved from isolated events into a constant, hidden condition that permeates every layer of digital science. Nation-state actors probe critical infrastructure while opportunistic ransomware gangs attack university mail servers, often evading signature-based antivirus, rule-driven firewalls and static SIEM correlation. Advanced Persistent Threat groups use living-off-the-land techniques, bespoke malware and AI-generated phishing that slip past known detection patterns, forcing organisations to assume that malicious activity is occurring even when dashboards appear clean.
This forces a paradigm shift from reactive incident handling to proactive, anticipatory defence. Embedding generative AI, in particular Large Language Models (LLMs), into the defensive architecture can turn the invisible threat landscape into actionable intelligence. LLM-powered honeypots capture and analyse attackers' tools, converting adversarial activity into intelligence that can be turned against them.
Collective efforts are usually more effective than those of single entities. We all want to know who is attacking us, how, and whether we are the only ones targeted. Within GÉANT and our local communities we therefore facilitate services for collecting and processing threat intelligence from honeypots deployed across Europe in our partners' networks.
The work does not stop there. Much of what our honeypots see is traffic that most state-of-the-art firewalls already filter out. In the presented efforts we therefore show how we deliberately let attackers drop their malware in our infrastructure and then analyse it automatically in our on-premises sandbox, generating intelligence that enables us to identify and root out those who have already penetrated the defences.
We show examples of data collected from infrastructure set up solely for GN5-2 and share our experiences of setting up and running the integration of T-Pot-based honeypots, a CAPE-based sandbox and the malware database (MWDB), which results in customised data feeds provisioned through the MISP platform.
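As an added example (not the project's own code), the following Python sketch shows the glue between these components: a content-addressed sample store standing in for MWDB, deduplication so that one file dropped on several sensors becomes one sample with several sightings, and construction of a MISP event in MISP's REST event/attribute JSON layout. The capture records, sensor names and addresses are constructed; the CAPE sandbox step is not modelled, so the event is marked as analysis ongoing where its verdict would later be attached.

```python
"""Honeypot capture -> sample store -> MISP-style event (added example).

Constructed stand-in for the glue between a T-Pot sensor, a content-addressed
malware store (the role MWDB plays) and a MISP feed. Nothing here talks to a
network; the capture records below are invented.
"""
import hashlib
import json

# Constructed honeypot download records. Real T-Pot/Cowrie logs carry many
# more fields; only the ones this pipeline needs are modelled.
SAMPLE_CAPTURES = [
    {"sensor": "tpot-a", "src_ip": "198.51.100.23",
     "url": "http://198.51.100.23/x86", "payload": b"\x7fELF demo-sample-A"},
    {"sensor": "tpot-b", "src_ip": "203.0.113.7",
     "url": "http://203.0.113.7/x86", "payload": b"\x7fELF demo-sample-A"},
    {"sensor": "tpot-a", "src_ip": "198.51.100.23",
     "url": "http://198.51.100.23/bot.sh", "payload": b"#!/bin/sh\n# demo-sample-B\n"},
]


class SampleStore:
    """Content-addressed store keyed by SHA-256.

    Keeps every delivery (sensor, source IP, URL) of a sample so that the same
    file dropped on many sensors yields one sample with many sightings.
    """

    def __init__(self):
        self.samples = {}

    def add(self, capture):
        payload = capture["payload"]
        sha256 = hashlib.sha256(payload).hexdigest()
        is_new = sha256 not in self.samples
        if is_new:
            self.samples[sha256] = {
                "md5": hashlib.md5(payload).hexdigest(),
                "sha1": hashlib.sha1(payload).hexdigest(),
                "size": len(payload),
                "sightings": [],
            }
        self.samples[sha256]["sightings"].append(
            {k: capture[k] for k in ("sensor", "src_ip", "url")})
        return sha256, is_new


def build_misp_event(sha256, sample, info_prefix="Honeypot drop"):
    """Shape a sample and its sightings into MISP's event JSON.

    The layout (Event -> Attribute list with type/category/value/to_ids)
    follows the MISP REST format; to_ids=True marks a value as suitable for
    export into IDS/blocklist feeds, which is what a downstream consumer wants.
    """
    attributes = [
        {"type": "sha256", "category": "Payload delivery", "value": sha256, "to_ids": True},
        {"type": "md5", "category": "Payload delivery", "value": sample["md5"], "to_ids": True},
        {"type": "sha1", "category": "Payload delivery", "value": sample["sha1"], "to_ids": True},
        {"type": "size-in-bytes", "category": "Other", "value": str(sample["size"]), "to_ids": False},
    ]
    seen = set()  # one attribute per distinct (type, value), however many sensors saw it
    for s in sample["sightings"]:
        for typ, cat, val in (("ip-src", "Network activity", s["src_ip"]),
                              ("url", "Payload delivery", s["url"])):
            if (typ, val) in seen:
                continue
            seen.add((typ, val))
            attributes.append({"type": typ, "category": cat, "value": val,
                               "to_ids": True, "comment": f"seen by {s['sensor']}"})
    return {"Event": {
        "info": f"{info_prefix} {sha256[:12]}",
        "threat_level_id": "2",   # medium
        "analysis": "1",          # ongoing: sandbox verdict is attached later
        "distribution": "3",      # all communities
        "Attribute": attributes,
    }}


def process_captures(captures, store):
    """Run captures through the store; return MISP events keyed by SHA-256 for
    samples that were new, i.e. the ones worth a sandbox run and a feed entry."""
    new_hashes = []
    for cap in captures:
        sha256, is_new = store.add(cap)
        if is_new:
            new_hashes.append(sha256)
    # Build events only after all captures so each event carries every sighting.
    return {h: build_misp_event(h, store.samples[h]) for h in new_hashes}


if __name__ == "__main__":
    store = SampleStore()
    for event in process_captures(SAMPLE_CAPTURES, store).values():
        print(json.dumps(event, indent=2))
```

Running it prints two events: the ELF sample, seen by both sensors, carries two `ip-src` and two `url` attributes, while the shell script carries one of each. The shared `sha256` attribute is what lets MISP correlate a later submission of the same file from another partner's honeypot with this event.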
The infrastructure is operational in the PCSS data centre, continuously gathering, validating and sharing intelligence. Participants of TNC26 are invited to join this effort.
Building on these experiences, a new initiative, PUCHACZ RI (CTI and Adversaries Research Infrastructure), starting in 2026 unites over a dozen Polish R&E institutions to create a federated malware-analysis data lake supporting AI-driven cybersecurity research.
The final part demonstrates how LLM-enhanced honeypots outperform community-acknowledged solutions such as Cowrie and Dionaea, and explains how interested parties can deploy their own local honeypots and connect them to a hardened LLM hosted at PCSS.
What will the TNC audience take away from your talk?
The audience learns about the A.I. 4 Security joint initiatives running within GN5-2 WP8 Task 4 and their results, through a demonstration of the integrated operational security tools. They are then invited to connect to these tools, deploy them locally and receive relevant CTI that allows them to trigger tangible insight and defence actions within their protected constituencies.
| Are you a first time speaker at TNC? | No |
|---|---|