All Projects
Case 01·Research·First Author·2026–Present·ACM CCS 2026 Poster (planned)

ROS2Pot

Robots are entering the real world at scale, and agent-shaped attackers are coming. Someone has to prepare the battlefield first.

Key facts

  • A honeypot for robot-system (ROS 2/DDS) security, built for the era of LLM-agent attackers
  • Turns the agent attacker's own architectural weaknesses against it — defending an agent with an agent
  • Aimed at threat intelligence: it draws out the attacker's real intent, not just IPs or payloads

01 Spotting the Window

Two shifts are happening at once. On the attack side, the adversary is moving from human penetration testers to LLM agents that intrude autonomously. On the defense side, what we have to protect is moving too — from purely digital systems to robots that act on the physical world, where a breach has real, physical consequences. ROS2Pot is built to stand exactly where those two trajectories cross: a preemptive honeypot defense, with ROS 2 as its proving ground, for the moment robots and agent attackers arrive together.

Robotics now runs on ROS 2/DDS as its communication backbone — self-driving cars, drones, industrial arms all sit on top of it. Yet this layer has almost no honeypot defense: existing robot honeypots either stay stuck on the obsolete ROS 1 stack or just passively sniff packets at the DDS port, so the moment an attacker runs a single "ros2 node list" the disguise falls apart.

The window I saw was this: when the attacker becomes an agent, the defender should be one too — and an agent attacker has exploitable weaknesses, baked into its architecture, that a human simply doesn't have.

02 The Bet, and What I Traded For It

Instead of simulating a robot, I took the real ROS navigation system (nav2, the de facto standard navigation stack) and ran it untouched as the bait — every component the attacker sees is genuine, not a hollow imitation. It takes far more engineering to stand up, but in return, when an attacker runs any standard command to "ask" the system what it has (what nodes exist, what it can do), the answers are indistinguishable from a real robot under standard ROS 2 introspection tooling. Reconnaissance alone reveals nothing.

The key design is splitting the honeypot into a "front" and a "back." The front is a disguise shell, exposed on the network where attackers can scan it; the brain that actually makes decisions runs in the back — somewhere the attacker can't even scan. All they see is an ordinary robot, with no idea a system behind it is watching and outmaneuvering them.

The physics layer is real-and-fake too: normally it replays genuine recorded motion data, but the instant the attacker takes action and issues a control command, the system hands off to a live physics engine — the robot's motion state transfers seamlessly, with under 2.36 cm of position error in the first 10 seconds. It thinks it's driving a real machine.

03 The Real Payoff: Reverse Intelligence

Most honeypots are passive — you watch them, you log them, and that's it. ROS2Pot flips that: it is itself an LLM agent, and it strikes back. LLM agents inherit structural weaknesses from the transformer (training bias, blind trust in their input, alignment constraints, and more) — these aren't bugs in any one model but architectural traits that persist across generations.

I weaponize those weaknesses into ROS 2-native "deception cards": for instance, inside the rejection message of a failed parameter write, I plant what looks like a node audit policy that lures the attacker into writing its own mission objective into a monitored field. The result — the attacker agent states, verbatim and in its own words, what it was sent to do: "obtain write access to /cmd_vel and exfiltrate the parameter tree." What the honeypot learns isn't an IP or a payload — it's the attacker's intent.

I then ran the same trap against models from frontier to local, and got a result you can use directly: the take-the-bait rate itself reverse-calibrates the attacker's capability tier — the strongest frontier model sees through the trap and switches to another path, mid-tier models fall for it wholesale, and small local models take the bait almost every time. So the honeypot doesn't just extract intelligence — it doubles as a ruler for measuring an agent attacker's capability: the more readily it gives up its intent, the weaker it is, and the safer it is to handle.

04 Seeds for the Future

I submitted this as a poster on purpose. Securing robots against agent attackers is a topic far too large to close in a single paper — so the poster stakes out the proven core, and the directions below are the entry points through which I mean to take it deep.

The architecture is morphology-agnostic — swap four simulation artifacts (URDF, mesh, rosbag, actuator mapping) plus a replaceable upper-stack algorithm, and it extends from mobile robots to manipulators, aerial vehicles, and underwater platforms — turning a one-off demo into a platform.

Three directions matter most next:

  • Hybrid attackers. In reality an attacker is often a human setting the overall direction while delegating the concrete recon and execution subtasks to an LLM. The binary "human / agent" verdict can't cover this half-human, half-machine form; the task is to infer which actions a human decided and which the agent generated automatically, then compose deception strategies accordingly.
  • A more robust probe. Today's lure fires when the attacker copies a hidden character — mid-tier models fall for it, but frontier models see through it. The next-generation probe switches to a callback-style decoy that triggers when a link is resolved rather than copied, getting past strong models that strip hidden characters. It picks up exactly where the finding above left off — not stopping at "strong models don't take the bait," but designing the way through it.
  • A behavioral signature library. Distilling session-level attacker behavioral signatures from accumulated session data — analogous to an IDS signature database, but capturing an agent's behavioral fingerprint rather than byte-level features.

In the long run, I want to take this research axis — robotics + agents + security — and turn it into the core technical assets of a robot security company. For the broader argument — why agent attackers change the entire security landscape, not just robotics — see When the Distance Between Intent and Capability Hits Zero.

More Projects

Making AI land safely
in the real world

Vīrya — the hero's energy, the root English keeps in virtue. An old creed that runs my work: make the vow, then keep it without pause — small water, always flowing, cuts through stone. If you hold a problem worth years, I want it.