Simulating Web User Behavior Using LLM-Driven Browser Automation for Realistic IDS Dataset Generation

Anna Erdi

Simulating Web User Behavior Using LLM-Driven Browser Automation for Realistic IDS Dataset Generation

Anna Erdi

Research output: Thesis › Master's Thesis

Abstract

Intrusion Detection Systems (IDS) require high-fidelity data reflecting realistic user behavior for effective training and evaluation. Traditional simulation frameworks often rely on static, rule-based models that fail to capture the variability and nuance of human activity. This thesis presents a novel approach to user behavior simulation using Large Language Models (LLMs), specifically GPT-4.1, to dynamically generate browser-based actions within a cybersecurity testbed. A command-line interface (CLI) tool was developed to translate nat-
ural language prompts into structured YAML playbooks, which are executed via a custom Playwright-based Browser Executor in the AttackMate framework. The simulation focused on a Central Alarm System (CAS) operator using ZoneMinder. A Turing-test-inspired qualitative evaluation was conducted with cybersecurity experts to assess the realism of LLM-generated behaviors compared to human-generated ones. Results indicate that LLMs can produce convincingly human-like interactions, demonstrating their potential to enhance IDS dataset generation with greater realism and lower manual effort.

Original language	English
Qualification	Master of Science
Awarding Institution	FH Campus Wien – University of Applied Sciences
Supervisors/Advisors	Göschka, Karl M., Supervisor, External person Skopik, Florian, Supervisor
Award date	31 May 2026
Publication status	Published - May 2025

Research Field

Cyber Security

Access to Document

Cite this

@mastersthesis{ff329a371a0a484782e1d5e1d743b756,

title = "Simulating Web User Behavior Using LLM-Driven Browser Automation for Realistic IDS Dataset Generation",

abstract = "Intrusion Detection Systems (IDS) require high-fidelity data reflecting realistic user behavior for effective training and evaluation. Traditional simulation frameworks often rely on static, rule-based models that fail to capture the variability and nuance of human activity. This thesis presents a novel approach to user behavior simulation using Large Language Models (LLMs), specifically GPT-4.1, to dynamically generate browser-based actions within a cybersecurity testbed. A command-line interface (CLI) tool was developed to translate nat- ural language prompts into structured YAML playbooks, which are executed via a custom Playwright-based Browser Executor in the AttackMate framework. The simulation focused on a Central Alarm System (CAS) operator using ZoneMinder. A Turing-test-inspired qualitative evaluation was conducted with cybersecurity experts to assess the realism of LLM-generated behaviors compared to human-generated ones. Results indicate that LLMs can produce convincingly human-like interactions, demonstrating their potential to enhance IDS dataset generation with greater realism and lower manual effort.",

author = "Anna Erdi",

year = "2025",

month = may,

language = "English",

school = "FH Campus Wien – University of Applied Sciences",

}

TY - THES

T1 - Simulating Web User Behavior Using LLM-Driven Browser Automation for Realistic IDS Dataset Generation

AU - Erdi, Anna

PY - 2025/5

Y1 - 2025/5

N2 - Intrusion Detection Systems (IDS) require high-fidelity data reflecting realistic user behavior for effective training and evaluation. Traditional simulation frameworks often rely on static, rule-based models that fail to capture the variability and nuance of human activity. This thesis presents a novel approach to user behavior simulation using Large Language Models (LLMs), specifically GPT-4.1, to dynamically generate browser-based actions within a cybersecurity testbed. A command-line interface (CLI) tool was developed to translate nat- ural language prompts into structured YAML playbooks, which are executed via a custom Playwright-based Browser Executor in the AttackMate framework. The simulation focused on a Central Alarm System (CAS) operator using ZoneMinder. A Turing-test-inspired qualitative evaluation was conducted with cybersecurity experts to assess the realism of LLM-generated behaviors compared to human-generated ones. Results indicate that LLMs can produce convincingly human-like interactions, demonstrating their potential to enhance IDS dataset generation with greater realism and lower manual effort.

AB - Intrusion Detection Systems (IDS) require high-fidelity data reflecting realistic user behavior for effective training and evaluation. Traditional simulation frameworks often rely on static, rule-based models that fail to capture the variability and nuance of human activity. This thesis presents a novel approach to user behavior simulation using Large Language Models (LLMs), specifically GPT-4.1, to dynamically generate browser-based actions within a cybersecurity testbed. A command-line interface (CLI) tool was developed to translate nat- ural language prompts into structured YAML playbooks, which are executed via a custom Playwright-based Browser Executor in the AttackMate framework. The simulation focused on a Central Alarm System (CAS) operator using ZoneMinder. A Turing-test-inspired qualitative evaluation was conducted with cybersecurity experts to assess the realism of LLM-generated behaviors compared to human-generated ones. Results indicate that LLMs can produce convincingly human-like interactions, demonstrating their potential to enhance IDS dataset generation with greater realism and lower manual effort.

M3 - Master's Thesis

ER -

Simulating Web User Behavior Using LLM-Driven Browser Automation for Realistic IDS Dataset Generation

Abstract

Research Field

Access to Document

Fingerprint

Cite this