Survey of High Interaction Honeypot Tools: Merits

Abdulrazaq Almutairi (Author)
School of Electronic, Electrical and Systems Engineering, Loughborough University, Leicestershire, UK LE11 3TU
Email: A.Almutairi@lboro.ac.uk

Prof. David Parish, Dr. Raphael Phan (Coauthors)
School of Electronic, Electrical and Systems Engineering, Loughborough University, Leicestershire, UK LE11 3TU
Email: D.J.Parish@lboro.ac.uk, R.Phan@lboro.ac.uk
Abstract—Honeypots are defined as fictional vulnerable services and systems that present themselves as generic systems that can be used for unauthorised / illicit purposes by abusers, where the objective is to study their attack / system-compromising methodology and to gather forensic information. Honeypot systems are categorised by level of interaction as low-, medium- or high-interaction honeypots. High-interaction honeypots offer functionality to collect a large amount of information about attackers, viz. attack strategy, actions, tools, origin, identity etc., which suits the needs of the forensic data analyst and makes high-interaction honeypot tools very useful. However, tools from this category also introduce a high level of risk, both by putting other machines in a high-risk position and from a data analysis perspective, since the level of flexibility / interaction provided to the attacker makes the captured data very difficult to analyse. This paper discusses the features of various high-interaction honeypot tools available to researchers and compares them using a detection method. It has been realised that most of the tools have similar features, other than the data analysis functionality, which varies between tools.

Keywords-Honeypots, High Interaction Honeypots, Forensic

I. INTRODUCTION AND BACKGROUND
Information security is becoming a primary concern in this age of information. The classical method of security, which was more or less defensive, is now being scaled to a more aggressive defence format. Intrusion detection is the process of monitoring networks and the machines within a network for unauthorised usage and / or activity.
One reference explains Intrusion Detection Systems (IDSs) as systems for detecting unwanted manipulation of a system. This manipulation may take the form of an attack by an attacker or simply the use of a malicious script that changes the fingerprint of the system under attack. Typically, an IDS is required to detect all malicious traffic that cannot be detected by generally deployed tools such as firewalls. IDSs are categorised into host-based (HIDS), where data on an individual computer system is examined, and network-based (NIDS), where the data packets that transit the network are analysed. According to one reference, the various types of network attacks include data-driven attacks on applications and network attacks on hosts; host attacks include unauthorised logins, setup of malware, access to files and changing of privileges. Unlike common IDSs, honeypot technology tends to provide the attacker with the important resources needed for a successful attack. A honeypot- or honeynet-based decoy system is implemented for the purpose of intrusion detection and protection.
A honeypot is difficult to define, as there are a number of interpretations in the literature, covering the domains of attack prevention, attack detection and data collection in the context of security. It is distinctive in that it is a technology and not a solution or procedure / process for resolving a particular security issue. A honeypot is a trap set to detect, deflect or in some cases counteract attempts at unauthorised usage of production systems. It appears to be part of a network but remains isolated and protected. Its value lies in being probed, attacked and compromised. Hence, honeypots have no production value and should not see any legitimate traffic or events. According to one reference, the purposes of honeypots or monitored honeynet networks include:
1. They form a defensive distraction system in order to direct an attacker towards machines containing no valuable information;
2. They serve as an early warning system that can inform about exploitation trends; and
3. They become a data collection store that can be used to examine the methods and processes used to exploit a honeypot.
Interaction with honeypots is expected from attackers; hence the value of a honeypot lies in the unauthorised interaction conducted by abusers of the vulnerable honeypot.
Another term used regularly with honeypots is Honeynet, meaning a network formed of one or more honeypots. Honeypots are classified based on level of interaction and purpose. Further details regarding the same are discussed in Section 3.
This paper is organised as follows: In Section 2, we discuss the various types of honeypots, followed by Section 3, where the monitoring methods used by honeypots are discussed in detail. Section 4 enumerates the advantages and shortcomings of honeypots / honeynets and Section 5 presents a brief discussion about the research being conducted by the author. Finally, Section 6 concludes the paper along with a discussion regarding the future of honeypots.

ISBN: 978-1-902560-26-7 © 2012 PGNet
II. CLASSIFICATION OF HONEYPOTS
Honeypots can be classified based on the level of interaction (low and high) and based on their purpose (research and production). The level of interaction defines the extent of activity the honeypot allows an attacker.

A. Level of Interaction
1) Low-Interaction Honeypots
A low-interaction honeypot simulates only limited services that cannot be exploited enough to gain total control of the honeypot. A low-level honeypot provides emulated services and an emulated operating system to the attacker, which makes it easier to deploy and maintain. Examples of emulated services include an FTP service listening on port 21 (Telnet), login to an FTP server etc. The emulated services mitigate risk by containing the attacker's activity. The interaction between this type of honeypot and the production system is very limited. These honeypots can be compared to a passive IDS, as network traffic is not modified in any way and they do not interact with the attacker, thus mitigating the risk associated with this category of honeypots. Generally, low-interaction honeypots are used to analyse spammers and can also be used to provide countermeasures against worms.
A well-known example of a commercial low-interaction honeypot is Honeyd. Honeyd is a daemon that can be used to simulate a large network on a single network host. It is a framework for creating virtual honeypots using the unused IP addresses of a network, which simulates various operating systems and services. Other low-interaction honeypots include Specter and KFSensor. Specter can monitor a total of 14 TCP ports; of these 14 monitored ports, 7 are called traps and the other 7 are called services. Traps are port listeners: when the attacker makes a connection, the attempt is terminated and then logged. Services are more advanced, in that there is interaction with the attacker, emulating the application. The level of emulation depends on each service. For example, the HTTP service emulates a simple Web server with default static Web pages. Figure 1 shows the control panel of the low-interaction honeypot tool Specter.

Figure 1. Control panel for the Specter tool showing services that may be emulated (Source: )

KFSensor simulates system services at the application layer. One reference explains the methods by which KFSensor can be used to set up new firewall rules. Figure 2 shows HTTP service emulation within the low-interaction honeypot tool KFSensor.

Figure 2. HTTP service emulation setup using KFSensor (Source: )

2) High-Interaction Honeypots
High-interaction honeypots are complex solutions, which include deploying real operating systems and applications. As they involve a real operating system, the level of risk is increased many-fold, but this is a trade-off in order to capture extensive amounts of information by allowing the attackers to interact with real systems. This facilitates capturing / logging the full extent of the attacker's behaviour, which can be analysed at a later stage. According to one reference, as the attacker has more resources to exploit at his disposal, a high-interaction honeypot should be regularly monitored to ensure that it does not become a security issue.
Examples of high-interaction honeypots include Honeynets, Sebek, Argos etc. Argos offers a full operating system to the attacker, and when the attacker tries to do something malicious the honeypot will shut down and make dumps of memory and disk to get information about what the attacker was trying to do. Greater detail regarding high-interaction monitoring methods is given in Section 3.

B. Purpose of Honeypot
1) Research Honeypot
A research honeypot is used to gain information about the attacker community and does not add any direct value to the organisation. The purpose of research honeypots is to gather intelligence regarding the general threats that an organisation may face and hence allow the organisation to protect itself better against those analysed threats. The
primary function is to study the methods by which attackers attack and to understand their objectives and behaviour. These honeypots are like high-interaction honeypots in that they are complex to deploy and difficult to maintain. They are generally used within the research and commercial community, in addition to military and defence organisations. According to one reference, they add tremendous value to research by providing a platform to study cyber threats and attacks. They may also be suitable for aiding the development of analysis and forensic skills. One reference provides an instance where a honeypot was used for forensic analysis of a DNS attack.

2) Production Honeypots
Production honeypots are used within the environment of an organisation to protect the information assets of the organisation and help in the mitigation of risk. Unlike research honeypots, they have direct value, as they provide security to the organisation's production resources. As they do not require a large amount of functionality, they are not too complex to deploy or maintain and, consequently, they are unable to provide a large amount of information regarding the attackers. Their primary function is to mirror the production network of the organisation and invite attackers to interact with them, so that vulnerabilities of the network can be exposed. They are considered to add value to the detection of attacks rather than the prevention of attacks. One example of a production honeypot is Nepenthes.

TABLE I. CLASSIFICATION OF HONEYPOTS

Classification of Honeypot                        | Examples               | Brief Description
Level of Interaction: Low Interaction Honeypot    |                        | A low-interaction honeypot simulates only limited services that cannot be exploited enough to gain total control of the honeypot.
Level of Interaction: High Interaction Honeypot   | Honeynet, Sebek, Argos | High-interaction honeypots are complex solutions, which include deploying real operating systems and applications.
Purpose: Research Honeypot                        | Honeynets              | A research honeypot is used to gain information about the attacker community and does not add any direct value to the organisation.
Purpose: Production Honeypot                      | Nepenthes              | Production honeypots are used within the environment of an organisation to protect the information assets of the organisation and help in the mitigation of risk.

III. MONITORING METHODS OF HIGH-INTERACTION HONEYPOTS
Honeypot monitoring is a very important component of any honeypot deployment. There are two methods used for monitoring honeypots, viz. the external method (network-based) and the internal method (host-based). In the network-based method, all packets sent to or received from the monitored honeypot are captured using traffic sniffing tools such as TCPDUMP and Ethereal. In the host-based method, specialised sensors are deployed within the honeypot in order to monitor and record system events.
It should be noted that both approaches have their strengths and weaknesses. For instance, the network-based approach, though transparent and invisible to the attacker, can sniff packets by being deployed outside the honeypot, but it cannot capture internal system events on a vulnerable honeypot. Furthermore, it may be ineffective, or perform at lower effectiveness, if the network traffic is encrypted. On the other hand, the host-based method, if detected by the attacker, can be tampered with, thus leaving it ineffective.
Data capture modules in high-interaction honeypots deal with the collection and recording of all the activities of the honeypot. They deceive the intruder by capturing all activity within the honeypot without the attacker knowing about any monitoring, i.e. through the introduction of decoy systems.

A. Sebek
Sebek is a high-interaction honeypot system that works as follows for the purpose of monitoring:
• Sebek installs as a hidden loadable kernel module that captures all host activities. As a result of installation, Sebek replaces a number of sensitive system calls in the original operating system. For instance, in the latest Sebek development for Linux, 11 system calls have been replaced, viz. sys_open, sys_read, sys_readv, sys_pread64, sys_write, sys_writev, sys_pwrite64, sys_fork, sys_vfork, sys_clone and sys_socketcall. The hashtable for system calls is updated / hijacked by Sebek with its own system handlers, as shown in Figure 3.

Figure 3. Instance of modified sys_read system call after loading of Sebek

• Upon successful replacement of the system calls, Sebek intercepts any subsequent invocation of the above-mentioned system calls and captures the arguments as well as any context information such as the PID. After capturing, Sebek invokes the system call handler and executes the system call with the passed arguments in order to complete the requested service call.
• All collected information about invocations of the replaced system calls is sent to a remote Sebek server so that it can be analysed in real time or saved for later analysis.
Figure 4 shows the Sebek-based approach to honeypot monitoring.
For the purpose of monitoring malicious activity in the honeypot, internal sensors like Sebek need to be transparent and tamper-resistant. However, as mentioned before, in case of compromise an attacker may introduce anomalies such as:
• modification of the replaced system call table,
• inconsistency in statistics transmitted by the honeypot,
• Unsebek of a honeypot system.
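The three Sebek steps above (replace table entries, capture PID and arguments then complete the call, forward records to a collector), as an added user-space model that is not Sebek's own code: a handler table stands in for the kernel's system call table and an in-process array stands in for the remote Sebek server. Function names, the record layout and the in-memory file behind fd 3 are assumptions made for the example.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* User-space model of the Sebek capture flow described above (added example, not
 * Sebek's code). A handler table stands in for the kernel's system call table;
 * "installing Sebek" swaps in wrappers that record the PID and arguments of a call,
 * hand the record to a collector, then chain to the saved original handler so the
 * call still completes. Names, record layout and the in-memory file behind fd 3
 * are assumptions; real Sebek runs in the kernel and sends records over the network. */

typedef long (*syscall_fn)(int fd, char *buf, size_t len);
enum { NR_READ = 0, NR_WRITE = 1, NR_CALLS = 2 };
static syscall_fn sys_call_table[NR_CALLS];  /* the table Sebek "hijacks" */
static syscall_fn saved_handlers[NR_CALLS];  /* originals, kept so the wrappers can chain */
/* One capture record (assumed layout, not Sebek's wire format). */
struct capture_record { pid_t pid; int nr; int fd; size_t length; char data[64]; };
#define MAX_RECORDS 16
static struct capture_record collector[MAX_RECORDS]; /* stands in for the remote Sebek server */
static int collected;
/* "Original" handlers: a single in-memory file reachable through fd 3. */
static char store[128]; static size_t store_len;

static long real_read(int fd, char *buf, size_t len) {
    if (fd != 3) return -1;
    if (len > store_len) len = store_len;
    memcpy(buf, store, len);
    return (long)len;
}
static long real_write(int fd, char *buf, size_t len) {
    if (fd != 3 || len > sizeof store) return -1;
    memcpy(store, buf, len);
    store_len = len;
    return (long)len;
}

/* Sebek's step two: capture PID and arguments, forward the record, then run the real call. */
static long capture_then_call(int nr, int fd, char *buf, size_t len) {
    struct capture_record r = { getpid(), nr, fd, len, "" };
    if (nr == NR_WRITE)  /* a write's payload is known before the call executes */
        memcpy(r.data, buf, len < sizeof r.data - 1 ? len : sizeof r.data - 1);
    if (collected < MAX_RECORDS) collector[collected++] = r;   /* "send" to the server */
    return saved_handlers[nr](fd, buf, len);
}
static long hooked_read(int fd, char *buf, size_t len)  { return capture_then_call(NR_READ, fd, buf, len); }
static long hooked_write(int fd, char *buf, size_t len) { return capture_then_call(NR_WRITE, fd, buf, len); }

/* Clean, unhooked state: original handlers, empty file, empty collector. */
void install_original_table(void) {
    sys_call_table[NR_READ] = real_read;  sys_call_table[NR_WRITE] = real_write;
    collected = 0;  store_len = 0;
}

/* Sebek's step one: replace the table entries with the module's own handlers. */
void install_sebek_hooks(void) {
    saved_handlers[NR_READ]  = sys_call_table[NR_READ];   sys_call_table[NR_READ]  = hooked_read;
    saved_handlers[NR_WRITE] = sys_call_table[NR_WRITE];  sys_call_table[NR_WRITE] = hooked_write;
}

/* Issue one write and one read through the table as a process would; returns bytes read back. */
long exercise_table(const char *msg, char *out, size_t outlen) {
    char tmp[64];
    strncpy(tmp, msg, sizeof tmp - 1);  tmp[sizeof tmp - 1] = '\0';
    sys_call_table[NR_WRITE](3, tmp, strlen(tmp));
    return sys_call_table[NR_READ](3, out, outlen);
}

int collected_records(void) { return collected; }
const struct capture_record *record_at(int i) { return &collector[i]; }
```

The test below checks the property the paper relies on: the call completes exactly as before, while the collector holds a record per intercepted call carrying the PID, the file descriptor and, for the write, the payload.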
B. Honeynets
Honeynet is a high-interaction honeypot developed by The Honeynet Project in order to capture information on the network. The primary purpose of the honeynet is to gather information on security issues. It acts as a gateway, called Honeywall, by collecting data from and to the honeypots on the network.
Figure 5 shows the Honeywall gateway, which forms the main part of the Honeynet and works by capturing all the traffic entering or leaving the honeypot network. It separates the honeypot victims from the rest of the network. According to one reference, it can be configured as a layer 2 or layer 3 routing gateway; however the layer 3 configuration is preferred, as in bridge mode it is difficult for the attackers to detect because the gateway has no IP address associated with itself. A highly controlled network where every packet entering or leaving is monitored, captured and analysed consists of data control, data capture and data analysis.
• Data Control: In a scenario where a honeypot deployed within the honeynet is compromised, the honeynet has to contain all the activities and ensure that production systems are not harmed in any way. It should be ensured that all traffic can flow in and out of the honeynet without attackers detecting the control activities.
• Data Capture: This part captures all activities within the honeynet and the data entering and leaving the honeynet without the attacker knowing that they are being monitored. All the activities of the attacker are logged and the captured data is analysed to understand the vulnerabilities and motives of the attacker.
• Data Collection: All captured data is forwarded to a centralised data collection point. This facilitates captured data being collected, analysed and archived at one location.

Figure 4. Sebek-based approach to honeypot monitoring in the context of HTTP (Source: )

Figure 5. Honeywall architecture (Source: )

IV. ADVANTAGES AND DISADVANTAGES OF HONEYPOTS
Having understood the background and detection of honeypots, the following distinct advantages have been realised as compared to other security systems:
• Small Data Sets: Honeypots are only interested in the traffic that arrives at them, rather than the traffic overload generally observed in production systems, where differentiating between legitimate and illegitimate packets is a difficult and complex task. Overall, a honeypot collects small data sets of high value.
• Catch new attacks, false negatives: As honeypots capture everything arriving at them, they are capable of catching new tactics and attack methods which may previously have been considered false negatives.
• Work in encrypted or IPv6 environments: Honeypots have been tested to work with encrypted traffic and have scaled to IPv6 environments.
• Minimal Resources: As only limited data is captured, a high-end set of resources is not required for honeypots. It is a simple concept that requires minimal resources.
Some of the disadvantages associated with honeypots as compared to other security systems / approaches are as follows:
• Limited field of View (Microscope): It is inherent to honeypots that the only activity or data they capture is when the attacker directly interacts with them. Attacks happening on other parts of the honeypot network are unknown to a particular honeypot.
• Risk (mainly high-interaction honeypots): Though unlikely with low-interaction honeypots, in the case of high-interaction honeypots, where real operating systems and applications are deployed, parts of the production network may be attacked in scenarios of compromise, which could be a major concern for an organisation.

V. RESEARCH PROPOSAL
Cyber forensics is a problem of great significance to information infrastructure protection because computer networks are at the heart of the operational control of much of the mission-critical operations. Analysing network activity in order to discover the source of security policy violations or information assurance breaches is very critical. Capturing
network activity for forensic analysis may be perceived as trivial, but it is relatively difficult in practice. Not all the information captured or recorded will be useful for analysis. Our research concerns network forensics, offline intrusion analysis and the related issue of identifying important input features for computer forensics and intrusion detection. Honeypots can not only help in understanding the motives and behaviour of the blackhat community but also, in certain cases, trace back to cyber criminals with evidence of the process / method they use for compromising the system, in a proactive manner. We endeavour to create an automated network forensic system that would use high-interaction honeypots at its core.

VI. CONCLUSION
In this paper we provided a concise overview of honeypots and their uses. We also discussed the various classifications and categories of honeypots, namely research, production, low-interaction and high-interaction honeypots. We also looked in detail into the detection methods used by two different high-interaction honeypot systems, viz. Sebek and Honeynet. Although honeypots have been an active area of research for a decade, they are gaining popularity due to the degree of analysis tools and capturing and detection techniques that are becoming invaluable in the world of cyber crime and network forensics.

REFERENCES
M. Meijerink and J. Spellen, "Intrusion Detection System honeypots," Master Program System and Network Administration, University of Amsterdam, Amsterdam, 2006.
I. Kuwatly, et al., "A dynamic honeypot design for intrusion detection," in IEEE/ACS International Conference on Pervasive Services, 2004. ICPS 2004, 2004, pp. 95-104.
L. Spitzner, "Honeypots: simple, cost-effective detection," SecurityFocus InFocus Article, http://www.securityfocus.com/infocus/1690, 2003.
I. Mokube and M. Adams, "Honeypots: concepts, approaches, and challenges," in Proceedings of the 45th annual southeast regional conference ACM-SE 45, Winston-Salem, North Carolina, 2007, pp.
P. Gupta, et al., "Securing WMN using Honeypot Technique," International Journal on Computer Science and Engineering, vol. 4, pp. 235-238, 2012.
N. Sharma and S. S. Sran, "Detection of threats in Honeynet using Honeywall," International Journal on Computer Science and Engineering (IJCSE), vol. 3, pp. 3332-3336, 2011.
N. Provos, "Honeyd - a virtual honeypot daemon," in 10th DFN-CERT Workshop, 2003.
Netsec. (2012, 15th March). Specter. Available:
KFSensor. (2012, 15th March). KFSensor: Advanced Windows Honeypot System. Available: http://www.keyfocus.net/kfsensor/
H. Saini, et al., "Extended Honeypot Framework to Detect old/new cyber attacks," International Journal of Engineering Science (IJEST), vol. 3, pp. 2421-2426, 2011.
A. N. Singh and R. Joshi, "A honeypot system for efficient capture and analysis of network attack traffic," in International Conference on Signal Processing, Communication, Computing and Networking Technologies (ICSCCN), 2011, pp. 514-519.
T. H. Project. (2012, 1st March). The Honeynet Project. Available:
P. S. Huang, et al., "Design and implementation of a distributed early warning system combined with intrusion detection system and honeypot," in Proceedings of the 2009 International Conference on Hybrid Information Technology ICHIT '09, 2009, pp. 232-238.
G. Portokalidis, et al., "Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation," ACM SIGOPS Operating Systems Review, vol. 40, pp.
K. Sadasivam, et al., "Design of network security projects using honeypots," Journal of Computing Sciences in Colleges, vol. 20, pp. 282-293, 2005.
L. Spitzner, "Know your enemy: A forensic analysis," URL: http://www.securityfocus.com/focus/ih/articles/foranalysis.html.
P. Baecher, et al., "The nepenthes platform: An efficient approach to collect malware," in Recent Advances in Intrusion Detection, 2006, pp. 165-184.
TCPDUMP. (2012, 16th March). TCPDUMP. Available: http://www.tcpdump.org
Ethereal. (2012, 1st March). Ethereal: A Network Protocol Analyser. Available: http://www.ethereal.com
X. Jiang and X. Wang, "Out-of-the-box monitoring of VM-based high-interaction honeypots," in Proceedings of the 10th international conference on Recent advances in intrusion detection RAID'07, Gold Coast, Australia, 2007, pp. 198-218.
J. Corey. (2003) Local honeypot identification. Fake Phrack Magazine, http://www.ouah.org/p62-0x07.txt.