The purpose of a honeypot is to detect and
learn from attacks and to use that information
to provide network security.
Honeypots are classified by their role in
application, meaning they can be used for
production and research.
DEFINITION OF HONEYPOT:
“A honeypot is security resource whose value lies
in being probed, attacked, or compromised.”
A honeypot is a system that is built and set up in
order to be hacked.
1990-1991: The first honeypot studies were
released by Clifford Stoll and Bill Cheswick.
1997: Deception Toolkit version 0.1 was
introduced by Fred Cohen.
1998: The first commercial honeypot, known as
Cyber Cop Sting, was released.
1998: The Back Officer Friendly honeypot was
introduced. It was free and easy to configure. It
runs on the Windows operating system.
1999: After Back Officer Friendly, interest in
this new technology grew. The Honeynet
Project started in this year, and people came to
understand the aim of honeypots better.
prevent automated attacks: (worms and auto-
identify a failure or breakdown in prevention
TYPES OF HONEYPOT
Complex to deploy and maintain.
Captures extensive information.
Run by a volunteer (non-profit).
Used to research the threats organizations face.
Easy to use
Capture only limited information
Used by companies or corporations
Mitigates risks in the organization
LEVEL OF HONEYPOT
Level of interaction determines the amount of functionality a
LOW INTERACTION: Low learning, complexity & risk
HIGH INTERACTION: High learning, complexity & risk
HIGH LEVEL INTERACTION
The load on high-interaction honeypots is reduced
by preprocessing the traffic with low-interaction
honeypots as much as possible.
A high-interaction honeypot can be compromised
completely, allowing an adversary to gain full
access to the system and use it to launch further
In high-interaction honeypots nothing is
emulated; everything is real.
High-interaction honeypots provide a far
more detailed picture of how an attack or
intrusion progresses or how a particular piece of
malware executes in real time.
LOW LEVEL INTERACTION
This kind of honeypot has a small chance of
It is a production honeypot.
Typical uses of a low-interaction honeypot:
port scans identification,
generation of attack signatures,
trend analysis and malware collection.
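An added example, not part of the original slides: one way to do the port-scan identification listed above from a low-interaction honeypot's connection log. The log format (time, source IP, port), the sample lines and the thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original page): time, source IP, honeypot port.
SAMPLE_LOG = """\
2024-01-01T10:00:00 198.51.100.7 21
2024-01-01T10:00:01 198.51.100.7 22
2024-01-01T10:00:02 198.51.100.7 23
2024-01-01T10:00:02 203.0.113.9 22
2024-01-01T10:00:03 198.51.100.7 80
2024-01-01T10:00:04 198.51.100.7 445
2024-01-01T10:05:00 203.0.113.9 22
2024-01-01T11:30:00 203.0.113.9 22
malformed line
"""

def parse(log_text):
    """Yield (time, source, port) tuples, skipping lines that do not parse."""
    for line in log_text.splitlines():
        parts = line.split()
        try:
            ts, src, port = parts
            yield datetime.fromisoformat(ts), src, int(port)
        except ValueError:
            continue

def find_port_scans(log_text, min_ports=4, window=timedelta(seconds=60)):
    """Return {source: ports} for sources probing >= min_ports distinct ports within window."""
    by_source = defaultdict(list)
    for ts, src, port in parse(log_text):
        by_source[src].append((ts, port))
    scanners = {}
    for src, events in by_source.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                scanners[src] = sorted(set(scanners.get(src, [])) | ports)
    return scanners

if __name__ == "__main__":
    for src, ports in find_port_scans(SAMPLE_LOG).items():
        print(f"{src} scanned ports {ports}")
```

The second source in the sample is not reported as a scan, but because a honeypot has no legitimate users its repeated contact is still worth reviewing.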
PLACEMENT OF HONEYPOT
In front of the firewall (Internet)
DMZ (De-Militarized Zone)
Behind the firewall (intranet)
Mainly, there are two types of honeypot topologies:
Two or more honeypots on a network form a honeynet.
Actual network of computers
It's an architecture, not a product
Monitoring, capturing, and analyzing all the packets entering
or leaving through networks.
All the traffic entering or leaving through the Honeynet is
Provides real systems, applications, and services for attackers to
Any traffic entering or leaving is suspect.
ADVANTAGES OF HONEYPOTS
Honeypots are focused (small data sets)
Honeypots help to catch unknown attacks
Honeypots can capture encrypted activity (cf. Sebek)
Honeypots work with IPv6
Honeypots are very flexible
Honeypots require minimal resources
DISADVANTAGES OF HONEYPOT
Limited View: honeypots can only track and capture
activity that directly interacts with them.
Specifically, honeypots have the risk of being taken over by
the bad guy and being used to harm other systems. This risk
varies for different honeypots.
The purpose of this topic was to define what honeypots
are and their value to the security community. We
identified two different types of honeypots, low-
interaction and high-interaction honeypots.
Honeypots are not a solution; they are a flexible tool with
different applications to security.
Primary value in detection and information gathering.
Just the beginning for honeypots.
“The more you know about your enemy,
the better you can protect yourself”