Kocaogullar, Yekta, Cetin, Orcun, Arief, Budi, Brierley, Calvin, Pont, Jamie, Hernandez-Castro, Julio C. (2025) Hunting High or Low: Evaluating the Effectiveness of High-Interaction and Low-Interaction Honeypots. In: Lecture Notes in Computer Science. Socio-Technical Aspects in Security. 12th International Workshop, STAST 2022, Copenhagen, Denmark, September 29, 2022, Revised Selected Papers. 13855. Springer E-ISBN 978-3-031-83072-3. (doi:10.1007/978-3-031-83072-3_2) (KAR id:102122)
PDF, Accepted Version. Language: English
Official URL: https://doi.org/10.1007/978-3-031-83072-3_2
Abstract
Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay that the attackers are allowed to do. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them. 
It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots.
| Item Type: | Conference or workshop item (Proceeding) |
|---|---|
| DOI/Identification number: | 10.1007/978-3-031-83072-3_2 |
| Uncontrolled keywords: | Security, honeypot, high-interaction, low-interaction, decision-making, comparative study |
| Subjects: | Q Science > QA Mathematics (inc Computing science) |
| Institutional Unit: | Schools > School of Computing; Institutes > Institute of Cyber Security for Society |
| Former Institutional Unit: | Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing; University-wide institutes > Institute of Cyber Security for Society |
| Funders: | University of Kent (https://ror.org/00xkeyj56) |
| Depositing User: | Budi Arief |
| Date Deposited: | 18 Jul 2023 14:32 UTC |
| Last Modified: | 25 Nov 2025 15:42 UTC |
| Resource URI: | https://kar.kent.ac.uk/id/eprint/102122 (The current URI for this page, for reference purposes) |

https://orcid.org/0000-0002-1830-1587