Kent Academic Repository

Hunting High or Low: Evaluating the Effectiveness of High-Interaction and Low-Interaction Honeypots

Kocaogullar, Yekta, Cetin, Orcun, Arief, Budi, Brierley, Calvin, Pont, Jamie, Hernandez-Castro, Julio C. (2022) Hunting High or Low: Evaluating the Effectiveness of High-Interaction and Low-Interaction Honeypots. In: 12th International Workshop on Socio-Technical Aspects in Security (STAST 2022). pp. 15-31. (In press) (KAR id:102122)

Abstract

Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay permitted to attackers. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them.
It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots.

Item Type: Conference or workshop item (Proceeding)
Uncontrolled keywords: Security, honeypot, high-interaction, low-interaction, decision-making, comparative study
Subjects: Q Science > QA Mathematics (inc Computing science)
Divisions: Divisions > Division of Computing, Engineering and Mathematical Sciences > School of Computing
University-wide institutes > Institute of Cyber Security for Society
Funders: University of Kent (https://ror.org/00xkeyj56)
Depositing User: Budi Arief
Date Deposited: 18 Jul 2023 14:32 UTC
Last Modified: 19 Jul 2023 09:50 UTC
Resource URI: https://kar.kent.ac.uk/id/eprint/102122 (The current URI for this page, for reference purposes)
