What is a Honey Pot?

1. Introduction

Honeypots are special programs that are written for a sole purpose: to be exploited. Honeypots can emulate the existence of the vulnerability, so the attackers, viruses and worms are attracted to this system which appears to be poorly secured. The honeypots collect as much information as they can on the attacks that come from various sources, which enables us to later analyze and study them a little further. This can be a great tool to use to reveal any zero-day worms that haven’t been discovered yet.

The Wikipedia classifies honeypots in two groups based on a different criterion. The first criterion is based on deployment of the honeypots in which there are two groups of honeypots mentioned below:

• Production honeypots: Are primarily used in the company’s internal network to improve the security of the whole network. They are easy to use, but provide less information about the attacks.
• Research honeypots: These honeypots are very complex, but provide a very detailed information about the attacks and are used by research, military or government organizations.

The second criterion classifies honeypots based on the design criteria and introduces three groups mentioned below:

• Pure honeypots: are full production systems, so no other software needs to be installed.
• High-interaction honeypots: use non-emulated operating systems with multiple services which can be exploited by the attacker. This kind of honeypots requires quite a lot of resources to function, but we can lower the expense by using multiple virtual machines.
• Low-interaction honeypots: emulate the part of the system and services most frequently used. They consume relatively low resources, but the cost can nevertheless be lowered by the use of virtual machines, because multiple VMs can easily be run on one physical computer. These honeypots are a great way to collect the malware that botnets and worms (Read more...)