A Guide to Different Kinds of Honeypots

Honeypots come in many shapes and sizes and are available to mimic lots of different kinds of applications and protocols. We shall take the definition of a honeypot as "a security resource whose value lies in being probed, attacked, or compromised"[Spitzner02]. That is, a honeypot is a system we can monitor to observe how attackers behave, a system which is designed to lure attackers away from more valuable systems and/or a system which is designed to provide early warning of an intrusion to the target network. A honeypot may be used for all three applications at the same time.

The first appearances of honeypots in computer science are possibly in "The Cuckoo's Egg" by Clifford Stoll and in An Evening with Berferd by Bill Cheswick. In the former fake military reports were used as bait for the attackers. The latter is more recognisable as the sort of honeypot we know today, where an attacker is monitored and diverted away from production systems. In this paper we give a brief overview of what is available and highlight some of the key differences between today's honeypots.