Hunting high or low: evaluating the effectiveness of high-interaction and low-interaction honeypots

Honeypots are cybersecurity mechanisms that are set up as decoys in networks to lure and monitor attackers trying to compromise vulnerable systems. Two commonly used honeypot designs are high-interaction and low-interaction honeypots, which differ in the amount of interplay that the attackers are allowed to do. So far, the effectiveness of high-interaction and low-interaction honeypots has been understudied, making it difficult for security teams to choose between different honeypot technologies. The aim of this paper is to compare the effectiveness of high-interaction and low-interaction honeypots through real-world data. We deployed multiple Elasticsearch honeypot implementations to collect data: a closed-source high-interaction honeypot developed by the authors, and three types of open-source low-interaction honeypots (namely Elastichoney, Delilah and Elasticpot). The collected data came from 48 instances of high-interaction honeypots and 111 instances of low-interaction honeypots, over a period of 14 days. We found that low-interaction honeypots captured only a fraction of the attacks that high-interaction honeypots can catch. On the other hand, low-interaction honeypots are simpler, more efficient to run due to their low usage of resources, and easier to deploy. In our dataset, high-interaction honeypots captured 76.12% of the total attack packets and attracted 70.61% of the unique attacker IPs. In comparison, low-interaction honeypots performed a lot worse in collecting attack data; they only managed to capture 23.88% of the total attack packets and attracted 29.39% of the unique attacker IPs. In this paper, we present an experiment that evaluated and compared the effectiveness of high-interaction and low-interaction honeypots in terms of the amount and the type of information collected from attacks targeting them. It follows from our findings that it would be wiser to either concentrate solely on using high-interaction honeypots, or to increase the effectiveness of low-interaction ones by automatically changing each static value during deployment and/or by increasing the mimicking capabilities of low-interaction honeypots.