Network-based high-interaction honeypots

Supervisor(s)Maximilian Hils, MSc


Honeypots are security devices whose value lie in being probed and compromised. While low-interaction honeypots only emulate a very limited subset of a system (e.g. a SSH honeypot that only logs authentication attempts, but never allows further interaction), high-interaction honeypots are usually full-fledged vulnerable systems that are monitored for intrusions.

High-interaction honeypots have traditionally been monitored by installing monitoring rootkits or modified SSH daemons on the device, or by virtual machine introspection. The goal of this thesis is to assess the practical viability of a network-based monitoring approach instead. In this setting, the honeypot is left untouched and all communication with the outside world is transparently intercepted.

The focus of this thesis is open and could be on the development of man-in-the-middle attacks for popular protocols, the implementation and evaluation of honeypot containment strategies, the practical roll-out of high-interaction honeypots, or data analysis on the recorded intrusions.


  • Seifert, C., Welch, I., and Komisarczuk, P. Taxonomy of Honeypots. Victoria University of Wellington, 2006.
  • Nicholson, T. HonSSH. 2017. https://github.com/tnich/honssh.
  • Oosterhof, M. Cowrie Honeypot. 2016. https://github.com/micheloosterhof/cowrie.
  • InfoSecurity, M.R.W. High Interaction Honeypots with Sysdig and Falco. 2017. https://labs.mwrinfosecurity.com/blog/high-interaction-honeypots-with-sysdig-and-falco/.