
2015 International Conference on Advances in Computer Engineering and Applications (ICACEA) IMS Engineering College, Ghaziabad, India

CATCH: Comparison and Analysis of Tools Covering Honeypots

Bharti Nagpal
Asstt Professor, AIACT&R, Geeta Colony, Delhi
bharti_553@yahoo.com

Naresh Chauhan
Professor, CSE Deptt, YMCAUST, Faridabad, Haryana
nareshchauhan19@yahoo.com

Nanhay Singh
Associate Professor, AIACT&R
nsingh1973@gmail.com

Pratima Sharma
Student, CSE Deptt, AIACT&R
pratima.sharma1491@gmail.com

Abstract—Honeypots are security resources used to catch malicious activity so that it can be analysed and monitored. Over the past few years they have come to be regarded as a safeguard for an organization's assets. They are used to gather information about intruders in a network. This paper gives an introduction to honeypots and their classification, a detailed study of commercial and open source honeypot tools, and a comparison between them. It may help readers secure their resources from intruders by using freely available honeypot tools.

Keywords – Honeypots, Honeypot tools, Production Honeypots, Research Honeypots.

I. INTRODUCTION

With the growing use of cyberspace and the increasing deployment of distributed systems, most systems and networks are now exposed to rising security risk. Very few administrators would disagree that security has become a top priority for them over the last decade. The corporate sector now has all kinds of tools and solutions for keeping an organisation's network safe from various attacks. In addition, many freely available tools and software packages are evolving as new risks emerge every day.

Most organizations with large networks deploy firewalls and intrusion detection systems (IDS) to protect their resources from unauthorized and intruder activity. An IDS traces attackers' activities in order to identify unauthorized activity, but it sometimes fails to identify new methods, viruses and worms used by attackers because of the complex encryption used. Security experts therefore began looking for new solutions: they wanted to attract attackers to a decoy server and track their activities. This resulted in honeypot technology.

A honeypot is a decoy server or real system that sits inside the network, is exposed to the internet, and simulates services such as HTTP, FTP, SSH, SMTP and many others. The idea is to present the system to attackers so that they attack, probe and compromise it. The honeypot also logs the methods, packets and activity the attacker uses against the system.

Because the idea was introduced only a few years ago, very few commercial and free tools are available on the market. Open source products include BOF, Deception Toolkit and Honeyd. In this paper we discuss honeypot technology along with its classification, and we give a comparative study of various open source and commercial honeypot tools.

II. TYPES OF HONEYPOTS

Honeypots are classified by their implementation environment and by their level of interaction. These criteria make it easier to understand how honeypots operate and what they are used for when planning to deploy one inside a network or IT infrastructure. The level-of-interaction classification divides honeypot software according to whether it interacts with a real system on the network or works on a simulated version of a real computer system. The implementation classification describes whether the honeypot software is used for production or for research purposes.

Table I compares the different types of honeypots on the basis of risk level, maintenance and configuration, installation, tools deployed, implementation and information collection.

978-1-4673-6911-4/15/$31.00©2015 IEEE


TABLE I. COMPARISON BETWEEN TYPES OF HONEYPOTS

Low, medium and high interaction honeypots are classified on the basis of level of interaction; production and research honeypots are classified on the basis of implementation environment.

| Terms | Low interaction honeypots | Medium interaction honeypots | High interaction honeypots | Production honeypots | Research honeypots |
|---|---|---|---|---|---|
| Definition | Low interaction honeypots provide an emulated or simulated environment to attackers. | Medium interaction honeypots are more advanced than low interaction honeypots, but less advanced than high interaction honeypots. | High interaction honeypots provide real operating system services to the attackers. | Production honeypots provide simulated services and an operating system to work with. | Research honeypots provide real services in order to gather a large amount of information about the attackers. |
| Installation and configuration effort | Easy to install and configure. | More complex than a low interaction honeypot but easier than a high interaction honeypot. | Very difficult to install and configure. | Installation and configuration depend upon the organization. | Difficult to install and configure. |
| Implementation and maintenance | Very easy to implement and maintain because of simple functionality and design. | Involves medium implementation and maintenance effort. | Requires a complex method for implementation and maintenance. | Requires a medium-level process for implementation and maintenance. | Very difficult to deploy. |
| Collection of information | Limited collection of information | Medium information gathering | Extensive collection of information | Medium collection of information | Huge collection of attackers' details |
| Risk level | Very little risk, because only simulated services are provided to attackers. | Involves risk because it combines low and high interaction honeypots. | Very high risk of revealing important information to the attacker, because it provides real services and an operating system to the attackers. | High risk of losing organization resources to the attackers. | Less risk, because it is designed for research purposes. |
| Tools deployed | BackOfficer Friendly, Honeyd, KFsensor | Specter | Mantrap, honeynets | NetBait | Bigeye |

III. HONEYPOT TOOLS

Fig. 1 Types of Honeypot Tools. [Figure: tree dividing honeypot tools into commercial honeypot tools (NetBait, Mantrap, Specter, KFsensor) and open source honeypot tools (Back Officer Friendly, Bait n Switch, Labrea Tarpit, Honeyd, Deception Toolkit).]

A. Commercial honeypot tools

Netbait: A tool for securing an organization's network, based on honeypot technology. Netbait lures attackers by displaying false information on the system and traps them by identifying the new methods or approaches they use to compromise the system. It can therefore be used as a production honeypot for securing company resources or as a research honeypot for identifying new attack methods.

Mantrap: A high interaction honeypot designed by Recourse Technologies. Mantrap uses the cage concept to trap attackers: it creates multiple virtual cages from a fully functional operating system, from which the attacker is unable to exit and attack the host system. This provides a flexible and robust solution for securing the real environment.

Specter: An intrusion detection system. It emulates a vulnerable system, giving attackers a target that baits them away from production computer systems. It offers services such as FTP, SMTP, POP3, HTTP and TELNET as traps, and it logs the attackers' activity without their knowing that they are communicating with a decoy system. It logs all attacker activity and notifies the administrator.

KFsensor: A honeypot-based intrusion detection system designed specifically for Windows-based operating systems. It has many innovative and unique features, such as remote management, a signature-based engine and monitoring of multiple ports using banner technology.

B. Open source honeypot tools

Back Officer Friendly: A simple, freely available honeypot tool that is easy to install and configure and requires little maintenance. It supports seven services, such as TCP, HTTP and Back Orifice. It runs on any Windows machine, including Windows 98 and Windows 95.

Bait and Switch: An easily available honeypot tool designed to lure attackers in order to identify the most commonly used methods for compromising the system. It is available in multiple versions, and each version incorporates new features.

Labrea Tarpit: Acts as a decoy system in the network that logs the attacker's activity and notifies the security expert about it. It is a low interaction honeypot that works on an emulated operating system to lure intruders.

Honeyd: A honeypot tool developed by Niels Provos of the University of Michigan. It is a freely available, low interaction honeypot designed to work in a simulated environment and to record details about the attacker, such as the attacker's IP address, the tool used, the port attacked and the attack method.

Deception Toolkit: The Deception Toolkit (DTK) was invented by Fred Cohen. DTK can simulate a wide variety of services on a system and can masquerade as several different hosts as well, giving it the capabilities of a honeynet.
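
The low interaction model described above for Honeyd (an emulated service that records the attacker's IP address, the port contacted and what was sent) can be sketched in Python as follows. This is an added example, not code from the paper or from any of the tools it surveys; the banner text, class names and log field names are assumptions made for illustration.

```python
import json
import socketserver
import threading
import time

# Constructed banner; a real decoy would imitate the service it stands in for.
FAKE_BANNER = b"220 ftp.example.internal FTP server ready\r\n"

class DecoyHandler(socketserver.BaseRequestHandler):
    """Sends a fixed banner and records the first request; nothing is executed."""

    def handle(self):
        self.request.settimeout(self.server.read_timeout)
        data = b""
        try:
            self.request.sendall(FAKE_BANNER)
            data = self.request.recv(1024)      # capture only the first request
        except OSError:
            pass                                # timeouts and resets still count as a contact
        self.server.record({
            "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "payload": data.decode("latin-1"),  # lossless for arbitrary bytes
        })

class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, read_timeout=2.0):
        super().__init__(addr, DecoyHandler)
        self.read_timeout = read_timeout
        self.events = []                        # in-memory copy of the log
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self.events.append(event)
        print(json.dumps(event), flush=True)    # one JSON line per contact

def start_decoy(host="127.0.0.1", port=0):
    """Start the decoy in a background thread; port 0 picks a free port."""
    server = DecoyServer((host, port))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Because the handler only sends a fixed banner and stores what it receives, nothing the client sends is interpreted; the cost is that only the first request of each connection is captured.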

TABLE II. COMPARISON ANALYSIS OF HONEYPOT TOOLS

| Tools | Types of Honeypots | Services Supported | Log File Support | Platform Support | Notification Capability |
|---|---|---|---|---|---|
| Netbait | Production honeypots and research honeypots | TCP or UDP | Yes, it logs all the activities of the attackers. | Macintosh, Linux and Windows operating systems | Uses logging as well as an alerting mechanism |
| Mantrap | High interaction honeypots | Uses the cage services, which create mirror copies of the master OS | Yes | Runs on a virtual system | Provides stealth monitoring with outstanding notification capability |
| Specter | Medium interaction honeypots | FTP, SMTP, POP3, HTTP and TELNET | Yes | Windows XP | Outstanding notification capability |
| KFsensor | Low interaction honeypots | Testing for open proxy servers; Dameware, MyDoom and Blaster worm detection | Yes | Windows-based operating systems | Uses logging as well as an alerting mechanism |
| BackOfficer Friendly | Low interaction honeypots | Supports HTTP, FTP, telnet or mail, 7 services in total | No, it does not log the methods used by the attackers; rather, it responds instantly. | Runs on any Windows version, including Windows 95 and Windows 98 | No remote logging, alerting or configuring personality |
| Bait n Switch | Production honeypots | Monitors network activities | Yes | Runs on the Linux operating system | Uses logging as well as an alerting mechanism |
| Labrea Tarpit | Low interaction honeypots | Stops automated attacks by scanning the network for unused IP addresses, capturing them and marking them as spam | Yes | Runs on the Ubuntu operating system | Uses logging as well as an alerting mechanism |
| Honeyd | Low interaction honeypots | Immunization from worms and spam | Yes | Windows and Linux operating systems | No built-in mechanism for alerting |
| Deception Toolkit | High interaction honeypots | DTK uses the TCP wrapper service to block unusual traffic on active ports | Yes | Runs on Linux and Windows-based operating systems | Uses logging as well as an alerting mechanism |


IV. CONCLUSION

Honeypot tools are used for attracting and trapping attackers, storing information and raising alerts when attackers interact with them. The attackers' approaches provide useful data for analysing their ways of attacking, techniques and methods. Since honeypots only store and archive the information and packets used by attackers, they do not add to the load on existing network bandwidth. However, honeypots do have their disadvantages. Because they only track and store approaches that communicate with them directly, they cannot identify attacks against other computers in the network. Furthermore, the honeypot installation and configuration process requires considerable planning and may introduce more threats to an existing network. The presence of honeypot tools in the network also increases the risk of loss of resources due to the attackers' interaction with the system. This is perhaps the most controversial disadvantage of honeypots. As a whole, honeypot tools provide better security when used along with an intrusion detection system.