Honeytrap Forensic Tools in Network Forensic Analysis



Network infrastructure is constantly under threat, and it is the role of the network administrator to ensure that the system is protected from threats and vulnerabilities. Honeytraps, which comprise honeypots and honeynets, have been proposed as effective tools for network forensics because they capture attack data and allow it to be analyzed so that attacks and intrusions can be identified. Even so, administrators face a significant number of challenges when implementing honeynets. This paper presents those challenges and shows how they can negatively impact both network security and forensic efforts.

These challenges can turn the honeytrap into a liability for the network, either by exposing it to compromise or by making the owners incur costs without any return. Overcoming them is therefore paramount if honeytraps are to be beneficial. Once the challenges are addressed, the honeytrap can be put to better use, which in turn improves the security of the network: effective network forensics can be carried out, security threats can be identified and traced, and vulnerabilities in the network can be found. With this in mind, the paper goes on to show how the challenges may be overcome so as to enhance the advantages that honeytraps offer administrators.


As the value of networks has increased over the years, the likelihood of their being attacked by hackers has also risen significantly. Considering the importance of computer networks to organizations and individuals alike, and the significant risk that compromised networks pose, it is imperative that attackers be identified and stopped by the network administrator. In addition, countermeasures must be developed that enable the detection and prevention of attacks and, where possible, legal action against the perpetrators. A major prerequisite to protecting a system is gathering information on vulnerabilities and gaining insight into the strategies employed by attackers.

Presenting prospective attackers with honeynets, apparently easy targets that are in fact traps, is one of the tools being used to covertly monitor intruders. Even so, honeynets present a number of challenges to the network administrator. This paper discusses the various challenges involved in using honeytrap forensic tools in network forensic analysis. It then offers solutions to these challenges so as to demonstrate that honeynets are an effective means of identifying attackers, system vulnerabilities and attack strategies, thereby providing a basis for improved security as well as for catching attackers.

Honeypots and Honeynets: a Brief Introduction

While there is no single agreed definition of the term honeypot, the most commonly used one is provided by Lance Spitzner (2007): “a security resource whose value lies in being probed, attacked or compromised”. A honeypot is thus a device exposed on a network with the aim of attracting unauthorized traffic. A honeynet is a network of honeypots placed behind a firewall (or gateway) that controls all traffic into and out of that network. Once an intruder compromises a honeynet, the system collects data on the attack; from this the administrator can study the techniques used to perpetrate the attack as well as the tools used for the intrusion. The system may also provide the means to trace the traffic back to the intruder’s computer.

The value of the honeypot lies in its being “compromised” by a hacker, so the honeypot must look as authentic to the hacker as a real system would. A honeynet is therefore made up of a standard production system and a number of computers, just like the intranet a real organization would have. To save on resources, the administrator may use virtualization software such as VMware to run several virtual machines on one physical system (Krasser, Grizzard & Owen, 2005).

Honeypots can be categorized into two broad groups: production honeypots and research honeypots. The difference between the two springs from the role that the honeypot plays in a system. Production honeypots are used to avert risk to organizational resources by presenting a kind of “red herring” for intruders to compromise (Karthik et al., 2005). Research honeypots, on the other hand, are meant to gather as much information about attackers as possible. Production honeypots help mitigate the risk that organizations face and provide evidence of malicious attempts that may be used in a court of law. Research honeypots are excellent tools for validating an organization’s security set-up, since potential threats and risks are assessed to enable administrators to make the best security decisions.

Challenges Involved in Using Honeytraps

Attackers mostly target a few particular ports on a network. Even so, Pouget and Dacier (2005) show that the volume of traffic data accumulated from these attacks is large. The administrator is required to sift through huge volumes of data in the honeypot logs, most of which is repetitive, and this results in work overload. In addition, intrusion detection systems are triggered unnecessarily by the frequent, well-known attacks, creating ambient noise in the log files that distracts the administrator from new or rare phenomena that might warrant special attention.

For honeypots to be effective in their primary objective, which is to lure hackers into perpetrating attacks, they must look and feel as authentic as a real system would. To achieve this, administrators tie the honeypots closely to a real host operating system. Such authenticity can be achieved with high-interaction (high-involvement) honeypots, which make an entire OS, along with its installed services, accessible to the intruder. This unrestricted access allows more data to be captured and subsequently analyzed. However, this close coupling creates a real danger of the attacker breaking out of the virtual environment and into the host operating system.

If that were to happen, the attacker who was purposely lured into the network would have access to data and resources that are vital to the organization and could compromise the entire system, leading to losses. This violates the basic principle that honeypots should be implemented such that, once compromised, they cannot be used to attack a real system (Pouget, Dacier & Debar, 2003).

Honeypots intercept a great deal of data from the intruder. To track the intruder’s activities, this data must be analyzed, and conclusive forensics would require a person to go through enormous amounts of it. Erbacher notes that some organizations process huge amounts of data requiring forensic analysis and that current analysis capabilities “are completely lacking in their ability to analyze such large volumes of data” (Erbacher et al., 2006, p.3). As such, security personnel have to decide which data merits their attention, since they cannot go through all of it.

In some instances, intruders use encrypted connections to carry out their attacks. Baumann and Plattner (2002) affirm that the effectiveness of honeypots is greatly diminished when attacks are carried out over encrypted connections. While the administrator will be able to see the logins and even capture the unauthorized traffic, it is at times impossible to decipher the contents of the attacker’s packets.

The administrator is therefore unable to analyze the data from the hacker. This inability to read the attacker’s packets may allow the attacker to carry out actions such as taking over the entire system without the administrator realizing it. Loss of control over the honeypot by the administrator renders it of little benefit, since its main purpose is to capture unauthorized activity.

Network forensics is concerned with “the collection and analysis of data from computer systems, networks, communication streams and storage media in a manner admissible in a court of law” (Kessler, 2007). The network forensic investigation begins with the evidence obtained from the honeytrap. Yasinsac and Manzano (2002, p.6) assert that the goal of the investigation is to “produce a damage report and a signature for the blackhat”. This process is greatly hampered when only a partial signature is obtained, which can happen especially when a production honeypot with limited capabilities is employed.


As has been noted, administrators are often overwhelmed by alerts from many security systems and may lack the capacity to go through the data obtained from honeynets. Pouget and Dacier (2005) suggest that tool fingerprinting can be used to identify the specific tool being used by an intruder. Tool fingerprinting is based on the premise that each cluster of attacks can be associated with a specific attack tool.

By identifying the signatures of frequently used attack tools, the administrator can filter out these well-known attacks and turn attention to rare and unusual ones. Fingerprints can be extended with scripts that help determine whether an attack is automated or manual (Vallis & Al-Lawati, 2010). Such information is very important to an administrator, since it can help determine which vulnerabilities malware is targeting.

To counter the problem of having too much traffic in the honeypot logs, the root cause, that is, the most basic cause of the attack, can be identified. This root cause can then be related to a specific attack tool, and all the data arising from it clustered into one group through the Root Cause Analysis approach (Pouget & Dacier, 2005). Using this approach, attacks sharing a root cause are grouped into clusters and, as a consequence, the number of alerts issued by the intrusion detection system is reduced significantly. The administrator can therefore react to new threats that need attention instead of being bogged down by repeated alerts from a single source.
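The fingerprinting and root-cause clustering described in the two passages above can be shown on a small log. The following is an added example, not code from the paper or from Pouget and Dacier's own tooling: it groups attack sessions by a fingerprint of what the tool did (the ordered ports probed plus the first bytes of payload), so that repeated well-known attacks collapse into one line each while rare sessions stand out. The `Session` records are constructed for the example, and the fingerprint definition and the `min_size` threshold are assumptions.

```python
"""Cluster honeypot attack sessions by tool fingerprint.

Added example (not the paper's code): approximates root-cause clustering by
grouping sessions whose port sequence and payload prefix match.  The sample
log below is constructed; the fingerprint definition is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Fingerprint = Tuple[Tuple[int, ...], str]


@dataclass(frozen=True)
class Session:
    src_ip: str
    ports: Tuple[int, ...]   # ports probed by this source, in order
    payload_prefix: str      # first bytes sent on the final port (hex or ASCII)


# Constructed sample: three identical SMB probes, two DCE/RPC probes followed
# by a connect-back port, and one hand-driven web scan.
SAMPLE_LOG: List[Session] = [
    Session("203.0.113.5",  (445,), "00000085ff534d42"),
    Session("203.0.113.9",  (445,), "00000085ff534d42"),
    Session("203.0.113.77", (445,), "00000085ff534d42"),
    Session("198.51.100.4", (135, 4444), "05000b03"),
    Session("198.51.100.8", (135, 4444), "05000b03"),
    Session("192.0.2.13",   (22, 80, 443, 8080), "GET / HTTP/1.0"),
]


def fingerprint(s: Session) -> Fingerprint:
    """The root cause is approximated by what the tool does, not who runs it."""
    return (s.ports, s.payload_prefix)


def cluster_sessions(log: List[Session]) -> Dict[Fingerprint, List[str]]:
    """One cluster per fingerprint, holding the sources that produced it."""
    clusters: Dict[Fingerprint, List[str]] = defaultdict(list)
    for s in log:
        clusters[fingerprint(s)].append(s.src_ip)
    return dict(clusters)


def rare_clusters(clusters: Dict[Fingerprint, List[str]],
                  min_size: int = 2) -> Dict[Fingerprint, List[str]]:
    """Clusters smaller than min_size are the new or rare events worth a look."""
    return {fp: ips for fp, ips in clusters.items() if len(ips) < min_size}


def alert_reduction(log: List[Session]) -> Tuple[int, int]:
    """(raw alerts, alerts after clustering): one per session vs one per cluster."""
    return len(log), len(cluster_sessions(log))


def report(log: List[Session]) -> List[str]:
    """Human-readable summary, largest clusters first."""
    lines = []
    for fp, ips in sorted(cluster_sessions(log).items(), key=lambda kv: -len(kv[1])):
        ports = ",".join(map(str, fp[0]))
        lines.append(f"{len(ips):3d} sessions  ports={ports:<16} "
                     f"payload={fp[1]!r}  sources={sorted(ips)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("rare:", list(rare_clusters(cluster_sessions(SAMPLE_LOG))))
```

On the sample log, six raw alerts become three clusters, and only the four-port web scan falls below the size threshold and is flagged for manual review; the same logic applied to a real honeypot log is what lets the administrator extract the known tools and look only at what is left.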

SweetBait, an automated signature generator, can be used to collect signatures from multiple sources and process them so as to detect any similarities they contain (Portokalidis et al., 2006). The density of alerts generated by the intrusion detection system is then used to determine which attacks to monitor more closely. The administrator can therefore take a more focused approach to analyzing the data provided by honeypots.

A compromised honeypot can also be used as a platform for a DoS attack on third parties, with legal consequences for the honeypot owner. An attacker can do this because a honeypot on its own has no ability to limit outgoing traffic. This problem can be solved by placing a firewall in front of the honeypot and imposing rules on how much traffic is allowed to flow out of that system.

With such measures in place, the risk of a hacker using the honeypot as a platform for a DoS attack is greatly decreased. In addition, one can use commercially available hardware to enhance the “realness” of the honeypot without compromising the real system. Commercial hardware such as “Smoke Detector” mimics vulnerable elements on a network so as to attract and detect inappropriate activity without compromising the real system (Pouget, Dacier & Debar, 2003).

To avoid the risk of an intruder breaking out of the honeypot and wreaking havoc on the real system, a low-involvement honeypot (also referred to as a low-interaction honeypot) can be used. Such a system only emulates systems and the services running on them, and does not provide a real OS for the attacker to operate in (Carter, 2004). This greatly decreases the range of operations an intruder can perform while still enabling the administrator to obtain useful information about the intruder. The data obtainable from low-interaction honeypots includes the date and time of the attack and the IP address of the attacker; the attack pattern of the intruder can also be revealed.
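A minimal low-interaction honeypot of the kind just described, as an added example rather than code from the paper or from any honeypot product: it answers connections with a fixed service banner, records the time, source address and the client's identification string, and never hands the client a shell or executes anything it sends. The banner string, the field names in the log record and the two-second timeout are assumptions; the `probe` function is a constructed attacker side so the exchange can be run locally.

```python
"""Minimal low-interaction honeypot: emulates an SSH banner exchange and logs
the attacker's timestamp, address and client banner without exposing a real
OS.  Added example; banner, timeout and record fields are assumptions.
"""
import socket
import threading
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed banner for the emulated service; the emulator never performs a real
# SSH key exchange, so there is no real OS for an intruder to break out of.
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
MAX_READ = 256           # read at most this much of the client's first message
TIMEOUT_SECONDS = 2.0


def handle_session(src_ip: str, src_port: int, data: bytes,
                   now: Optional[datetime] = None) -> Dict:
    """Build the forensic record for one connection: time, source and the
    client's identification line (the attack pattern visible at this depth)."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    client_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return {
        "time": stamp,
        "src_ip": src_ip,
        "src_port": src_port,
        "client_banner": client_line[:64],
        "bytes_received": len(data),
    }


class LowInteractionHoneypot:
    """Listens on one TCP port, answers with a fixed banner, records the reply."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0) -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))        # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.records: List[Dict] = []

    def serve_one(self) -> Dict:
        """Accept a single connection and log it; nothing the client sends is run."""
        conn, (ip, port) = self.sock.accept()
        with conn:
            conn.settimeout(TIMEOUT_SECONDS)
            conn.sendall(BANNER)
            try:
                data = conn.recv(MAX_READ)
            except socket.timeout:
                data = b""
        record = handle_session(ip, port, data)
        self.records.append(record)
        return record

    def close(self) -> None:
        self.sock.close()


def probe(port: int, client_banner: bytes = b"SSH-2.0-libssh2_1.4.3\r\n") -> bytes:
    """Constructed attacker side: connect, read the server banner, send our own."""
    with socket.create_connection(("127.0.0.1", port), timeout=TIMEOUT_SECONDS) as c:
        server_banner = c.recv(64)
        c.sendall(client_banner)
    return server_banner


def demo() -> Tuple[bytes, Dict]:
    """Run one scripted session against the emulator on the loopback interface."""
    hp = LowInteractionHoneypot()
    worker = threading.Thread(target=hp.serve_one)
    worker.start()
    try:
        banner = probe(hp.port)
        worker.join(timeout=5)
    finally:
        hp.close()
    return banner, hp.records[0]


if __name__ == "__main__":
    seen, rec = demo()
    print("server sent:", seen)
    print("logged:", rec)
```

The record holds exactly what the paragraph lists as obtainable at this depth: when the attack occurred, where it came from and what the client announced itself as. A real deployment would bind to the external interface and loop on `serve_one`, but the safety property is the same: the only code path an attacker reaches is a banner write and a bounded read.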

Most of the challenges associated with honeynets arise from the administrator losing control of the data. Loss of control gives the intruder the ability to launch attacks on non-honeynet resources. GenII data-control honeynets can be used to overcome this significant setback. GenII gives the administrator more control over the data flowing through the honeynet, so action can be taken to stop the intruder from compromising other systems.

To begin with, GenII systems centralize data capture and control by combining all the requirements onto one gateway device. GenII also allows packets to be modified as they travel through the gateway (Meghanathan et al., 2009). In the event that an attacker has taken over a honeypot and attempts to launch an attack on non-honeynet systems, the administrator can modify the attack traffic so as to render it ineffective.
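The outbound-limiting firewall rules proposed against the DoS problem above and the GenII data control described in the last two paragraphs amount to the same decision: let every inbound connection reach the honeypots, but cap how many connections a honeypot may open outwards in a given period. The following is an added example of that decision logic, not code from the paper or from the Honeynet Project's gateway scripts. It runs the policy over a constructed gateway flow log so it can be executed offline; the per-hour limits, the one-hour window and the honeynet address range are assumptions. On a real gateway the same policy is enforced in the firewall rules rather than in a script.

```python
"""Honeynet data control: count outbound connections per honeypot and protocol
in a sliding window and drop those beyond a limit, so a compromised honeypot
cannot be turned into a DoS source.  Added example; limits, window and address
range are assumptions and the flow log is constructed.
"""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Assumed per-window outbound connection limits per honeypot and protocol.
LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW_SECONDS = 3600
HONEYNET = [ipaddress.ip_network("10.0.0.0/24")]   # assumed honeypot addresses


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds of the first packet
    src: str
    dst: str
    proto: str


class DataControl:
    """Gateway-side policy: inbound always passes, outbound is rate-limited."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS, honeynet=HONEYNET):
        self.limits = limits
        self.window = window
        self.honeynet = honeynet
        self.seen: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
        self.dropped: List[Flow] = []

    def _from_honeypot(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.honeynet)

    def decide(self, f: Flow) -> str:
        """Return 'inbound', 'allow' or 'drop' for one new connection."""
        if not self._from_honeypot(f.src):
            return "inbound"                 # we want the attacker to get in
        proto = f.proto if f.proto in self.limits else "other"
        history = self.seen[(f.src, proto)]
        while history and history[0] <= f.ts - self.window:
            history.popleft()                # forget connections outside the window
        if len(history) >= self.limits[proto]:
            self.dropped.append(f)           # would have been an attack on a third party
            return "drop"
        history.append(f.ts)
        return "allow"


def build_sample_flows() -> List[Flow]:
    """Constructed gateway log: one inbound attack, then the compromised honeypot
    10.0.0.5 opening 20 outbound TCP connections in 20 seconds, then one more
    connection an hour later."""
    flows = [Flow(0, "203.0.113.5", "10.0.0.5", "tcp")]
    flows += [Flow(60 + i, "10.0.0.5", f"198.51.100.{i + 1}", "tcp") for i in range(20)]
    flows.append(Flow(60 + 20 + WINDOW_SECONDS, "10.0.0.5", "198.51.100.200", "tcp"))
    return flows


def run(flows: List[Flow]) -> List[str]:
    """Apply the policy to a flow log and return the per-flow decisions."""
    dc = DataControl()
    return [dc.decide(f) for f in flows]


if __name__ == "__main__":
    flows = build_sample_flows()
    for f, d in zip(flows, run(flows)):
        print(f"{f.ts:5d} {f.src:>12} -> {f.dst:<15} {f.proto}  {d}")
```

With the assumed limit of 15 TCP connections per hour, the first 15 outbound connections from the compromised honeypot pass (so the intruder still sees a working network and the administrator keeps collecting data), the remaining five are dropped, and the connection an hour later is allowed again once the window has moved on.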

Discussion and Conclusion

There are a number of problems that can be faced when using honeypots for network forensics. The GenII tools are especially effective since they allow the administrator to defuse any attacks launched from the honeynet without arousing the suspicion of the attacker. This allows the administrator to continue gathering information from the attacker that may be used for forensic purposes. The use of fingerprinting is also very versatile, since it gives the administrator a means of isolating new attacks and analyzing them rather than having to analyze many similar attacks.

Owing to the critical nature of networks in today’s society, the security of network infrastructure is of great importance. Preventive and detective measures should therefore be employed to improve security. This paper set out to discuss one of the forensic tools that can be used to enhance security: honeynets. It has been demonstrated that honeypots can be used to identify attackers and even to take legal action against them. These tools can also be used to identify vulnerabilities in a system, giving the administrator the chance to take protective measures.

While honeynets are a potent weapon that IT security personnel can use to protect a system from attacks, this paper has demonstrated that they present a number of challenges. Failing to deal with these challenges may compromise the system further and result in legal charges against the owners of the honeynet. Using honeypots as a forensic tool for gathering evidence for court should be done in a manner that does not infringe on the rights of the individual, so that the evidence is admissible. The intruder should also be made aware that data may be monitored, so as to legitimize the information obtained from honeynet logs. By doing this, the benefits that honeytraps bring can be fully reaped, leading to an even more secure network.


Baumann, R. & Plattner, C. (2002). “White Paper: Honeypots”. Mega Security Research.

Carter, W. L. (2004). “Setting up a Honeypot Using a Bait and Switch Router”. SANS White Papers.

Erbacher, R. F., Christiansen, K. & Sundberg, A. (2006). “Visual Network Forensic Techniques and Processes”. Department of Computer Science, Utah State University, Logan.

Karthik, S., Samudrala, B. & Yang, A. T. (2005). “Design of Network Security Projects Using Honeypots”. Journal of Computing Sciences in Colleges, 20(4).

Kessler, G. (2007). “Online Education in Computer and Digital Forensics”. Proceedings of the 40th Hawaii International Conference on System Sciences.

Krasser, S., Grizzard, B. J. & Owen, H. L. (2005). “The Use of Honeynets to Increase Computer Network Security and User Awareness”. Haworth Press.

Meghanathan, N., Allam, S. R. & Moore, A. L. (2009). “Tools and Techniques for Network Forensics”. International Journal of Network Security & Its Applications (IJNSA), 1(1).

Portokalidis, G., Slowinska, A. & Bos, H. (2006). “Argos: an Emulator for Fingerprinting Zero-Day Attacks”. Eurosys. 1081.

Pouget, F., Dacier, M. & Debar, H. (2003). “Honeypot: a Comparative Survey”. Eurecom Report RR-03-81.

Pouget, F. & Dacier, M. (2005). “Honeypot-based Forensics”. Institut Eurécom 2229.

Spitzner, L. (2007). “The Honeynet Project: Trapping the Hackers”. IEEE Security & Privacy, 1(2), 15-23.

Vallis, C. & Al-Lawati, M. (2010). “Developing Robust VoIP Router Honeypots Using Device Fingerprints”. Security Research Center Conferences.

Yasinsac, A. & Manzano, Y. (2002). “Honeytraps, A Network Forensic Tool”. Security & Privacy, 6(2).