Authors: Pavol Sokol, Maroš Andrejko
Abstract
Honeypots and honeynets are common tools for network security and network forensics. The deployment and usage of these tools is affected by a number of technical and legal issues. It is very important to consider both kinds of issues together. Therefore, this paper outlines the technical aspects of honeynets and discusses the liability of honeypot and honeynet administrators. The paper deals with civil and criminal liability. It also focuses on cybercrime and the liability of attackers.
Introduction
Due to the rapid growth of information and message transfer, network security has become an increasingly important part of modern society. Traditional security tools, methods and techniques applied in protection are becoming increasingly ineffective. This is because hacker communities are several steps ahead of security mechanisms (firewalls, sandboxes, etc.). Therefore, it is necessary to collect and investigate as much information as possible about these communities.
From this point of view, a honeypot seems to be a very useful tool [1]. It can be defined as “a system that has been deployed on a network for the purpose of logging and studying attacks on itself” [2]. The most widespread classification of honeypots is based on the level of interaction: there are low-level interaction and high-level interaction honeypots. On the one hand, low-level interaction honeypots emulate the characteristics of network services or of a particular operating system. On the other hand, a complete operating system with all services can be used to get more accurate information about attacks and attackers. This type of honeypot is called a high-level interaction honeypot.
The concept of the honeypot is extended by a special kind of high-level interaction honeypot, the honeynet. It is a highly controlled network of honeypots [3]. The honeynet can also be referred to as “a virtual environment, consisting of multiple honeypots, designed to deceive an intruder into thinking that he or she has located a network of computing devices of targeting value” [4]. The honeynet is composed of four core elements [2, 4, 5]:
Data control – the purpose of this element is to control the attackers’ activities,
Data capture – this element monitors and logs all of the attackers’ activities,
Data collection – the purpose of this element is to capture and collect all information from multiple honeynets,
Data analysis – the purpose of this element is to analyse, understand and track the attacks and their activities.