{"id":6066,"date":"2025-09-10T12:39:31","date_gmt":"2025-09-10T10:39:31","guid":{"rendered":"https:\/\/cyberawareness.sk\/?p=6066"},"modified":"2026-03-27T12:29:46","modified_gmt":"2026-03-27T11:29:46","slug":"data-collection-and-data-analysis-in-honeypots-and-honeynets","status":"publish","type":"post","link":"https:\/\/cyberawareness.sk\/en\/2025\/09\/10\/data-collection-and-data-analysis-in-honeypots-and-honeynets\/","title":{"rendered":"Data Collection and Data Analysis in Honeypots and Honeynets"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"6066\" class=\"elementor elementor-6066\">\n\t\t\t\t<div class=\"elementor-element elementor-element-fa18013 e-flex e-con-boxed e-con e-parent\" data-id=\"fa18013\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t<div class=\"elementor-element elementor-element-9f6d137 e-con-full e-flex e-con e-child\" data-id=\"9f6d137\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-ad5fbe9 elementor-widget elementor-widget-ucaddon_square_icon_box\" data-id=\"ad5fbe9\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"ucaddon_square_icon_box.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\n<!-- start Icon Box -->\n\t\t<link id='font-awesome-css' href='https:\/\/cyberawareness.sk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-all.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='font-awesome-4-shim-css' href='https:\/\/cyberawareness.sk\/wp-content\/plugins\/unlimited-elements-for-elementor\/assets_libraries\/font-awesome6\/fontawesome-v4-shims.min.css' type='text\/css' rel='stylesheet' >\n\t\t<link id='uc_ac_assets_file_blox_boxed_small_square_icon_box_css_0-css' 
href='https:\/\/cyberawareness.sk\/wp-content\/uploads\/ac_assets\/blox-boxed-small-square-icon-box\/blox-boxed-small-square-icon-box.css' type='text\/css' rel='stylesheet' >\n\n<style>\/* widget: Icon Box *\/\n\n#uc_square_icon_box_elementor_ad5fbe9 * { \n\tbox-sizing: border-box; \n}\n\n#uc_square_icon_box_elementor_ad5fbe9{\n\tfont-family: inherit;\n    transition:0.3s;\n    position:relative;\n}\n\n#uc_square_icon_box_elementor_ad5fbe9 .blox-boxed-small-square-icon-box-icon{\n\t\n\tposition:relative;\n    display:flex;\n    justify-content:center;\n    align-items:center;\n    transform:rotate(0deg);\n    z-index:2;\n}\n#uc_square_icon_box_elementor_ad5fbe9 .ue-icon {\n  display:inline-block;\n}\n#uc_square_icon_box_elementor_ad5fbe9 .blox-boxed-small-square-icon-box-icon > div{\n\t\n\tposition:relative;\n    display:flex;\n    justify-content:center;\n    align-items:center;\n    transform:rotate(-0deg);\n}\n#uc_square_icon_box_elementor_ad5fbe9 .ue-icon-inner{\n    line-height:1em;\n\t} \t\n\n\n#uc_square_icon_box_elementor_ad5fbe9 .ue-icon-inner svg{\n    height:1em;\n    width:1em;\n\t} \t\n\t\n.blox-boxed-small-square-icon-box-heading{\n\tfont-size:21px;\n\t}\n\n\n#uc_square_icon_box_elementor_ad5fbe9:hover\n{\n  position:relative;\n  z-index:1;\n}\n\n\n#uc_square_icon_box_elementor_ad5fbe9 .ue_box_button\n{\n  text-align:center;\n  text-decoration:none;\n  display:inline-block;\n  transition:0.3s;\n}\n\n\n#uc_square_icon_box_elementor_ad5fbe9 span.line\n{\n  display:block;\n  position:absolute;\n  top:0;\n  left:0;\n  width:0px;\n  transition:0.3s;\n}\n\n#uc_square_icon_box_elementor_ad5fbe9:hover span.line\n{\n  width:100%;\n}\n\n#uc_square_icon_box_elementor_ad5fbe9 .ue-title-separator span\n{\n  display:inline-block;\n  transition:0.3s;\n}\n\n\n\n\n\n<\/style>\n\n<div class=\"square_icon_box \" id=\"uc_square_icon_box_elementor_ad5fbe9\">\n  \n  \t\t  \n  \n              <div class=\"ue-icon\">\n       <a style=\"display:inline-block; 
text-decoration:none;\" href=\"https:\/\/scholar.google.com\/citations?view_op=view_citation&amp;#038;hl=sk&amp;#038;user=JXxir4oAAAAJ&amp;#038;cstart=20&amp;#038;pagesize=80&amp;#038;sortby=pubdate&amp;#038;citation_for_view=JXxir4oAAAAJ:kNdYIx-mwKoC\" >         <div class=\"blox-boxed-small-square-icon-box-icon\" style=\"background-color: ;\">\n           <div class=\"ue-icon-inner\"><i class='fas fa-link'><\/i><\/div>\n         <\/div>\n       <\/a>       <\/div>\n         \n  \t\t        <div class=\"blox-boxed-small-square-icon-box-heading\">\n        \tLink to Google Scholar\n        <\/div>\n          \n  \t\t  \n  \n          \n  \t\t        \n          \n  \t\t  \n<\/div>\n<!-- end Icon Box -->\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8e851db elementor-widget elementor-widget-text-editor\" data-id=\"8e851db\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><b>Authors: <\/b>Pavol Sokol, Patrik Pekar\u010d\u00edk, Tom\u00e1\u0161 Bajto\u0161<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-79e945b elementor-widget elementor-widget-heading\" data-id=\"79e945b\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Abstract<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-b77c4c2 elementor-widget elementor-widget-text-editor\" data-id=\"b77c4c2\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Honeypots and honeynets are unconventional security tools to study techniques,<br \/>methods, tools, and goals 
of attackers. Therefore, data analysis is an important part<br \/>of honeypots and honeynets. In this paper, we focus on the analysis of data collected from<br \/>different honeypots and honeynets. We discuss a framework to analyse honeypots\u2019<br \/>and honeynets\u2019 data. Also, we outline a secure way to transfer collected data from<br \/>honeypots to the analysis itself. Finally, we propose a framework for the analysis of<br \/>attacks based on data collected by honeypots and honeynets.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-e5a0a23 elementor-widget elementor-widget-heading\" data-id=\"e5a0a23\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"heading.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<h3 class=\"elementor-heading-title elementor-size-default\">Introduction<\/h3>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-413ae1c elementor-widget elementor-widget-text-editor\" data-id=\"413ae1c\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>The traditional ways of defence (e.g. firewalls, IDS, IPS) are becoming less and less<br \/>effective. This is due to the changing nature of the attackers\u2019 behaviour, methods, and<br \/>tools. Therefore, the attackers are several steps ahead of defensive mechanisms.<br \/>From this perspective, we need to find new approaches to protect information and<br \/>infrastructure of the organizations. One of the effective approaches to protect them<br \/>is the concept of honeypots and honeynets.<br \/>A honeypot is \u201ca computing resource, whose value is in being attacked\u201d [1]. Lance<br \/>Spitzner defines honeypots as \u201can information system resource whose value lies in<br \/>unauthorized or illicit use of that resource\u201d [2]. 
Honeypots are a very useful tool for<br \/>learning about tools, procedures, targets, and methods of attackers.<br \/>For the purpose of this paper, we classify the honeypots according to their level of<br \/>interaction and role. The first classification is based on the role of the honeypot.<br \/>According to this classification, honeypots are divided into server-side honeypots and<br \/>client-side honeypots. Server-side honeypots are useful in detecting new exploits,<br \/>collecting malware, and enriching threat analysis research (e.g. Conpot [3]).<br \/>On the other hand, honeypots for client-side attacks are called client-side honeypots (e.g.<br \/>Thug [4]). The prime motive of client-side honeypots is to identify and detect<br \/>malicious activities across the Internet [5].<br \/>The second classification is based on the level of interaction. The level of<br \/>interaction can be defined as the range of possibilities that a honeypot allows an<br \/>attacker to have. The low-interaction honeypots detect attackers using software<br \/>emulation of characteristics of a particular operating system and network services<br \/>on the host operating system. The advantage of this approach is better control over<br \/>the attacker\u2019s activities, since the attacker is limited to software running on a host operating<br \/>system. On the other hand, the disadvantage of this approach is that the<br \/>low-interaction honeypot emulates a service, or a couple of services, but it does not<br \/>emulate a complete operating system. Examples of this type of honeypot are<br \/>Dionaea [6] and HoneyD [7].<br \/>Honeypots that offer attackers more ability to interact than do the low-interaction<br \/>honeypots, but less functionality than high-interaction solutions, are called<br \/>medium-interaction honeypots. 
They can \u201cexpect certain activity and are designed<br \/>to give certain responses beyond what a low-interaction honeypot would give\u201d [1].<br \/>An example of this type of honeypot is Kippo [8].<br \/>In order to get more information about attackers, their methods and attacks, we use<br \/>a complete operating system with all services. This type of honeypot is called a high-interaction<br \/>honeypot. The main aim of this type of honeypot is to provide the attacker<br \/>access to a real operating system [9]. Examples of this type of honeypot are<br \/>HonSSH [10] and Sebek [11].<br \/>The concept of honeypots is extended by honeynets. A honeynet can be defined as<br \/>\u201ca highly controlled network of honeypots\u201d [12]. At present, a complete honeynet<br \/>running on a single computer in a virtual environment is used [12]. This type of<br \/>honeynet is defined as a virtual honeynet.<br \/>To successfully deploy a honeynet, we must correctly deploy the honeynet<br \/>architecture. There is \u201cno single rule on how one should deploy this architecture\u201d<br \/>[13]. Three core elements define the<br \/>honeynet architecture [2,12]:<br \/>\u2022 Data capture: monitors and logs all activities of the attacker within the<br \/>honeynet.<br \/>\u2022 Data control: controls and contains the activity of<br \/>the attacker.<br \/>\u2022 Data collection: all data are captured and stored in one central location.<br \/>The first two core functions are the most important, and they are applicable to<br \/>every honeynet deployment. The last core function, data collection, is applied<br \/>when an organization has multiple honeynets in distributed<br \/>environments.<br \/>Some authors [14,15] add data analysis to the above-mentioned core elements.<br \/>Data analysis is the ability of a honeynet to analyse the data collected<br \/>from it. 
Data analysis is used for \u201cunderstanding, analysing, and tracking the<br \/>captured probes, attacks or some other malicious activities\u201d [1]. An example of this<br \/>core element is a combination of security devices, such as a firewall (iptables),<br \/>an intrusion prevention system (Cisco IPS) and an intrusion detection system (Snort,<br \/>Suricata), where these security devices can analyse the network traffic in detail, and<br \/>return the result of analysis in a visible way. In this paper we focus on data analysis.<br \/>Deployment and usage of honeypots and honeynets bring many benefits, e.g. the<br \/>possibility of discovering new forms of attacks. On the other hand, usage of<br \/>honeypots and honeynets brings about some problems. The primary motivation for<br \/>this paper is that there are several problems in the field of data<br \/>analysis. There are a lot of implementations of honeypots that collect data. In most<br \/>cases, they use different storage formats, or the collected data differ. Therefore,<br \/>it is difficult to analyse attacks from various types of honeypots. Another<br \/>problem is the secure transfer of the collected data from honeypots<br \/>to the analysis itself.<br \/>To formalize the scope of our work, we state three research questions:<br \/>\u2022 How to securely collect data for further analysis?<br \/>\u2022 How to analyse data from different types of honeypots?<br \/>\u2022 How to analyse an incident according to data collected from honeypots?<br \/>This paper is organized into five sections. Section II focuses on papers<br \/>related to data analysis of honeypots and honeynets. Section III is the main part of<br \/>the paper. It provides a framework for data analysis. In this section, answers to the first<br \/>and the second research question are provided. Section IV outlines an incident<br \/>taxonomy, based on honeypots\u2019 and honeynets\u2019 data. 
In this section, the third<br \/>research question is answered. Section V concludes the paper and contains<br \/>suggestions for future work.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Authors: Pavol Sokol, Patrik Pekar\u010d\u00edk, Tom\u00e1\u0161 Bajto\u0161<\/p>","protected":false},"author":9,"featured_media":5713,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"full-width","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean
_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[15],"tags":[],"class_list":["post-6066","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-clanky","entry","has-media"],"_links":{"self":[{"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/posts\/6066","targetHints":{"allow":["GET"]}}],
"collection":[{"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/comments?post=6066"}],"version-history":[{"count":8,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/posts\/6066\/revisions"}],"predecessor-version":[{"id":8856,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/posts\/6066\/revisions\/8856"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/media\/5713"}],"wp:attachment":[{"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/media?parent=6066"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/categories?post=6066"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cyberawareness.sk\/en\/wp-json\/wp\/v2\/tags?post=6066"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}