How advanced traffic identification complements honeypot networks

Stephan Klokow portrait

by Stephan Klokow
published on: 20.04.2021

Honeypot networks are fake IT systems used to bait cyberattackers, learn from them and consequently improve actual cybersecurity. They consist of IT assets such as applications, APIs or ports that appear to be legitimate. They are also designed with a well-placed vulnerability to attract hackers. Once a hacker is in the network, the honeypot allows for monitoring and analyzing the malicious activity.

Honeypot networks can be monitored over short or longer time spans: In the course of a short-term or low-interaction deployment, the honeypot simply creates vectors of common attacks and gathers basic information on possible cyber threats. For a long-term or high-frequency deployment, the attacker is engaged for several days or weeks, allowing to gather more comprehensive information. However, since the honeypot network is not connected to real assets, the intruders do not cause any damage. The information collected is used for making the actual network unassailable against these and other, similar attacks.

Honeypot networks and honeypots are designed to appear only in advanced weak-point searches or to be detected by threat actors using advanced attack methods. That way, any activity registered by honeypot networks clearly points to malicious intent. Honeypots should not include real traffic or transaction data.

Types of honeypots

More specifically, there are different types of honeypot traps. Some honeypots imitating applications or APIs invite malware or spyware. These are usually deployed in a short term, just as spam honeypots, where an email address is set up to attract spam and phishing requests, which can then be blocked or deflected.

Prominent long-term honeypots are those provided by decoy databases, for example. Routine security tools such as firewalls are sometimes unable to detect intruders using structured query language (SQL) injections against a database. By setting up a database honeypot, it is possible to address SQL vulnerabilities. Some honeypot web clients search for hostile servers proactively, so that actual clients can evade them. Finally, there are honeynets, which are networks of honeypots. These can be used to investigate attacks that occur across a variety of vectors or assets, such as distributed denial-of-service (DDoS) attacks.

DPI for honeypots

Deep packet inspection (DPI) is a mechanism for classifying IP network traffic to smartly complement the offerings of honeypots and, more broadly, deception technologies. It identifies the traffic source, applications and protocols, application attributes (video, calls, chats), speed and latency as well as other traffic specifications for both plain and encrypted communication. Our DPI engine R&S®PACE 2, for example, provides these insights in real time.

Unlimited traffic filtering

Real-time traffic filtering by DPI allows for identifying malicious activity such as continuous page requests (indicating DDoS), unauthorized password resets and login attempts (indicating data theft). R&S®PACE 2 is especially capable of filtering large amounts of data, processing a throughput of 14 Gbps per core and classifying traffic in only a few nanoseconds. Such capacities provide visibility into the great depth of an IT system—from OSI layers 3–7 and beyond—and protect against vulnerabilities. Based on advanced analysis, it also provides other information for honeypot networks, such as the origin, the frequency and the pattern of attacks as well as the targeted assets.

The high accuracy rate of R&S®PACE 2 is key for honeypot networks. It is an important determinant in ascertaining whether traffic in the honeypot network is actually malicious or not. In addition, DPI compares the incoming traffic against a pre-existing library of signatures known to indicate threats, such as malware, spyware, phishing/spam, web crawlers or SQL injections. The library behind R&S®PACE 2 is updated every week, allowing the honeypot network to always keep up with the latest tricks of cybercriminals thanks to the latest DPI insights.

Dealing with encryption

A growing threat for cybersecurity are encrypted attacks. According to a research by ZScaler, encrypted cyberattacks increased by over 260 % in the first nine months of 2020, with the greatest impact in healthcare, followed by finance and insurance, manufacturing, government and services.[1] In other words, encrypted attacks are a growing problem across the board. It is obvious why encryption is used maliciously: If traffic is encrypted, even if detected, it cannot be classified by simple techniques. This is again where DPI comes into play. By combining metadata extraction, pattern matching, behavioral and statistical analysis and machine learning (ML), the R&S®PACE 2 engine is able to classify the content of encrypted traffic, enabling honeypot networks to detect underlying threats in real time.

Fake vs. real attacks

Honeypots, as ingenious as they may sound, are only effective as long as they appear genuine to the attackers. Nowadays, cybercriminals can identify honeypots through the presence of intrusion detection systems (IDS), firewalls and file names that indicate fake assets. Subsequently, they create a high level of apparent engagement within these honeypots, diverting attention from parts of the corporate network targeted by the actual attacks. In these cases, DPI can be invaluable. Its lightweight form factor allows for network-wide deployment, enabling it to analyze concurrent attacks across the network by matching them in terms of patterns, types and timings. In doing so, it identifies fake attacks and alerts network managers.

Last but not the least, incorporating a DPI engine into the security mix along with a honeypot allows for a more streamlined and efficient security process. A company may already be impervious to certain kinds of cyberattacks and want to find out more about only certain types. A honeypot might not be customizable to offer such fine-grained visibility. However, since DPI can examine contents of network traffic down to the smallest detail, it is possible to filter out attacks and threats that are currently not of interest. Sifting through all the data traffic, DPI saves time and effort.

Honeypot networks are different from other networks. They are entirely designed to lure threats and gather information about them secretly. For such networks, DPI is a great asset. It identifies malicious activity almost instantaneously, helping honeypot networks to detect threats as soon as they enter the network. Hence, DPI is one of the best complementary technologies for any honeypot network. After all, we know that nothing can beat DPI in the battle of intelligence.

Download our white paper on why network security solutions require DPI technology.


[1] 2020 State of Encrypted Attacks - ZScaler - 2020 -

Stephan Klokow portrait

Stephan Klokow

Contact me on LinkedIn

Stephan holds a degree in computer science and has more than 13 years of leadership experience in IT as well as product and software development. Since 2017, he has been the director of DPI at ipoque. As part of his professional career, he has been responsible for the development of digital products and solutions for smart home and IoT technology and has lead national and international IT projects. When he's not at work, he spends time with his family. You might also bump into him on the soccer field or at the gym.


Related material

ipoque blog - discover the latest news and trends in IP network analytics

Sign up for our newsletter

Stay informed about the latest news and insights from ipoque