{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,20]],"date-time":"2026-04-20T10:25:38Z","timestamp":1776680738335,"version":"3.51.2"},"reference-count":54,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2023,9,30]],"date-time":"2023-09-30T00:00:00Z","timestamp":1696032000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"name":"COM3, an Interreg project"},{"name":"North Sea Programme of the European Regional Development Fund of the European Union"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,9,30]]},"abstract":"<jats:p>Honeypots are decoy systems that lure attackers by presenting them with a seemingly vulnerable system. They provide an early detection mechanism as well as a method for learning how adversaries work and think. However, over the past years, several researchers have shown methods for fingerprinting honeypots. This significantly decreases the value of a honeypot; if an attacker is able to recognize the existence of such a system, they can evade it. In this article, we revisit the honeypot identification field, by providing a holistic framework that includes state-of-the-art and novel fingerprinting components. We decrease the probability of false positives by proposing a rigid multi-step approach for labeling a system as a honeypot. We perform extensive scans covering 2.9 billion addresses of the IPv4 space and identify a total of 21,855 honeypot instances. Moreover, we present several interesting side findings such as the identification of around 355,000 non-honeypot systems that represent potentially misconfigured or unpatched vulnerable servers (e.g., SSH servers with default password configurations and vulnerable versions). 
We ethically disclose our findings to network administrators about the default configuration and the honeypot developers about the gaps in implementation that lead to possible honeypot fingerprinting. Last, we discuss countermeasures against honeypot fingerprinting techniques.<\/jats:p>","DOI":"10.1145\/3584976","type":"journal-article","created":{"date-parts":[[2023,2,21]],"date-time":"2023-02-21T11:14:53Z","timestamp":1676978093000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":25,"title":["Gotta Catch \u2019em All: A Multistage Framework for Honeypot Fingerprinting"],"prefix":"10.1145","volume":"4","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5720-5504","authenticated-orcid":false,"given":"Shreyas","family":"Srinivasa","sequence":"first","affiliation":[{"name":"Aalborg University"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1903-2921","authenticated-orcid":false,"given":"Jens Myrup","family":"Pedersen","sequence":"additional","affiliation":[{"name":"Aalborg University"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-5068-9158","authenticated-orcid":false,"given":"Emmanouil","family":"Vasilomanolakis","sequence":"additional","affiliation":[{"name":"Technical University of Denmark"}]}],"member":"320","published-online":{"date-parts":[[2023,10,6]]},"reference":[{"key":"e_1_3_5_2_2","first-page":"848","article-title":"A new procedure to detect low interaction honeypots","volume":"4","author":"Aguirre-Anaya E.","year":"2014","unstructured":"E. Aguirre-Anaya, G. Gallegos-Garc\u00eda, Nicol\u00e1s Solano Luna, and Luis A. Villa Vargas. 2014. A new procedure to detect low interaction honeypots. International Journal of Electrical and Computer Engineering 4 (2014), 848\u2013857.","journal-title":"International Journal of Electrical and Computer Engineering"},{"key":"e_1_3_5_3_2","volume-title":"Alexa\u2014An Amazon Company","year":"2020","unstructured":"Amazon. 2020. 
Alexa\u2014An Amazon Company. Amazon. https:\/\/www.alexa.com\/topsites."},{"key":"e_1_3_5_4_2","unstructured":"Ofir Arkin Fyodor Yarochkin and Meder Kydyraliev. 2003. The Present and Future of Xprobe2\u2014The Next Generation of Active Operating System Fingerprinting . SYS-Security Groups."},{"key":"e_1_3_5_5_2","volume-title":"Proceedings of the 14th USENIX Security Symposium (USENIX Security\u201905)","author":"Bethencourt John","year":"2005","unstructured":"John Bethencourt, Jason Franklin, and Mary Vernon. 2005. Mapping Internet sensors with probe response attacks. In Proceedings of the 14th USENIX Security Symposium (USENIX Security\u201905). USENIX Association, Baltimore, MD. https:\/\/www.usenix.org\/conference\/14th-usenix-security-symposium\/mapping-internet-sensors-probe-response-attacks."},{"key":"e_1_3_5_6_2","volume-title":"The National Vulnerability Database (NVD): Overview","author":"Booth Harold","year":"2013","unstructured":"Harold Booth, Doug Rike, and Gregory Witte. 2013. The National Vulnerability Database (NVD): Overview. Technical Report. National Institute of Standards and Technology."},{"key":"e_1_3_5_7_2","unstructured":"Bogdan Botezatu. 2018. New Hide\u2019n Seek IoT Botnet Using Custom-Built Peer-to-Peer Communication Spotted in the Wild. Retrieved March 1 2023 from https:\/\/www.bitdefender.com\/blog\/labs\/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild\/."},{"key":"e_1_3_5_8_2","volume-title":"Umbrella Popularity List","year":"2020","unstructured":"Cisco. 2020. Umbrella Popularity List. Cisco. Retrieved March 1, 2023 from https:\/\/umbrella-static.s3-us-west-1.amazonaws.com\/index.html."},{"key":"e_1_3_5_9_2","unstructured":"Cymmetria. 2016. MTPot. Retrieved March 1 2023 from https:\/\/github.com\/Cymmetria\/MTPot."},{"key":"e_1_3_5_10_2","unstructured":"Debian. 2020. Debian Project. Debian Project. 
Retrieved March 1 2023 from https:\/\/www.debian.org\/mirror\/list."},{"key":"e_1_3_5_11_2","unstructured":"Decester. 2000. An SSH Honeypot. Retrieved March 1 2023 from https:\/\/github.com\/desaster\/kippo."},{"key":"e_1_3_5_12_2","volume-title":"DomainTools Whois Lookup","year":"2022","unstructured":"DomainTools. 2022. DomainTools Whois Lookup. Retrieved March 1, 2023 from https:\/\/whois.domaintools.com\/."},{"key":"e_1_3_5_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813703"},{"key":"e_1_3_5_14_2","volume-title":"Proceedings of the 22nd USENIX Conference on Security (SEC\u201913)","author":"Durumeric Zakir","year":"2013","unstructured":"Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. 2013. ZMap: Fast Internet-wide scanning and its security applications. In Proceedings of the 22nd USENIX Conference on Security (SEC\u201913). USENIX Association, 605\u2013620."},{"key":"e_1_3_5_15_2","unstructured":"Ubuntu. 2020. Official Archive Mirrors for Ubuntu. Retrieved March 1 2023 from https:\/\/launchpad.net\/ubuntu\/+archivemirrors."},{"key":"e_1_3_5_16_2","volume-title":"The Apache Software Foundation","author":"Foundation The Apache","year":"2020","unstructured":"The Apache Foundation. 2020. The Apache Software Foundation. Apache.org. https:\/\/apache.org\/history\/mirror-history.html."},{"key":"e_1_3_5_17_2","unstructured":"GNU.org. 2020. GNU Operating System . GNU.org. Retrieved March 1 2023 from https:\/\/www.gnu.org\/prep\/ftp.en.html."},{"key":"e_1_3_5_18_2","unstructured":"Robert David Graham. 2014. MASSCAN: Mass IP Port Scanner. Retrieved March 1 2023 from https:\/\/github.com\/robertdavidgraham\/masscan."},{"key":"e_1_3_5_19_2","volume-title":"Proactive Detection of Security Incidents, Report","author":"Grudziecki T.","year":"2012","unstructured":"T. Grudziecki, P. Jacewicz, \u0141. Juszczyk, P. Kijewski, and P. Pawli\u0144ski. 2012. Proactive Detection of Security Incidents, Report. ENISA. 
https:\/\/www.enisa.europa.eu\/publications\/proactive-detection-report."},{"key":"e_1_3_5_20_2","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2012.738375"},{"key":"e_1_3_5_21_2","unstructured":"Hipo. 2020. GITHUB . Hipo. Retrieved March 1 2023 from https:\/\/github.com\/Hipo\/university-domains-list."},{"key":"e_1_3_5_22_2","first-page":"237","volume-title":"Proceedings of the 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI\u201914)","author":"Holik Filip","year":"2014","unstructured":"Filip Holik, Josef Horalek, Ondrej Marik, Sona Neradova, and Stanislav Zitta. 2014. Effective penetration testing with metasploit framework and methodologies. In Proceedings of the 2014 IEEE 15th International Symposium on Computational Intelligence and Informatics (CINTI\u201914). IEEE, Budapest, Hungary, 237\u2013242."},{"key":"e_1_3_5_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/IAW.2005.1495930"},{"key":"e_1_3_5_24_2","article-title":"Automatic identification of honeypot server using machine learning techniques","volume":"2019","author":"Huang Cheng","year":"2019","unstructured":"Cheng Huang, Jiaxuan Han, Xing Zhang, and Jiayong Liu. 2019. Automatic identification of honeypot server using machine learning techniques. Security and Communication Networks 2019, 5 (2019), 1\u20138.","journal-title":"Security and Communication Networks"},{"key":"e_1_3_5_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3544216.3544249"},{"key":"e_1_3_5_26_2","first-page":"615","volume-title":"Proceedings of the International Symposium on Recent Advances in Intrusion Detection","author":"Kr\u00e4mer Lukas","year":"2015","unstructured":"Lukas Kr\u00e4mer, Johannes Krupp, Daisuke Makita, Tomomi Nishizoe, Takashi Koide, Katsunari Yoshioka, and Christian Rossow. 2015. AmpPot: Monitoring and defending against amplification DDoS attacks. In Proceedings of the International Symposium on Recent Advances in Intrusion Detection. 
615\u2013636."},{"key":"e_1_3_5_27_2","unstructured":"Gordon Lyon. 2021. NMap Network Mapper. Retrieved March 1 2023 from https:\/\/nmap.org\/."},{"key":"e_1_3_5_28_2","unstructured":"Majestic. 2021. The Majestic Million . Majestic. Retrieved March 1 2023 from https:\/\/majestic.com\/reports\/majestic-million."},{"key":"e_1_3_5_29_2","first-page":"134","volume-title":"Proceedings of the 2019 IFIP\/IEEE Symposium on Integrated Network and Service Management (IM\u201919)","author":"Morishita Shun","year":"2019","unstructured":"Shun Morishita, Takuya Hoizumi, Wataru Ueno, Rui Tanabe, Carlos Ga\u00f1\u00e1n, Michel J. G. van Eeten, Katsunari Yoshioka, and Tsutomu Matsumoto. 2019. Detect me if you... oh wait. An Internet-wide view of self-revealing honeypots. In Proceedings of the 2019 IFIP\/IEEE Symposium on Integrated Network and Service Management (IM\u201919). IEEE, Arlington, VA, 134\u2013143."},{"key":"e_1_3_5_30_2","unstructured":"Marcin Nawrocki Matthias W\u00e4hlisch Thomas C. Schmidt Christian Keil and Jochen Sch\u00f6nfelder. 2016. A survey on honeypot software and data analysis. arxiv:1608.06249 [cs.CR] (2016)."},{"key":"e_1_3_5_31_2","unstructured":"Michel Oosterhof. 2016. Cowrie SSH\/Telnet Honeypot. Retrieved March 1 2023 from https:\/\/github.com\/micheloosterhof\/cowrie."},{"key":"e_1_3_5_32_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11761-018-0252-2"},{"key":"e_1_3_5_33_2","unstructured":"The Honeynet Project. 2021. The Honeynet Project. Retrieved March 1 2023 from https:\/\/www.honeynet.org."},{"key":"e_1_3_5_34_2","unstructured":"Rapid7. 2021. Recog. https:\/\/github.com\/rapid7\/recog."},{"key":"e_1_3_5_35_2","unstructured":"L Rist. 2009. Glastopf project . The Honeynet Project. Retrieved March 1 2023 from https:\/\/www.honeynet.org\/projects\/old\/glastopf\/."},{"key":"e_1_3_5_36_2","volume-title":"CONPOT ICS\/SCADA Honeypot","author":"Rist Lukas","year":"2013","unstructured":"Lukas Rist, Johnny Vestergaard, Daniel Haslinger, A. 
Pasquale, and J. Smith. 2013. CONPOT ICS\/SCADA Honeypot. The Honeynet Project. Retrieved March 1, 2023 from http:\/\/conpot.org\/."},{"key":"e_1_3_5_37_2","unstructured":"SHODAN. 2021. Honeypot or Not? Retrieved March 1 2023 from https:\/\/honeyscore.shodan.io."},{"key":"e_1_3_5_38_2","unstructured":"Lance Spitzner. 2000. Passive Fingerprinting . Tech Solvency."},{"key":"e_1_3_5_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSECP.2003.1193207"},{"key":"e_1_3_5_40_2","doi-asserted-by":"publisher","DOI":"10.1145\/3433174.3433599"},{"key":"e_1_3_5_41_2","volume-title":"Proceedings of the 26th European Symposium on Research in Computer Security (ESORICS\u201921).","author":"Srinivasa Shreyas","year":"2021","unstructured":"Shreyas Srinivasa, Jens Myrup Pedersen, and Emmanouil Vasilomanolakis. 2021. RIoTPot: A modular hybrid-interaction IoT\/OT honeypot. In Proceedings of the 26th European Symposium on Research in Computer Security (ESORICS\u201921). Springer, Darmstadt."},{"key":"e_1_3_5_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2020.3044576"},{"key":"e_1_3_5_43_2","unstructured":"Dino Tools. 2010. Web Honeypot. Retrieved March 1 2023 from https:\/\/github.com\/DinoTools\/dionaea\/."},{"key":"e_1_3_5_44_2","volume-title":"Kali Tools","author":"Van Hauser","year":"2021","unstructured":"Hauser Van and Kessler Roland. 2021. Kali Tools. THC.org. Retrieved March 1, 2023 from https:\/\/www.thc.org\/thc-hydra\/."},{"key":"e_1_3_5_45_2","doi-asserted-by":"publisher","DOI":"10.1145\/2659651.2659663"},{"key":"e_1_3_5_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/NOMS.2016.7502992"},{"key":"e_1_3_5_47_2","doi-asserted-by":"crossref","first-page":"279","DOI":"10.1109\/CNS.2016.7860495","volume-title":"Proceedings of the 2016 IEEE Conference on Communications and Network Security (CNS\u201916)","author":"Vasilomanolakis E.","year":"2016","unstructured":"E. Vasilomanolakis, M. Stahn, C. G. Cordero, and M. M\u00fchlh\u00e4user. 2016. 
On probe-response attacks in collaborative intrusion detection systems. In Proceedings of the 2016 IEEE Conference on Communications and Network Security (CNS\u201916). IEEE, Florence, 279\u2013286."},{"key":"e_1_3_5_48_2","volume-title":"Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT\u201918)","author":"Vetterl Alexander","year":"2018","unstructured":"Alexander Vetterl and Richard Clayton. 2018. Bitter harvest: Systematically fingerprinting low- and medium-interaction honeypots at Internet scale. In Proceedings of the 12th USENIX Workshop on Offensive Technologies (WOOT\u201918). USENIX Association, Baltimore, MD. https:\/\/www.usenix.org\/conference\/woot18\/presentation\/vetterl."},{"key":"e_1_3_5_49_2","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2019.00049"},{"key":"e_1_3_5_50_2","volume-title":"Proceedings of the Network and Distributed System Security Symposium (NDSS\u201907)","author":"Vogt Ryan","year":"2007","unstructured":"Ryan Vogt, John Aycock, and Michael J. Jacobson Jr. 2007. Army of botnets. In Proceedings of the Network and Distributed System Security Symposium (NDSS\u201907). NDSS, San Diego, CA."},{"key":"e_1_3_5_51_2","doi-asserted-by":"publisher","DOI":"10.1504\/IJICS.2010.031858"},{"key":"e_1_3_5_52_2","volume-title":"The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems","author":"Wilhoit Kyle","year":"2015","unstructured":"Kyle Wilhoit and Stephen Hilt. 2015. The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems. Black Hat."},{"key":"e_1_3_5_53_2","doi-asserted-by":"publisher","DOI":"10.1145\/3372318.3372322"},{"key":"e_1_3_5_54_2","unstructured":"GitHub. 2020. ZMap: Sample Applications. 
Retrieved March 1 2023 from https:\/\/github.com\/zmap\/zmap\/wiki\/Sample-Applications."},{"key":"e_1_3_5_55_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2006.38"}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3584976","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3584976","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T16:37:07Z","timestamp":1750178227000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3584976"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,9,30]]},"references-count":54,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2023,9,30]]}},"alternative-id":["10.1145\/3584976"],"URL":"https:\/\/doi.org\/10.1145\/3584976","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"value":"2692-1626","type":"print"},{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,9,30]]},"assertion":[{"value":"2022-07-06","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2022-12-15","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-10-06","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}