Architectural analysis and customised deployment of deceptive cowrie and conpot honeypots

Author Identifiers

Warren Cabral
ORCID: 0000-0002-5270-0020

Date of Award


Degree Type


Degree Name

Master Of Computing And Security By Research


School of Science

First Advisor

Dr Leslie F Sikos

Second Advisor

Professor Craig Valli


Honeypots are progressively becoming a fundamental cybersecurity tool to detect, prevent, and record new threats and attack methodologies used by attackers to penetrate systems. A honeypot is a deceptive or fake computer system that presents itself as a real computer system with actual sensitive information. A range of open-source honeypots are available today, such as Cowrie and Conpot, which can be easily downloaded and deployed within minutes—with default settings. Cowrie is a medium-interaction secure shell (SSH) and Telnet honeypot intended to log brute force and shell interaction attacks. In contrast, Conpot is a low-interaction SCADA honeypot, which attempts to mimic an active SCADA system. These honeypots operate on a standardised configuration file that encompass options for deployment such as hostnames, IPs, network services, protocols, applications, and fingerprint information. These options are convoluted and must be used in an integrated and granular fashion to make the deception presented by the honeypot to be plausible and effective. The current issue with the default configurations is that it is easily detected by adversaries using default parameters, automated scripts and scanners such as Shodan and NMAP. Nonetheless, cybersecurity specialists deploy most honeypots with default configurations. This is because modern systems do not provide a standard framework for optimal deployment of these honeypots based on the various configuration options available to produce a non-default configuration. Hence, default honeypot deployments are counterproductive and a surplus network resources and personnel.

A quantitative empirical learning approach driven by a quasi-experimental methodology was undertaken to develop a solid understanding about the deceptive capabilities of the Cowrie and Conpot honeypots. This was accomplished by developing a framework created from the analysis of numerous Cowrie and Conpot configurations and linking these artefacts to their deceptive potential. This framework provides for customised honeypot configuration, thereby enhancing their functionality to achieve a high degree of deceptiveness and realism. Thereafter, these configured honeypots were then deployed in association with banners and firewall rules to prevent Shodan and NMAP detections and to prevent attackers from acknowledging default parameters. The results of these deployments show an exponential increase in attackerhoneypot interaction in comparison to their subsequent default implementations. In turn, they inform and educate cybersecurity audiences how important it is to deploy honeypots with advanced deceptive configurations to bait cybercriminals and mitigate counterproductive distributions.

Access Note

Access to the following sections of this thesis is not available:

3.2.2 RP-2: Conduct Experiments Conpot Observations

3.5 Limitations

4.2 Conpot Deployment Results

5.1.2 Conpot Indicators

5.2.2 Conpot Granular Configurations

6.3 Final Remarks and Future Work

Access to this thesis is restricted. Please see the Access Note below for access details.