Editing Honeypot (computing) (section)

== Honeypot detection ==
Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. As detection systems would likely use unique characteristics of specific honeypots to identify them, such as the property-value pairs of default honeypot configuration,<ref>{{cite conference |title=Review and Analysis of [[Cowrie (honeypot)|Cowrie]] Artefacts and Their Potential to be Used Deceptively |last1=Cabral |first1=Warren |last2=Valli |first2=Craig | last3=Sikos | first3=Leslie | last4=Wakeling |first4=Samuel |date=2019 |publisher=IEEE |book-title=Proceedings of the 2019 International Conference on Computational Science and Computational Intelligence |pages=166–171 |doi=10.1109/CSCI49370.2019.00035|isbn=978-1-7281-5584-5 }}</ref> many honeypots in use utilise a set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software; a situation in which [[wikt:Special:Search/versionitis|"versionitis"]] (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. [[Fred Cohen]], the inventor of the [[Deception Toolkit]], argues that every system running his honeypot should have a deception port which adversaries can use to detect the honeypot.<ref name="dtk">{{cite web|title=Deception Toolkit|url=http://all.net/dtk/index.html|work=All.net|access-date=14 June 2013|year=2013}}</ref> Cohen believes that this might deter adversaries. Honeypots also allow for early detection of legitimate threats. No matter how the honeypot detects the exploit, it can alert you immediately to the attempted attack.<ref>{{Cite book |date=2005 |title=Honeypots for Windows |url=http://dx.doi.org/10.1007/978-1-4302-0007-9 |doi=10.1007/978-1-4302-0007-9|isbn=978-1-59059-335-6 }}</ref>