Unknown detection mechanism of Shodan’s Honeyscore for identifying honeypots

Determine the exact algorithmic method and criteria used by Shodan’s Honeyscore service to detect and classify Internet-exposed devices as honeypots based on their observed fingerprints and service responses, in order to assess and improve the stealthiness of distributed high-interaction physical IoT honeypots such as SIPHON.

Background

Shodan is a search engine that scans Internet-exposed devices and fingerprints their services. It provides a Honeyscore service that heuristically labels devices as likely honeypots, a label attackers may use to avoid decoys. In the cited work, the authors deployed SIPHON, a distributed high-interaction physical IoT honeypot, and monitored whether Shodan flagged their wormhole IPs as honeypots.

While most SIPHON wormholes were not labeled as honeypots by Shodan and received low Honeyscores, the precise detection strategy Shodan employs is not disclosed. Understanding that method is important for evaluating the stealth and realism of high-interaction honeypots and for designing deployments that resist automated honeypot detection.

References

The exact method how Shodan is detecting honeypots is unknown to us, but most likely it is a heuristic based on well-known open source honeypot tools.

SIPHON: Towards Scalable High-Interaction Physical Honeypots (1701.02446 - Guarnizo et al., 2017) in Subsection “Hiding the honeypot character,” Section “A distributed IP-Camera Honeypot”