Nowadays, networked applications are ubiquitous, ranging from small, single-purpose Internet of Things (IoT) devices, through outsourced cloud services, to complex application landscapes. Systems or resources associated with a networked application may offer public interfaces for potentially untrusted parties to interact with, often in the form of Hypertext Transfer Protocol (HTTP) requests. Systems may be insecure either due to configuration, such as publicly known and unchanged default passwords, or because of security vulnerabilities (e.g., a security hole), both disclosed and zero-day. Hence, insecure systems may pose a significant challenge for security professionals. For example, it is often unknown which class of systems is currently targeted by malicious parties until it is too late.
Low-interaction honeypots (LIHPs) are considered a tool to monitor malicious activities and detect previously unknown attacks. A low-interaction honeypot is a dedicated networked application that emulates the appearance and behavior of a real system. Further, the low-interaction honeypot exposes public interfaces and behavior that are the same as or similar to those of the real system, with the goal of observing unsolicited malicious traffic. To get a comprehensive insight into the current attack landscape, it may be necessary to emulate a large range of systems and applications. However, setting up a low-interaction honeypot for a system may be a non-trivial task, as the generation and configuration of the honeypot is manual. Also, the generation and operation of individual non-trivial low-interaction honeypots may be complex with respect to both the required manual effort and computational resources.
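
The emulation described above, as an added Python example that is not part of the original text: a hand-written response profile is replayed to every request while the request itself is recorded, which is also the manual configuration step the paragraph calls non-trivial. The device banner `ExampleCam/1.0`, the two routes, the `handle` helper and the listening port are assumptions made for illustration.

```python
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

BANNER = "ExampleCam/1.0"  # constructed banner of the emulated (hypothetical) device
# Constructed emulation profile: (method, path) -> (status, content type, body).
PROFILE = {
    ("GET", "/"): (200, "text/html", b"<html><title>ExampleCam Login</title></html>"),
    ("POST", "/login"): (401, "text/plain", b"Invalid credentials"),
}
DEFAULT = (404, "text/plain", b"Not Found")
OBSERVATIONS = []  # in-memory log; a deployment would forward these to a collector


def handle(method, path, headers, body, peer="-"):
    """Record the request, then answer from the canned profile and nothing else."""
    OBSERVATIONS.append({
        "ts": time.time(), "peer": peer, "method": method, "path": path,
        "headers": dict(headers), "body": body.decode("latin-1"),
        "known_route": (method, path) in PROFILE,
    })
    return PROFILE.get((method, path), DEFAULT)


class Handler(BaseHTTPRequestHandler):
    def version_string(self):  # Server header shows the emulated banner
        return BANNER

    def _serve(self):
        raw_len = self.headers.get("Content-Length", "0")
        length = min(int(raw_len), 65536) if raw_len.isdigit() else 0  # cap untrusted size
        body = self.rfile.read(length)
        status, ctype, payload = handle(self.command, self.path, self.headers.items(),
                                        body, self.client_address[0])
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = _serve  # other methods get the base class's 501, unlogged

    def log_message(self, fmt, *args):  # keep stderr quiet; OBSERVATIONS is the record
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

No credential is ever accepted and no request reaches a real system; requests outside the profile still produce an observation, marked with `known_route` set to false.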