International Journal of Electrical and Computer Engineering (IJECE)
Vol. 4, No. 6, December 2014, pp. 848~857
ISSN: 2088-8708
Journal homepage: http://iaesjournal.com/online/index.php/IJECE
A New Procedure to Detect Low Interaction Honeypots
Eleazar Aguirre-Anaya¹, Gina Gallegos-Garcia², Nicolás Solano Luna³, Luis Alfonso Villa Vargas⁴
¹, ⁴ Center for Research in Computing
², ³ Department of Research and Graduate Studies, Electrical and Mechanical Engineering School
Instituto Politécnico Nacional, Mexico City, Mexico
Article Info
Article history:
Received Sep 21, 2014
Revised Nov 14, 2014
Accepted Nov 22, 2014
ABSTRACT
Honeypot systems are an important piece of the network security
infrastructure and can be deployed for different purposes, such as
network sensing, capturing and learning about 0-day exploits, capturing and
analyzing black hat techniques, deterring black hats, and gathering data for
statistical analysis of Internet traffic, among others.
Nevertheless, all honeypots need to look like real systems, because if a
honeypot is unmasked, it loses its value. This paper presents a new procedure
to detect low interaction honeypots through HTTP requests, regardless of
honeypot architecture. It is important to mention that the network services of
low interaction honeypots need to be improved in order to obtain trustworthy
information. Otherwise, data obtained by low interaction honeypots should be
considered inaccurate and unreliable.
Keyword:
Fingerprint
Honeypot Systems
Low interaction
Remote Network Systems
Signatures
Copyright © 2014 Institute of Advanced Engineering and Science.
All rights reserved.
Corresponding Author:
Gina Gallegos-Garcia,
Department of Research and Graduate Studies,
Electrical and Mechanical Engineering School – Instituto Politécnico Nacional.
Av. Sta Ana 1000. Sn. Fco. Culhuacan. Coyoacán. 04430. Mexico City, Mexico.
Email: ggallegosg@ipn.mx
1. INTRODUCTION
Nowadays, honeypot systems are important components of an organization's overall security
infrastructure. They can be used to help sense and mitigate security events.
In [1], the author gives the de facto definition: 'A honeypot is a security resource whose value lies
on being probed, attacked and compromised'. However, if a honeypot is detected, it loses all its value. In
other words, if honeypots were susceptible to detection, the black hat community could post a list of
known honeypot systems, letting other black hats avoid those systems and focus on real systems.
Honeypot systems are used to research malware propagation and new intrusion techniques used
by black hats. They make it possible to detect and analyze 0-day exploits or to obtain information
related to malware, such as propagation methods or even source code. Moreover, a honeypot can act
as an alarm system, because any connection received from a host inside the organizational network is an
unequivocal indication that information security mechanisms have been evaded or that there is an insider attacker.
This information can be used to design containment methods against malware, to improve network security
mechanisms, and to define new security policies or change existing ones. In addition, managers can
make better IT decisions about security infrastructure or about deploying new IT services for the clients and
partners of each organization. However, it is important to keep honeypot systems unidentified so that
they can collect information from the network and reach their goals.
Nowadays, remote detection of honeypots is not an easy task, because the detection of uncommon
environments depends on the black hat's skills. For example, detecting a decrease in the speed of the returning
packets over the network, a limited amount of commands in the service or the operating system, limited