Systematic Review of High Interaction Honeypots for Microsoft SQL Server

https://doi.org/10.22146/ijccs.104450

Faiz Unisa Jazadi(1*), I Gede Mujiyatna(2)

(1) Universitas Gadjah Mada
(2) Universitas Gadjah Mada
(*) Corresponding Author

Abstract


This systematic review examines high-interaction honeypots for Microsoft SQL Server. It covers honeypot environments (bare-metal, virtual machine, container) and monitoring methods (network-based, VMM-based, honeypot-based) to understand how encrypted communications can be monitored effectively. The main focus is a comparison of data monitoring techniques for high-interaction honeypots, in particular the challenges posed by encrypted protocols such as TDS, which Microsoft SQL Server uses. The review identifies limitations in existing work and proposes encrypted MITM proxies as a potential solution. Ultimately, it highlights the need for further work in this area, given the limited existing literature on high-interaction honeypots for Microsoft SQL Server.


Keywords


honeypot; high interaction; Microsoft SQL Server









Copyright (c) 2025 IJCCS (Indonesian Journal of Computing and Cybernetics Systems)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.



Copyright of:
IJCCS (Indonesian Journal of Computing and Cybernetics Systems)
ISSN 1978-1520 (print); ISSN 2460-7258 (online)
is a scientific journal of research results in Computing and Cybernetics Systems.
A publication of IndoCEISS.
Gedung S1 Ruang 416 FMIPA UGM, Sekip Utara, Yogyakarta 55281
Fax: +62274 555133
email:ijccs.mipa@ugm.ac.id | http://jurnal.ugm.ac.id/ijccs


