Hands-on Learning on Advanced Deception Defense using Flexible Honeypot Systems

Activity: Supervision; Completed SURF Project

Description

As a typical deception defense tool, honeypots are widely used to lure active attacks and capture malicious behaviors for security investigation. However, there is always a trade-off between security risk and data capture ability in the context of honeypots. A high-interaction honeypot can capture more data, but it needs to expose more information system resources, which brings greater security risk. On the other hand, a low-/medium-interaction honeypot exposes only limited resources (e.g., empty or fake vulnerable services) to the attacker, so it can only attract and capture shallow malicious behaviors, such as access attempts, port scanning, etc. This project aims to address this problem by enhancing the data capture ability while still using low-/medium-interaction honeypots. The prospective outcomes include real attack data caught by the honeypots using advanced techniques like covert attack connection manipulation, attack spoofing with dynamic shellcode analysis, etc.
Period: 20 Jun 2024 to 28 Aug 2024
Degree of Recognition: Local