research-article, Public Access
DOI: 10.1145/3558482.3590195

HoneyIoT: Adaptive High-Interaction Honeypot for IoT Devices Through Reinforcement Learning

Published: 28 June 2023

Abstract

As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic.

To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real-device-based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through a Markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses.

HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.


      Published In

      WiSec '23: Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
      May 2023
      394 pages
      ISBN:9781450398596
      DOI:10.1145/3558482
      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. honeypot
      2. internet of things
      3. reinforcement learning
      4. security

      Qualifiers

      • Research-article

      Funding Sources

      • U.S. Army Combat Capabilities Development Command Army Research Laboratory

      Conference

      WiSec '23

      Acceptance Rates

      Overall Acceptance Rate 98 of 338 submissions, 29%


      Cited By

      • (2024) VDH: a dynamic honeynet technology based on game theory. Fourth International Conference on Machine Learning and Computer Application (ICMLCA 2023). 10.1117/12.3029002 (43). Online publication date: 22-May-2024
      • (2024) MySQL-Pot: A LLM-Based Honeypot for MySQL Threat Protection. 2024 9th International Conference on Big Data Analytics (ICBDA). 10.1109/ICBDA61153.2024.10607309 (227-232). Online publication date: 16-Mar-2024
      • (2024) Exploring Deception Techniques in Safeguarding IoT Networks from Intruders. 2024 International Conference on Communication, Computer Sciences and Engineering (IC3SE). 10.1109/IC3SE62002.2024.10593377 (348-353). Online publication date: 9-May-2024
      • (2024) HoneyLLM: Enabling Shell Honeypots with Large Language Models. 2024 IEEE Conference on Communications and Network Security (CNS). 10.1109/CNS62487.2024.10735663 (1-9). Online publication date: 30-Sep-2024
