Revealing Human Attacker Behaviors Using an Adaptive Internet of Things Honeypot Ecosystem

Advances in Digital Forensics XIX (DigitalForensics 2023)

Part of the book series: IFIP Advances in Information and Communication Technology (IFIPAICT, volume 687)

Abstract

Honeypots have been used as decoy devices to understand the dynamics of threats on networks and their impacts. However, the questions of whether and how honeypots can elicit rich human attacker behaviors have not been investigated systematically. These capabilities are especially important for Internet of Things devices given the limited knowledge about attacker goals.

This chapter attempts to answer three questions. Can an Internet of Things honeypot that gradually adapts or increases its emulation sophistication elicit richer human attacker behaviors over time? Is it possible to engage human attackers using dynamically-adapting Internet of Things honeypots? Does the large amount of data captured by honeypots embody patterns that can enable security analysts to understand attacker intentions on Internet of Things devices?

To answer the questions, a new approach is presented for creating an adaptive honeypot ecosystem that gradually increases the sophistication of honeypot interactions with adversaries based on observed data. The approach is employed to design custom honeypots that mimic Internet of Things devices and an innovative data analytics method is applied to identify attacker behavior patterns and reveal attacker goals. The honeypots in the experiments actively observed real-world attacker behaviors and collected increasingly sophisticated attack data over more than three years. In the case of Internet of Things camera honeypots, human attack activities were observed after adapting the honeypots based on previous attacker behaviors. The data analytics results indicate that the vast majority of captured attack activities share significant similarities, and can be clustered to better understand the goals, patterns and trends of Internet of Things attacks in the wild.

Author information

Corresponding author

Correspondence to Xinming Ou.

Copyright information

© 2023 IFIP International Federation for Information Processing

About this chapter

Cite this chapter

Tabari, A.Z., Liu, G., Ou, X., Singhal, A. (2023). Revealing Human Attacker Behaviors Using an Adaptive Internet of Things Honeypot Ecosystem. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XIX. DigitalForensics 2023. IFIP Advances in Information and Communication Technology, vol 687. Springer, Cham. https://doi.org/10.1007/978-3-031-42991-0_5

  • DOI: https://doi.org/10.1007/978-3-031-42991-0_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-42990-3

  • Online ISBN: 978-3-031-42991-0

  • eBook Packages: Computer Science (R0)
