Juan David Guarnizo
ABSTRACT
In recent years, the emerging Internet-of-Things (IoT) has led to rising concerns about the security of networked embedded devices. In this work, we propose the SIPHON architecture---a Scalable high-Interaction Honeypot platform for IoT devices. Our architecture leverages IoT devices that are physically at one location and are connected to the Internet through so-called \emph{wormholes} distributed around the world. The resulting architecture allows exposing few physical devices over a large number of geographically distributed IP addresses. We demonstrate the proposed architecture in a large scale experiment with 39 wormhole instances in 16 cities in 9 countries. Based on this setup, five physical IP cameras, one NVR and one IP printer are presented as 85 real IoT devices on the Internet, attracting a daily traffic of 700MB for a period of two months. A preliminary analysis of the collected traffic indicates that devices in some cities attracted significantly more traffic than others (ranging from 600 000 incoming TCP connections for the most popular destination to less than 50 000 for the least popular). We recorded over 400 brute-force login attempts to the web-interface of our devices using a total of 1826 distinct credentials, from which 11 attempts were successful. Moreover, we noted login attempts to Telnet and SSH ports some of which used credentials found in the recently disclosed Mirai malware.
- DLink dcs-930l camera vulnerability. http://securityaffairs.co/wordpress/49143/breaking-news/d-link.html. Accessed: 2016-08--10.Google Scholar
- Masscan the internet port scanner. http://tools.kali.org/information-gathering/masscan. Accessed: 2016-08--10.Google Scholar
- 2005. ITU report : The Internet of Things.Google Scholar
- The DecoyPort: Redirecting Hackers to Honeypots. Springer Berlin Heidelberg, September 2007.Google Scholar
- 2016. Gartner report Forecast: IoT Security, Worldwide.Google Scholar
- 2016. IDC report Internet of Things: Security Practices.Google Scholar
- Eric Alata, Vincent Nicomette, Marc Dacier, Matthieu Herrb, et al. Lessons learned from the deployment of a high-interaction honeypot. arXiv preprint arXiv:0704.0858, 2007.Google Scholar
- Eugene Albin. A comparative analysis of the snort and suricata intrusion-detection systems. PhD thesis, Naval Postgraduate School, CA, USA, 2011.Google Scholar
- E. Androulaki, C. Soriente, L. Malisa, and S. Capkun. Enforcing location and time-based access control on cloud-stored data. In Proceedings of Conference on Distributed Computing Systems (ICDCS), June 2014. Google ScholarDigital Library
- Roland Bodenheim, Jonathan Butts, Stephen Dunlap, and Barry Mullins. Evaluation of the ability of the shodan search engine to identify internet-facing industrial control devices. International Journal of Critical Infrastructure Protection, 7(2):114--123, 2014. Google ScholarCross Ref
- Davide Canali and Davide Balzarotti. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In 20th Annual Network & Distributed System Security Symposium (NDSS), 2013.Google Scholar
- Dyn attack 2016. http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/. Accessed: 2016--12-06.Google Scholar
- Wenjun Fan, Zhihui Du, and David Fernández. Taxonomy of honeynet solutions. In SAI Intelligent Systems Conference (IntelliSys), 2015, pages 1002--1009. IEEE, 2015. Google ScholarCross Ref
- Aurélien Francillon, Boris Danev, and Srdjan Capkun. Relay attacks on passive keyless entry and start systems in modern cars. In Proc. Network and Distributed System Security Symp. (NDSS), 2011.Google Scholar
- Julian B. Grizzard, Sven Krasser, and Henry L. Owen. The Use of Honeynets to Increase Computer Network Security and User Awareness. Journal of Security Education, 1(2--3):23--37, 2005.Google Scholar
- M. Guri, Y. Poliak, B. Shapira, and Y. Elovici. JoKER: Trusted detection of kernel rootkits in android devices via JTAG interface. In Proceedings of Trustcom, volume 1, pages 65--73, Aug 2015.Google ScholarDigital Library
- Philip Hane. IPWHOIS: A library for RDAP (HTTP) lookups. https://pypi.python.org/pypi/ipwhois, 2015.Google Scholar
- Thorsten Holz, Markus Engelberth, and Felix Freiling. Learning more about the underground economy: A case-study of keyloggers and dropzones. In European Symposium on Research in Computer Security, pages 1--18. Springer, 2009. Google ScholarCross Ref
- Y-C Hu, Adrian Perrig, and David B Johnson. Packet leashes: a defense against wormhole attacks in wireless networks. In Proc. of the IEEE Conference on Computer Communication (InfoCom), volume 3, pages 1976--1986. IEEE, 2003.Google ScholarCross Ref
- Yih-Chun Hu, Adrian Perrig, and David B Johnson. Wormhole detection in wireless ad hoc networks. Technical Report Tech. Rep. TR01--384, Department of Computer Science, Rice University, 2002.Google Scholar
- Yih-Chun Hu, Adrian Perrig, and David B Johnson. Wormhole attacks in wireless networks. IEEE journal on selected areas in communications, 24(2):370--380, 2006. Google ScholarDigital Library
- Miyoung Kim, Misun Kim, and Youngsong Mun. Design and implementation of the honeypot system with focusing on the session redirection. In International Conference on Computational Science and Its Applications, pages 262--269. Springer, 2004. Google ScholarCross Ref
- I Kotuliak, P Rybár, and P Trúchly. Performance comparison of ipsec and tls based vpn technologies. In Proceedings of Conference on Emerging eLearning Technologies and Applications (ICETA), pages 217--221. IEEE, 2011. Google ScholarCross Ref
- Q. D. La, T. Quek, J. Lee, S. Jin, and H. Zhu. Deceptive attack and defense game in honeypot-enabled networks for the internet of things. IEEE Internet of Things Journal, PP(99):1--1, 2016.Google Scholar
- John C Matherly. SHODAN the computer search engine. https://www.shodan.io. Accessed: 2016-08-01.Google Scholar
- Mirai malware 2016. http://blog.malwaremustdie.org/2016/08/mmd-0056--2016-linuxmirai-just.html. Accessed: 2016--12-04.Google Scholar
- Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto, Takahiro Kasama, and Christian Rossow. IoTPOT: Analysing the Rise of IoT Compromises. In 9th USENIX Workshop on Offensive Technologies (WOOT). USENIX Association, 2015.Google Scholar
- Radek Píbil, Viliam Lisý, Christopher Kiekintveld, Branislav Bosanský, and Michal Pechoucek. Game Theoretic Model of Strategic Honeypot Selection in Computer Networks, pages 201--220. Springer Berlin Heidelberg, November 2012.Google Scholar
- F Pouget, M Dacier, and VH Pham. on the advantages of deploying a large scale distributed honeypot platform. In Proceedings of the E-Crime and Computer Evidence Conference, 2005.Google Scholar
- Niels Provos. A virtual honeypot framework. In Proc. of the USENIX Security Symposium, 2004.Google ScholarDigital Library
- Niels Provos and Thorsten Holz. Virtual honeypots: from botnet tracking to intrusion detection. Pearson Education, 2007.Google ScholarDigital Library
- Shachar Siboni, Asaf Shabtai, Nils Ole Tippenhauer, Jemin Lee, and Yuval Elovici. Advanced security testbed framework for wearable iot devices. ACM Transactions on Internet Technology (TOIT), 16(4):26, 2016. Google ScholarDigital Library
- Lance Spitzner. The honeynet project: Trapping the hackers. IEEE Security & Privacy, 1(2):15--23, 2003. Google ScholarDigital Library
- Weizhe Zhang and Baosheng Qu. Security architecture of the internet of things oriented to perceptual layer. International Journal on Computer, Consumer and Control (IJ3C), 2(2):37--45, 2013.Google Scholar
Index Terms
- SIPHON: Towards Scalable High-Interaction Physical Honeypots
Recommendations
A scalable and manageable IoT architecture based on transparent computing
AbstractWith the explosion of connected devices, the Internet-of-Things (IoT) is expected to be the fundamental infrastructure of the information society and receives a wide variety of applications in different scenarios. However, the fast-...
Highlights- Propose a layered IoT architecture to provide centralized & efficient resource management.
Utilizing feature selection techniques in intrusion detection system for internet of things
ICFNDS '18: Proceedings of the 2nd International Conference on Future Networks and Distributed SystemsInternet of Things (IoT) represents a system which consists of things in the real world, and sensors attached to or combined to these things, connected to the Internet via wired and wireless network structure. Due to developments in IoT services, ...
A survey of intrusion detection in Internet of Things
Internet of Things (IoT) is a new paradigm that integrates the Internet and physical objects belonging to different domains such as home automation, industrial process, human health and environmental monitoring. It deepens the presence of Internet-...
Comments