TY - GEN
T1 - HoneyIoT
T2 - 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks, WiSec 2023
AU - Guan, Chongqi
AU - Liu, Heting
AU - Cao, Guohong
AU - Zhu, Sencun
AU - La Porta, Thomas
N1 - Funding Information:
This research was partially sponsored by the U.S. Army Combat Capabilities Development Command Army Research Laboratory and was accomplished under Cooperative Agreement Number W911NF-13-2-0045 (ARL Cyber Security CRA).
Publisher Copyright:
© 2023 ACM.
PY - 2023/5/29
Y1 - 2023/5/29
N2 - As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic.To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called em HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses.HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.
AB - As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic.To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called em HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses.HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.
UR - http://www.scopus.com/inward/record.url?scp=85166266104&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85166266104&partnerID=8YFLogxK
U2 - 10.1145/3558482.3590195
DO - 10.1145/3558482.3590195
M3 - Conference contribution
AN - SCOPUS:85166266104
T3 - WiSec 2023 - Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
SP - 49
EP - 59
BT - WiSec 2023 - Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks
PB - Association for Computing Machinery, Inc
Y2 - 29 May 2023 through 1 June 2023
ER -