Weizhe Zhang,Bin Zhang,Ying Zhou,Hui He,Zeyu Ding

DOI: https://doi.org/10.1109/jiot.2019.2956173

IF: 10.6

2020-05-01

IEEE Internet of Things Journal

Abstract:Internet of Things (IoT) devices are vulnerable against attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples but is rarely used on the IoT. Accordingly, this article implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017–17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions, such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design corresponding multiport honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. The Docker in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks excluded in the VT, which proved the effectiveness of the proposed framework.

computer science, information systems,telecommunications,engineering, electrical & electronic

Dominik Breitenbacher,Ivan Homoliak,Yan Lin Aung,Nils Ole Tippenhauer,Yuval Elovici

DOI: https://doi.org/10.48550/arXiv.1905.01027

2019-05-03

Abstract:Internet of Things (IoT) devices have become ubiquitous and are spread across many application domains including the industry, transportation, healthcare, and households. However, the proliferation of the IoT devices has raised the concerns about their security, especially when observing that many manufacturers focus only on the core functionality of their products due to short time to market and low-cost pressures, while neglecting security aspects. Moreover, it does not exist any established or standardized method for measuring and ensuring the security of IoT devices. Consequently, vulnerabilities are left untreated, allowing attackers to exploit IoT devices for various purposes, such as compromising privacy, recruiting devices into a botnet, or misusing devices to perform cryptocurrency mining. In this paper, we present a practical Host-based Anomaly DEtection System for IoT (HADES-IoT) that represents the last line of defense. HADES-IoT has proactive detection capabilities, provides tamper-proof resistance, and it can be deployed on a wide range of Linux-based IoT devices. The main advantage of HADES-IoT is its low performance overhead, which makes it suitable for the IoT domain, where state-of-the-art approaches cannot be applied due to their high-performance demands. We deployed HADES-IoT on seven IoT devices to evaluate its effectiveness and performance overhead. Our experiments show that HADES-IoT achieved 100% effectiveness in the detection of current IoT malware such as VPNFilter and IoTReaper; while on average, requiring only 5.5% of available memory and causing only a low CPU load.

Cryptography and Security

Dr. S. Smys,Dr. Haoxiang Wang,Dr. Abul Basar

DOI: https://doi.org/10.36548/JISMAC.2020.4.002

2020-09-30

DECEMBER

Abstract:Internet of things (IoT) is a promising solution to connect and access every device through internet. Every day the device count increases with large diversity in shape, size, usage and complexity. Since IoT drive the world and changes people lives with its wide range of services and applications. However, IoT provides numerous services through applications, it faces severe security issues and vulnerable to attacks such as sinkhole attack, eaves dropping, denial of service attacks, etc., Intrusion detection system is used to detect such attacks when the network security is breached. This research work proposed an intrusion detection system for IoT network and detect different types of attacks based on hybrid convolutional neural network model. Proposed model is suitable for wide range of IoT applications. Proposed research work is validated and compared with conventional machine learning and deep learning model. Experimental result demonstrate that proposed hybrid model is more sensitive to attacks in the IoT network.

Computer Science,Engineering

Xiangjun Meng,Zhifeng Zhao,Rongpeng Li,Honggang Zhang

DOI: https://doi.org/10.1109/wcsp.2017.8171066

2017-01-01

Abstract:Honeynet is deployed to trap attackers and learn their behavior patterns and motivations. Conventional honeynet is implemented by dedicated hardware and software. It suffers from inflexibility, high CAPEX and OPEX. There have been several virtualized honeynet architectures to solve those problems. But they lack a standard operating environment and common architecture for dynamic scheduling and adaptive resource allocation. Software Defined Security (SDS) framework has a centralized control mechanism and intelligent decision making ability for different security functions. In this paper, we present a new intelligent honeynet architecture based on SDS framework. It implements security functions over Network Function Virtualization Infrastructure (NFVI). Under uniform and intelligent control, security functional modules can be dynamically deployed and collaborated to complete different tasks. It migrates resources according to the workloads of each honeypot and power off unused modules. Simulation results show that intelligent honeynet has a better performance in conserving resources and reducing energy consumption. The new architecture can fit the needs of future honeynet development and deployment.

Javier Carrillo-Mondejar Javier Carrillo-Mondejar,José Roldán-Gómez Javier Carrillo-Mondejar,Juan Manuel Castelo Gómez José Roldán-Gómez,Sergio Ruiz Villafranca Juan Manuel Castelo Gómez,Guillermo Suarez-Tangil Sergio Ruiz Villafranca

DOI: https://doi.org/10.53106/160792642024012501010

2024-01-01

網際網路技術學刊

Abstract:Since the inception of the Internet of Things (IoT), the security measures implemented on its devices have been too weak to ensure the appropriate protection of the data that they handle. Appealed by this, cybercriminals continuously seek out for vulnerable units to control, leading to attacks spreading through networks and infecting a high number of devices. On top of that, while the IoT has evolved to provide a higher degree of security, the techniques used by attackers have done so as well, which has led to the need of continuously studying the way in which these attacks are performed to gather significant knowledge for the development of the pertinent security measures. In view of this, we analyze the state of IoT attacks by developing a high-interaction honeypot for SSH and Telnet services that simulates a custom device with the ARM architecture. This study is carried out in two steps. Firstly, we analyze and classify the interaction between the attacker and the devices by clustering the commands that they sent in the compromised Telnet and SSH sessions. Secondly, we study the malware samples that are downloaded and executed in each session and classify them based on the sequence of system calls that they execute at runtime. In addition, apart from studying the active data generated by the attacker, we extract the information that is left behind after a connection with the honeypot by inspecting the metadata associated with it. In total, more than 1,578 malicious samples were collected after 9,926 unique IP addresses interacted with the system, with the most downloaded malware family being Hajime, with 70.5% of samples belonging to it, and also detecting others such as Mirai, Gafgyt, Dofloo and Xorddos.  

computer science, information systems,telecommunications

Irini Lygerou,Shreyas Srinivasa,Emmanouil Vasilomanolakis,George Stergiopoulos,Dimitris Gritzalis

DOI: https://doi.org/10.1007/s10207-022-00605-7

2022-08-08

International Journal of Information Security

Abstract:The exponential growth of internet connected devices in this past year has led to a significant increase in IoT targeted attacks. The lack of proper integration of security in IoT development life cycle along with a plethora of different protocols (e.g., Zigbee, LoRa, MQTT, etc.) have greatly impacted the resilience of such devices against cyber-attacks, a fact also exacerbated by the size and physical hardware structure of these devices. Thus, it is imperative to develop effective and efficient countermeasures that can also be applied post-production to help build resilience in modern IoT systems. Honeypots are prime example of this notion. Being designed to act as vulnerable computer components or systems, they provide useful intelligence regarding potential attackers. Nevertheless, honeypots have seen little use in protection IoT systems and their underlying protocols, especially in cases where honeypots can leverage the decentralized nature of IoT. In this research, we enhance the HosTaGe honeypot to build an IoT protocol honeypot that runs over mobile devices. The purpose of this paper is to introduce a honeypot specifically for IoT communication protocols over public networks that is easy-to-use and utilizes Android devices. The protocol honeypot utilizes the cellular network to establish decentralized, simulated infrastructures of IoT systems over different types of IoT network protocols. We test four IoT network implementations, one for each of the newly implemented MQTT, CoAP and AMQP protocols. Additionally, we upgrade existing Telnet and SSH protocols used in IoT systems to work over the simulated mobile honeypot. We use the virtualized honeypot networks to capture log, and analyze real-world public attacks on these protocols from the internet and provide an interface for interaction with the implemented honeypot.

computer science, information systems, theory & methods, software engineering

Javier Franco,Ahmet Aris,Berk Canberk,A. Selcuk Uluagac

DOI: https://doi.org/10.48550/arXiv.2108.02287

2021-08-04

Cryptography and Security

Abstract:The Internet of Things (IoT), the Industrial Internet of Things (IIoT), and Cyber-Physical Systems (CPS) have become essential for our daily lives in contexts such as our homes, buildings, cities, health, transportation, manufacturing, infrastructure, and agriculture. However, they have become popular targets of attacks, due to their inherent limitations which create vulnerabilities. Honeypots and honeynets can prove essential to understand and defend against attacks on IoT, IIoT, and CPS environments by attracting attackers and deceiving them into thinking that they have gained access to the real systems. Honeypots and honeynets can complement other security solutions (i.e., firewalls, Intrusion Detection Systems - IDS) to form a strong defense against malicious entities. This paper provides a comprehensive survey of the research that has been carried out on honeypots and honeynets for IoT, IIoT, and CPS. It provides a taxonomy and extensive analysis of the existing honeypots and honeynets, states key design factors for the state-of-the-art honeypot/honeynet research and outlines open issues for future honeypots and honeynets for IoT, IIoT, and CPS environments.

Armin Ziaie Tabari,Xinming Ou,Anoop Singhal

DOI: https://doi.org/10.48550/arXiv.2112.10974

2021-12-21

Abstract:The growing number of Internet of Things (IoT) devices makes it imperative to be aware of the real-world threats they face in terms of cybersecurity. While honeypots have been historically used as decoy devices to help researchers/organizations gain a better understanding of the dynamic of threats on a network and their impact, IoT devices pose a unique challenge for this purpose due to the variety of devices and their physical connections. In this work, by observing real-world attackers' behavior in a low-interaction honeypot ecosystem, we (1) presented a new approach to creating a multi-phased, multi-faceted honeypot ecosystem, which gradually increases the sophistication of honeypots' interactions with adversaries, (2) designed and developed a low-interaction honeypot for cameras that allowed researchers to gain a deeper understanding of what attackers are targeting, and (3) devised an innovative data analytics method to identify the goals of adversaries. Our honeypots have been active for over three years. We were able to collect increasingly sophisticated attack data in each phase. Furthermore, our data analytics points to the fact that the vast majority of attack activities captured in the honeypots share significant similarity, and can be clustered and grouped to better understand the goals, patterns, and trends of IoT attacks in the wild.

Cryptography and Security,Machine Learning

Christopher Hecker,Brian Hay

DOI: https://doi.org/10.1109/hicss.2013.110

2013-01-01

Abstract:One of the challenges facing information technology (IT) security professionals is the laborious task of sifting through numerous log files in an attempt to identify malicious traffic and conduct a forensics analysis to determine an appropriate course of action. This process is complicated significantly by the volume of traffic that can be associated with a production device environment. A honeynet can provide a mechanism to identify much of the forensically interesting traffic by creating a representative system to collect traffic data. However, it is challenging to maintain an accurate representation of a dynamic system in order to consistently collect the appropriate data of interest. This research effort addresses a current challenge identified by researchers at the Honeynet Project by describing a methodology for automatically creating and dynamically updating a honeynet in order to facilitate IDS support.

Guannan Guo,Jianwei Zhuge,Mengmeng Yang,Gengqian Zhou,Yixiong Wu

DOI: https://doi.org/10.1109/IINTEC.2018.8695276

2018-01-01

Abstract:Industrial control systems (ICS) have become ubiquitous as cyber-physical systems are widely distributed in critical infrastructures. Yet as the ICS environment evolves and becomes ever more connected, an increasing number of devices are now exposed on the Internet, and the attacking surface and risk increase as well, an attacker who finds an ICS device can cause severe damage to real world easily. In this paper, we deploy high-interaction honeypots using real devices on the Internet to find who is searching the exposed ICS devices and study the discrepancies between different scanners. To gain a more accurate and bigger landscape, instead of performing our own large scale scanning world wide, we provide a survey of ICS devices on the Internet based on historical data collected from multiple data sources. By aggregating and analyzing, we are able to find an even greater number of both ICS devices and honeypots on the Internet compared with any single search engine. We hope to raise the issue of ICS security and inform work on exploring and securing ICS devices on the Internet.

Mariam Ibrahim,Abdallah Al-Wadi,Ruba Elhafiz

DOI: https://doi.org/10.3390/s24113375

IF: 3.9

2024-05-25

Sensors

Abstract:The healthcare industry went through reformation by integrating the Internet of Medical Things (IoMT) to enable data harnessing by transmission mediums from different devices, about patients to healthcare staff devices, for further analysis through cloud-based servers for proper diagnosis of patients, yielding efficient and accurate results. However, IoMT technology is accompanied by a set of drawbacks in terms of security risks and vulnerabilities, such as violating and exposing patients' sensitive and confidential data. Further, the network traffic data is prone to interception attacks caused by a wireless type of communication and alteration of data, which could cause unwanted outcomes. The advocated scheme provides insight into a robust Intrusion Detection System (IDS) for IoMT networks. It leverages a honeypot to divert attackers away from critical systems, reducing the attack surface. Additionally, the IDS employs an ensemble method combining Logistic Regression and K-Nearest Neighbor algorithms. This approach harnesses the strengths of both algorithms to improve attack detection accuracy and robustness. This work analyzes the impact, performance, accuracy, and precision outcomes of the used model on two IoMT-related datasets which contain multiple attack types such as Man-In-The-Middle (MITM), Data Injection, and Distributed Denial of Services (DDOS). The yielded results showed that the proposed ensemble method was effective in detecting intrusion attempts and classifying them as attacks or normal network traffic, with a high accuracy of 92.5% for the first dataset and 99.54% for the second dataset and a precision of 96.74% for the first dataset and 99.228% for the second dataset.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Mohammed Baz

DOI: https://doi.org/10.3390/s22176505

2022-08-29

Abstract:The Internet of Things (IoT) offers unprecedented opportunities to access anything from anywhere and at any time. It is, therefore, not surprising that the IoT acts as a paramount infrastructure for most modern and envisaged systems, including but not limited to smart homes, e-health, and intelligent transportation systems. However, the prevalence of IoT networks and the important role they play in various critical aspects of our lives make them a target for various types of advanced cyberattacks: Dyn attack, BrickerBot, Sonic, Smart Deadbolts, and Silex are just a few examples. Motivated by the need to protect IoT networks, this paper proposes SEHIDS: Self Evolving Host-based Intrusion Detection System. The underlying approach of SEHIDS is to equip each IoT node with a simple Artificial Neural Networks (ANN) architecture and a lightweight mechanism through which an IoT device can train this architecture online and evolves it whenever its performance prediction is degraded. By this means, SEHIDS enables each node to generate the ANN architecture required to detect the threats it faces, which makes SEHIDS suitable for the heterogeneity and turbulence of traffic amongst nodes. Moreover, the gradual evolution of the SEHIDS architecture facilitates retaining it to its near-minimal configurations, which saves the resources required to compute, store, and manipulate the model's parameters and speeds up the convergence of the model to the zero-classification regions. It is noteworthy that SEHIDS specifies the evolving criteria based on the outcomes of the built-in model's loss function, which is, in turn, facilitates using SEHIDS to develop the two common types of IDS: signature-based and anomaly-based. Where in the signature-based IDS version, a supervised architecture (i.e., multilayer perceptron architecture) is used to classify different types of attacks, while in the anomaly-based IDS version, an unsupervised architecture (i.e., replicator neuronal network) is used to distinguish benign from malicious traffic. Comprehensive assessments for SEHIDS from different perspectives were conducted with three recent datasets containing a variety of cyberattacks targeting IoT networks: BoT-IoT, TON-IOT, and IoTID20. These results of assessments demonstrate that SEHIDS is able to make accurate predictions of 1 True Positive and is suitable for IoT networks with the order of small fractions of the resources of typical IoT devices.

Luís Sousa,José Cecílio,Pedro Ferreira,Alan Oliveira

2024-04-06

Abstract:Industrial Control Systems (ICS) constitute the backbone of contemporary industrial operations, ranging from modest heating, ventilation, and air conditioning systems to expansive national power grids. Given their pivotal role in critical infrastructure, there has been a concerted effort to enhance security measures and deepen our comprehension of potential cyber threats within this domain. To address these challenges, numerous implementations of Honeypots and Honeynets intended to detect and understand attacks have been employed for ICS. This approach diverges from conventional methods by focusing on making a scalable and reconfigurable honeynet for cyber-physical systems. It will also automatically generate attacks on the honeynet to test and validate it. With the development of a scalable and reconfigurable Honeynet and automatic attack generation tools, it is also expected that the system will serve as a basis for producing datasets for training algorithms for detecting and classifying attacks in cyber-physical honeynets.

Cryptography and Security

Salma Elhag,Amal Mahmoud Alghamdi,Norah Ahmad Al-Shomrani

DOI: https://doi.org/10.1007/s42979-022-01566-3

2022-12-29

SN Computer Science

Abstract:The Internet of Things (IoT) has evolved to the point that modern enterprises may now deploy large-scale IoT ecosystems, such as the Industrial Internet of Things (IIoT) (IIoT). The IIoT is susceptible to many cyber-attacks that hacker may use to cause significant reputational and financial harm to businesses. An anomaly-based intrusion detection system (IDS) may offer secure, dependable, and efficient IIoT ecosystems by preserving the confidentiality, integrity, and availability of IIoT networks. This study investigates the application of a security model for the IIoT that uses machine learning techniques to improve network and communication security by preventing malicious and infected nodes from spreading and infecting other nodes in the network. In this, four machine learning classifiers (SVM, DT, RF, and kNN) have been used to classify the attacks with three main attack scenarios. The results show that RF has a stable performance and accuracy of 99.5%, while the other classifiers show differences in accuracy and performance with each attack scenario.

Kannan Kirishikesan,Gayakantha Jayakody,Ayesh Hallawaarachchi,Chandana Gamage

DOI: https://doi.org/10.4038/icter.v16i2.7265

2023-12-08

International Journal on Advances in ICT for Emerging Regions (ICTer)

Abstract:Industrial Control Systems (ICSs) are control systems that automate and control industrial processes. ICSs have a high-security risk since most of them are connected to the Internet for remote monitoring and controlling purposes. Compromising ICS can disrupt critical infrastructure supplies, such as water supply, power supply, transportation systems, and manufacturing systems. Programmable Logic Controllers (PLCs) are special computers used in ICSs. Many PLCs do not have built-in security systems. Many ICS application layer protocols are not designed with security in mind. Therefore, external security systems are needed to protect ICSs from cyber-attacks. Identifying the vulnerabilities, malware, and attacking patterns is useful in designing defense-in-depth security systems for ICSs. Honeypots can be used for research purposes as a way of collecting data and can also be used to protect the systems from attackers. In this paper, we present a high-interaction physics-aware ICS research honeypot that has been extended to a production honeypot using Software Defined Networking.

Chen Zhu,Qiang Li,Bin Sun,Xinyu Jin,Yusun Zhou,Muhan Xie

DOI: https://doi.org/10.1109/ISCAS48785.2022.9937256

2022-01-01

Abstract:IoT information security is an introductory course in network security. Safety offensive and defense experiments are the means that students can get in contact with network attacks. Students network security protection awareness and information protection capabilities can be improved by offensive and defense experiments. At present, there is a problem with high update costs, insufficient comprehensive, complicated operation, and insufficient operation. A new way is presented in this paper to improve the current offensive exercise experiments, providing training platform for postgraduate industrial Internet security courses. It achieves this by using Generative Adversarial Networks (GAN) in honeypot to generate a virtual data for industrial equipment simulation, and using support vector machine (SVM), decision tree and other networks to detect intrusion data. And then a visualization platform is established for students to do experiment.

Chuan Sheng,Yu Yao,Qiang Fu,Wei Yang,Ying Liu

DOI: https://doi.org/10.1016/j.cose.2021.102460

2021-12-01

Abstract:The honeynet, as a promising technology, is increasingly used to actively discover novel network viruses in order to provide more effective defense strategies for the protected network in advance. The state-of-the-art network models aim to investigate the mutual effect between the honeynet and the protected network, however they have not fully exploited the potential of the intelligent honeynet. Compared with the conventional honeynet, the intelligent honeynet has made great progress in data control, data analysis, dynamic deployment, etc., which can provide more valuable information and flexible defense mechanisms for network defenders. In this paper, we propose a novel mathematical model of the intelligent honeynet to explore and prevent the propagation of industrial viruses in the Supervisory Control and Data Acquisition (SCADA) network. Through combining the intelligent honeynet with some traditional defense measures, we present a comprehensive and practical defense mechanism for the SCADA network, which can provide active and dynamic system-level and network-level defense. A theoretical analysis is provided to obtain the virus-free and virose equilibriums and demonstrate the locally and globally asymptotic stabilities of the proposed model. Moreover, A large number of numerical experiments are conducted to confirm the theoretical analysis and the superior defense performance of the proposed defense mechanism over the existing models.

computer science, information systems

Abbasgholi Pashaei,Mohammad Esmaeil Akbari,Mina Zolfy Lighvan,Asghar Charmin

DOI: https://doi.org/10.1016/j.rineng.2022.100576

2022-08-08

Results in Engineering

Abstract:Man-in-the-Middle (MITM) and Distributed Denial of Service (DDoS) attacks are significant threats, especially to Industrial Control Systems (ICS). The honeypot is one of the most common approaches to protecting the network against such attacks. This study proposes a Markov Decision Process (MDP) called the state-action-reward-state-action (SARSA) for honeypot design. The proposed system using environmental experiments can achieve greater accuracy and convergence speed than traditional IDSs. Here, we use two types of agents, one for classification and the other for the environment. The environmental agent tries to minimize the rewards given to the classifying agent. Therefore, the classification agent is forced to learn the most complicated policies, increasing its learning capability in the long term. Thus, the proposed method improves the level of interaction for the early detection of honeypots by recording aggressive behavior. It can be especially suitable for very imbalanced datasets. To evaluate the performance of the proposed method, we compare it with two categories of malicious ICS attacks, including MITM and DDoS. The results show that the proposed model is superior to traditional non-linear IDS models in terms of accuracy (<0.99) and F-measure (0.98).

Zhenhua Li,Yafei Dai,Guihai Chen,Yunhao Liu

DOI: https://doi.org/10.1007/978-981-19-6982-9_9

2023-01-01

Abstract:With the wide adoption, Linux-based IoT devices have emerged as one primary target of todays cyber-attacks. Traditional malware-based attacks can quickly spread across these devices, but they are well-understood threats with effective defense techniques such as malware fingerprinting and community-based fingerprint sharing. Recently, fileless attacksattacks that do not rely on malware fileshave been increasing on Linux-based IoT devices and posing significant threats to the security and privacy of IoT systems. Little has been known in terms of their characteristics and attack vectors, which hinders research and development efforts to defend against them. In this chapter, we present our endeavor in understanding fileless attacks on Linux-based IoT devices in the wild. Over a span of twelve months, we deploy 4 hardware IoT honeypots and 108 specially designed software IoT honeypots and successfully attract a wide variety of real-world IoT attacks. We present our measurement study on these attacks, with a focus on fileless attacks, including the prevalence, exploits, environments, and impacts. Our study further leads to multifold insights toward actionable defense strategies that can be adopted by IoT vendors and end users.

Mohammad Al Rawajbeh,Wael Alzyadat,Khalid Kaabneh,Suha Afaneh,Dima Farhan Alrwashdeh,Hamdah Samih Albayaydah,ssam Hamad AlHadid

DOI: https://doi.org/10.5267/j.ijdns.2023.5.001

2023-01-01

International Journal of Data and Network Science

Abstract:In the era of IoT gaining traction, attacks on IoT-enabled devices are the order of the day that emanates the need for more protected IoT networks. IoT's key feature deals with massive amounts of data sensed by numerous heterogeneous IoT devices. Numerous machine learning techniques are used to collect data from different types of sensors on the objects and transform them into information relevant to the application. Furthermore, business and data analytics algorithms help in event prediction based on observed behavior and information. Routing information securely over the internet with limited resources in IoT applications is a key problem. The study proposes a model for detecting network anomalies in IoT devices to enhance the security of the devices. The study employed the IoT Botnet dataset, and K-fold cross-validation tests were used for validating the values of evaluation metrics. The average values of Accuracy, Precision, Recall, and F Score was 97.4.