An IoT Honeynet Based On Multi-Port Honeypots For Capturing IoT Attacks
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2019.2956173, IEEE Internet of Things Journal
Abstract—Internet of Things (IoT) devices are vulnerable to attacks because of their limited network resources and complex operating systems. Thus, a honeypot is a good method of capturing malicious requests and collecting malicious samples, but it is rarely used on the IoT. Accordingly, this research implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017-17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design a corresponding multi-port honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. Docker encapsulates all these honeypots in the honeynet, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet. Moreover, the honeynet control center is simultaneously designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks not present in VT, which proved the effectiveness of the proposed framework.

Index Terms—Internet of Things (IoT), honeypot, honeynet, SOAP, multiport

Weizhe Zhang is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China, and with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: wzzhang@hit.edu.cn).
Bin Zhang is with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: bin.zhang@pcl.ac.cn).
Ying Zhou is with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: zhouy01@pcl.ac.cn).
Hui He is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China (e-mail: hehui@hit.edu.cn).
Zeyu Ding is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China (e-mail: dzydyx@gmail.com).
This work is supported by the Key Research and Development Program for Guangdong Province 2019B010136001 and the Peng Cheng Laboratory Project of Guangdong Province PCL2018KP004 and PCL2018KP005. (Corresponding author: Weizhe Zhang.)
Copyright (c) 2019 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org.

I. INTRODUCTION

The Internet of Things (IoT) promotes smart and convenient living. According to a survey [1], the number of IoT devices has surpassed 10 billion. However, huge security breaches happen in the IoT. In 2018, a hacker organization infected more than ten thousand IoT devices with two IoT vulnerabilities, CVE-2017-17215 and CVE-2014-8361, and they even rented Distributed Denial of Service (DDoS) attack services on the darknet. Another botnet, named Hide'N Seek (HNS), infected nearly a thousand IoT devices by injecting vulnerabilities through several remote commands, which have been disclosed. The botnet named IoTroop drew on part of Mirai (a type of botnet) and launched three consecutive large-scale DDoS attacks on financial institutions on January 28, 2018. Moreover, firmware vulnerabilities in the MikroTik router have resulted in more than 200,000 devices mining cryptocurrency without the user's knowledge.

The vulnerabilities and number of IoT devices render IoT attacks easier than traditional cyber-attacks. Existing IoT devices are vulnerable to various physical attacks [22], [29], such as those on position-based services [32], [33], [34]. Therefore, studying lightweight IoT devices as well as communication encryption schemes is crucial to ensuring their security [23]. The traditional sandbox and other security protection technologies [31] cannot be realized on IoT devices because of the limited resources of sensor devices and their unreliable systems [24]. Consequently, vulnerabilities in the system are easily found via firmware analysis [25]. It is also vulnerable to side-channel attacks because of the stability of its equipment location [26]. The security threats to communication networks are dominated by traditional cyber-attacks, namely, man-in-the-middle attacks, data theft and replay, counterfeiting, and so on. In addition, UPnP, which is extensively used in IoT devices, also brings many vulnerabilities. IoT devices can use DHCP to automatically access the Internet and then use the SSDP protocol to discover devices until the control device completes the task [28].

To protect IoT devices, monitoring the malicious behavior of the IoT and promptly identifying threats are important. We must analyze the malicious behavior, the characteristics of the data, and the characteristics of attacks [30], which requires us to obtain malicious samples of the IoT first. Honeypots and honeynets are effective methods of capturing malicious requests and collecting malicious behavior samples. A honeypot induces the attack by arranging some hosts, network services, or information, thereby capturing the attack behavior, analyzing the tools and methods adopted by the attacker, and inferring the attack intention and motivation. The honeypot can help the defending party clearly understand the security threats and enhance the security protection capability of the real system.

Yegneswaran et al. [15] proposed a situational awareness model based on a honeynet. They deployed a honeynet system with a MySQL database to save and analyze data, and the Bro NIDS is used for analysis. After six months of data
collection, the experimental results proved that the system could detect botnet scanning and worm outbreaks.

Ma et al. [16] generated a highly personalized and predictive blacklist for each network by sharing historical attackers captured by the honeynets in each network. Accordingly, different networks can collaboratively detect new attackers because of the shared attacker information. The most likely future attackers are identified on the basis of their historical relevance. The defense strategy thereby becomes relatively active, and the experimental results show that this method can produce an accurate blacklist.

Yongli et al. [17] proposed a new honeynet model, BRHNS (Realm-based Honeynet), to solve the problems of non-cooperation and weak real-time performance in honeynets. BRHNS utilized the cooperation between Realms and shared the new intrusion rules. It also updated the Intrusion Detection System (IDS) rule library in real time and improved the detection efficiency of the IDS. Accordingly, it effectively reduced the workload of the honeynet and improved its efficiency. Experimental results show that BRHNS is much faster than conventional honeynets.

Honeypots capture many attacks that are difficult to handle manually; therefore, some researchers proposed using data mining techniques to analyze the recorded traffic and extract useful information. Ghourabi et al. [18] provided a data analysis tool based on a clustering algorithm. The main idea is to extract useful information from data captured by the honeypot. The data are clustered by the Density-Based Spatial Clustering of Applications with Noise (DBSCAN) algorithm to classify the captured packets. Then, a human expert verifies the extracted suspicious packets. This solution is useful for detecting novel routed attacks.

Huang et al. [19] indicated that positive interactions on the honeynet could yield mature attack samples, but such a honeynet is highly expensive and poses high risks to the development of the honeynet. Therefore, they applied a Semi-Markov Decision Process to describe an attacker's random transitions and stay time in the honeynet. Subsequently, they weighed the rewards and risks. Adaptive long-term participation policies have also been developed to demonstrate risk avoidance, cost-effectiveness, and time efficiency. Numerical results show that this adaptive interaction strategy can be used to attract attackers quickly, with the capacity to obtain valuable threat information over a long time with a low penetration rate.

However, the existing honeynet systems are designed for the traditional Internet and are inappropriate for IoT systems. In addition, owing to the changing form of attacks, we must design a new honeypot to capture them. To capture a complete attack and avoid hackers stopping due to long periods of unresponsiveness, this research proposes a medium-high interactive honeypot that treats the internal execution of the vulnerable service as a black box and only returns the output. Such a proposition avoids simulating the service, reduces the workload of the security personnel, and improves the capability of the honeypot to interact with the external network. Accordingly, the current study develops a high-interaction honeypot running real IoT firmware. When the high-interaction simulation honeypot fails to respond to the attacker's request, the process is handed over to the real honeypot, which returns the real output. This research also designed a multi-port honeypot, using a multi-threaded running high-interaction honeypot. Then, any port can return the IoT device configuration file according to the given fingerprint information to simulate the real device service. The current study proposes a novel architecture of honeypot and honeynet, with the following contributions:

• We build an interconnected and collaborative honeynet for the IoT network. The system simulates IoT device services to monitor the security status of the IoT in real time. It can discover and record malicious behaviors and collect malicious samples of the IoT.
• In the proposed hybrid honeynet, we combine a medium-high interactive honeypot with a high-interaction honeypot using real firmware services based on the popular CVE-2017-17215 vulnerability. Moreover, we design a multi-port interactive honeypot on the basis of the most exposed SOAP ports in 2018.
• We encapsulate the honeypot with Docker for the proposed honeynet to ensure the security of the physical machine and facilitate rapid deployment.

The rest of the work is structured as follows. The next section reviews related work. The method section depicts the proposed honeypots and honeynet. Next, we dissect the conducted evaluation and the activity observed with the honeynet in the evaluation section. Finally, we conclude our work and give a future outlook in the final section.

II. RELATED WORK

A. Honeypot

Niels [3] proposed a classic honeypot framework, Honeyd, which can simulate real computers at the network layer as shown in Fig. 1. It consists of the traffic allocation units, protocol processing units, and fingerprint matching units. The traffic allocation units send the packet to an established honeypot or a default route. The protocol processing units can simulate the TCP, UDP, and ICMP protocols, and so on. The fingerprint matching units are used to defeat fingerprint identification tools, which prevents hackers from discovering the honeypot. A free IP address of the current network can be regarded as the virtual address of the honeypot, and many honeypots can be deployed on a single host because the framework is lightweight.

Paul et al. [4] proposed another classic honeypot framework called Nepenthes. Nepenthes simulates only parts of a protocol instead of the complete one, and it adopts a shellcode detection mechanism to discover injected malicious code. The framework has been replaced by Dionaea [5], which is implemented in Python to simulate vulnerable services and capture malicious attacks.

Rist et al. [6] developed a Web honeypot called Glastopf, which attempts to respond directly to the requesters, thus avoiding the simulation of the service and reducing the workload of security personnel. Based on this work, the Glastopf approach regards the CVE-2017-17215 vulnerability as a black box, which only responds to the attacker. The limitations
[Fig. 1 (figure not extracted): Honeyd receives traffic from the external network through a network port; a flow distribution unit passes packets to the fingerprint matching unit and the protocol processing unit, backed by a database.]
Fig. 1. The work flow of Honeyd

of this method prompt the current research to develop a high interactive honeypot that operates real IoT firmware. When medium-high-interaction honeypots cannot respond to an attacker's request, the process is handed over to the high-interaction honeypot.

In the field of IoT, scholars have begun to study honeynet systems to collect malicious IoT behaviors. Pa et al. [11] simulated the TELNET login process to create an IoT honeypot that attracted TELNET attacks against IoT devices with different CPU architectures. While collecting data through the deployed honeynet, they discovered five different malware families, the largest of which can infect up to nine different IoT devices with different CPU architectures. Anirudh et al. [12] designed a honeypot model as a bait for the main server, thereby diverting the DoS attacks in the IoT network and improving the performance of the IoT device. Muhammad et al. [13] introduced an IoT honeypot framework based on the UPnP protocol. They used device description files to automate honeypots, which allows multiple instances to be deployed on a single physical machine. We refer to this architecture, select device files to make honeypots, and further capture IoT malicious attacks. Hanson et al. [14] extended the concept of the IoT honeypot and presented a honeynet system with a hybrid of virtual and real devices. The system used machine learning algorithms for traffic analysis and predicted the opponent's next activity.

Unlike the Internet, which is based on the HTTP protocol, the IoT typically uses the lighter SOAP protocol for exchanging information in a distributed computing environment. Dai et al. [20] designed and implemented a SOAP-based transaction management protocol (TMP), including supported operations, interface definitions for these operations, implementation structures, and processing of the protocol. SOAP-based TMP can make the most of extensively used technologies such as HTTP, XML, and SOAP, and thus can be used widely. Riedel et al. [21] transformed the lengthy parts binding with SOAP to the semantics of a specific network platform. Taking Radio Frequency Identification technology as an example, it converts the semantics of a Remote Proced Call into a reader query.

B. Honeynet

Spitzner et al. [7] proposed the honeynet because of the limitations of a single virtual honeypot. The honeynet system is a network that includes multiple honeypots as well as multiple deployment nodes. It is a network that consists of behavior recording, alarm and analysis, management communication, and other mechanisms. It contains real systems to capture further attacks, facilitating the understanding of hackers' attack methods and security incidents. Artail et al. [35] proposed a hybrid honeynet system to improve the IDS, in which low- and high-interaction honeypots are all deployed to protect the network.

Curran et al. [8] pointed out several major characteristics of a honeynet: (1) Defects and vulnerabilities in certain areas, as well as some insecure measures, which easily leave the honeynet vulnerable to attacks by hackers, frequently exist in a honeynet. (2) A honeynet is not a service network, thereby rendering traffic monitoring in the honeynet system unsafe. (3) The honeynet system should be capable of recording any connections, requests, responses, services, logs, and so on, for the security personnel to perform subsequent analysis. (4) Every honeypot in the honeynet system is under strict control; it can be traced and restored. (5) Security measures between the honeynet system and the external network must be in place to prevent malicious behaviors after the honeypot is compromised. Moreover, Kevin et al. believed that the honeynet system does not need to actively lure attacks, which is conducive to ensuring the authenticity of the data obtained by the honeypot.

For conventional honeynets, many scholars have conducted research on intrusion detection and data analysis. Hu [9] proposed an attack behavior analysis method based on an attack graph. He used the attack graph for honeynet security detection and introduced the key element of network topology; he improved the clustering algorithm to classify the alarms. In addition, he improved the DFS encoding technology and migrated it to the field of directed graphs. Finally, Hu synthesized the network and topology information to identify the warning information. For data analysis in protected content, for example, position-based services and queries are highly dependent on processing speed together with content security. Sangaiah et al. [34] used machine learning for roaming PBS users. Medhane et al. [33] proposed a parallel architecture for a position monitoring system, and a position confidentiality conserving algorithm is used to protect the content [32].

Agrawal et al. [10] proposed a method for monitoring rogue wireless access based on a shadow honeynet, as shown in Fig. 2. The concept of a shadow honeynet comes from the shadow honeypot, which refers to a copy of the software or system actually intended to be protected. The copy shares its internal state with the subject. The framework consists of three parts, namely, a filtering engine, an anomaly sensor, and a shadow honeypot.

In the field of IoT, Oza et al. [36] implemented an authorization mechanism in a honeynet, thereby enabling them to solve the issue of man-in-the-middle attacks in the IoT. Ammar et al. [37] proposed the honeyIo3 model in ICS/SCADA systems, and
[Fig. 2 (figure not extracted): shadow honeynet with a shadow honeypot, process state, general service state and an intrusion sensor.]
[Figure (caption not extracted): honeynet architecture with Master A and Master B honeypot controllers, a hardware honeypot controller, a CVE honeypot and a SOAP multi-port honeypot on Physical Host C, connected to the external network.]
The functions of the above parts work together to form the core of the honeypot, complete the basic functions of the honeypot, and simulate the real IoT devices and services.

2) Honeypot Daemon: This module defines a base class Daemon to open, close, restart, and initialize. It also provides the external interface to control the honeypot. Because the Daemon class runs detached from the terminal, the standard streams are redirected to an empty file. The default value of the pidfile attribute is "/tmp/tmp.pid", which saves the process number of the current process. The system can check it to determine whether the process already exists, ensuring singleton mode.

The function daemonize is used to initialize the Daemon instance. First, whether an instance already exists is determined from the pidfile; then, the buffers are flushed, and the standard streams are discarded. Finally, removal of the pidfile at the end of the process is guaranteed through the atexit.register and signal.signal functions. The static function throws a SystemExit exception. The start function calls the daemonize function to initialize, catches abnormal operation, and outputs an error message. The stop function takes a process number from the pidfile and kills it. The restart function calls the stop and start functions in succession to restart.

3) Daemon Service: The class MyDaemon is defined in the Daemon module and inherits the Daemon class in the scar-library. It starts the honeypot core service when the instance is in operation. In the main function, an instance of the class MyDaemon is created. The start of the honeypot daemon and the core of the honeypot are controlled by the corresponding functions of the instance. The class PotCore is also defined to provide an interface to the daemon externally. The main function is invoked through the subprocess.Popen function. That is, the external caller does not use the instance of the class MyDaemon directly but the instance of PotCore; the instance of PotCore calls the instance of MyDaemon through its own method to implement the indirect call.

4) Honeypot Monitor: The Honeypot Monitor module calls the timer-handle-web-detect-fun function to check the honeypot function. This function regularly accesses the honeypot simulation service, detects its running state, identifies exceptions such as timeouts and connection errors, and calls the PotCore class object to restart the honeypot when an exception occurs. The start-service interface is also provided for external calls.

5) Other Modules: The configuration module is the honeypot configuration file, which defines some parameters and reduces the workload of secondary development. Specifically, it includes the honeypot name, log output directory, honeypot core, honeypot self-check delay, and self-check cycle.

main.py is the entry of the entire honeypot framework. It calls the start method of the PotCore class instance to open the daemon and then calls the self-check.start-service function of pot-monitor to start the SOAP service self-check. Tc.sh calls the tc tool to limit traffic and prevent the honeypot from being compromised by DDoS attacks. main.py is called in this research and is the outermost entrance of the honeypot.

C. High Interactive Honeypot

The medium-high interactive honeypot described in the previous section simulates the SOAP protocol based on WSGI. However, when the simulated protocol fails to process a request, an attacker is likely to interrupt the connection because the expected response is not received. Consequently, the honeypot fails to capture the subsequent injection code and malicious sample. Therefore, a high interactive honeypot is developed that uses a completely realistic, exploitable IoT firmware to handle the requests that cannot be processed by the medium-high interactive emulation honeypot. Moreover, running the captured malicious samples is possible because its services are complete.

The QEMU environment is used to boot the kernel file vmlinux-2.6.32-5-4kc-malta with the disk image debian-squeeze-mips-standard.qcow2. After booting successfully, the change root (chroot) command is used to switch the root directory and run the UPnP and mic services. It provides the same SOAP service as a real-world vulnerable IoT device. The device-firmware-based SOAP service honeypot can be implemented by adding the request record and sample download modules described above to the system.

D. Multi-port Honeypot

The SOAP vulnerability involves UPnP's device architecture, the SOAP service, and the HTTP protocol, and attackers use multiple ports to attack. To collect these samples, we obtain the banner information of several IoT devices affected by the vulnerability by collecting IoT device information. The banner is used to match the device type and select the response content for the malicious request. Table IV describes the device information.

TABLE IV
LOG FORMAT

Port Number   Banner                                                            Device File
2048          Net-OS 5.xx UPnP/1.0                                              gatedesc.xml
3183          Net-OS 5.xx UPnP/1.0                                              gatedesc.xml
5000          nginx                                                             desc-DSM-eth0.xml
5000          Linux/2.6.12 UPnP/1.0 NETGEAR-UPNP/1.0                            Public-UPNP-gatedesc.xml
5000          1.11.0-R UPnP/1.0 MiniUPnPd/1.4                                   rootDesc.xml
5500          Tenda UPnP/1.0 miniupnpd/1.0                                      rootDesc.xml
5555          RomPager/4.07 UPnP/1.0                                            DeviceDescription.xml
35510         Net-OS 5.xx UPnP/1.0                                              gatedesc.xml
49152         Linux/2.6.32.11, UPnP/1.0, Portable SDK for UPnP devices/1.6.6    gatedesc.xml
52869         ipos/7.0 UPnP/1.0 TL-WR841N/11.0                                  igd.xml
52869         miniupnpd/1.5 UPnP/1.5                                            picsdesc.xml
52881         OS 1.0 UPnP/1.0 Realtek/V1.3                                      simplecfg.xml
54147         Net-OS 5.xx UPnP/1.0                                              gatedesc.xml
55567         Net-OS 5.xx UPnP/1.0                                              gatedesc.xml

To implement the multi-port honeypot, this research adopts the threading module to achieve multi-threaded operation. Then, any port can return the IoT device configuration file according to the given fingerprint information to simulate the real device service.
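The Daemon, PotCore and monitor behaviour of items 2) to 4) above, as an added example that is not the paper's code: a pidfile-guarded Daemon base class and a timer-driven ServiceMonitor that restarts the service after repeated failed probes. The names ServiceMonitor, probe, restart and max_failures are this example's own, and it assumes a POSIX host.

```python
# Added example (not the paper's code): a pidfile-guarded Daemon base class and a
# timer-driven self-check monitor in the shape items 2) to 4) describe. ServiceMonitor
# and its probe/restart callables are this example's own names.
import atexit
import os
import signal
import sys
import threading

class Daemon:
    def __init__(self, pidfile="/tmp/tmp.pid"):   # default taken from the paper
        self.pidfile = pidfile

    def running_pid(self):
        """Pid recorded in the pidfile if that process is alive, else None."""
        try:
            with open(self.pidfile) as f:
                pid = int(f.read().strip())
            os.kill(pid, 0)            # signal 0 only tests for existence
        except (OSError, ValueError):  # no file, bad content, or no such process:
            return None                # a stale pidfile must not block a restart
        return pid

    def _remove_pidfile(self):
        try:
            os.remove(self.pidfile)
        except OSError:
            pass

    def daemonize(self):
        if self.running_pid() is not None:
            raise SystemExit(f"{self.pidfile} exists and its process is alive")
        if os.fork():                  # first fork: the parent returns to the shell
            os._exit(0)
        os.setsid()
        if os.fork():                  # second fork: give up session leadership
            os._exit(0)
        sys.stdout.flush()
        sys.stderr.flush()
        null = os.open(os.devnull, os.O_RDWR)   # discard the standard streams
        for fd in (0, 1, 2):
            os.dup2(null, fd)
        atexit.register(self._remove_pidfile)                   # cleanup on exit...
        signal.signal(signal.SIGTERM, lambda *_: sys.exit(0))  # ...and on SIGTERM
        with open(self.pidfile, "w") as f:
            f.write(f"{os.getpid()}\n")

    def start(self):
        try:
            self.daemonize()
        except OSError as exc:
            sys.stderr.write(f"daemonize failed: {exc}\n")
            raise SystemExit(1)
        self.run()                     # subclasses start the honeypot core in run()

    def stop(self):
        pid = self.running_pid()
        if pid is not None:
            os.kill(pid, signal.SIGTERM)
        self._remove_pidfile()         # also clears a stale file
        return pid is not None

    def restart(self):
        self.stop()
        self.start()

class ServiceMonitor:
    """Probe the honeypot on a timer; restart it after max_failures misses in a row."""
    def __init__(self, probe, restart, interval=60.0, max_failures=3):
        self.probe, self.restart = probe, restart   # e.g. an HTTP GET of the device
        self.interval, self.max_failures = interval, max_failures   # description file
        self.failures = self.restarts = 0
        self._timer = None

    def check_once(self):
        if self.probe():
            self.failures = 0
            return "ok"
        self.failures += 1             # timeouts and connection errors both land here
        if self.failures < self.max_failures:
            return "failing"
        self.failures = 0
        self.restarts += 1
        self.restart()
        return "restarted"

    def start_service(self, delay=0.0):   # first check after delay, then every interval
        def tick():
            self.check_once()
            self._timer = threading.Timer(self.interval, tick)
            self._timer.daemon = True
            self._timer.start()
        self._timer = threading.Timer(delay, tick)
        self._timer.daemon = True
        self._timer.start()

    def stop_service(self):
        if self._timer:
            self._timer.cancel()
```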
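Section D above, as an added example that is not the authors' implementation: a Python multi-port honeypot with one listener thread per Table IV port, answering with that port's banner and device file and writing one JSON log line per request. The function names, XML bodies, log fields and the 127.0.0.1 bind are this example's assumptions; the banners and file names come from Table IV.

```python
# Added example (not the paper's code): a threaded multi-port honeypot that answers
# on each Table IV port with that device's banner and description file and logs every
# request as one JSON line. Names, XML bodies, log fields and the localhost bind are mine.
import json
import socket
import threading
from datetime import datetime, timezone

# port -> (Server banner, device description file), copied from Table IV; where the
# table lists two devices on one port (5000, 52869) the first row is used.
FINGERPRINTS = {
    2048: ("Net-OS 5.xx UPnP/1.0", "gatedesc.xml"),
    3183: ("Net-OS 5.xx UPnP/1.0", "gatedesc.xml"),
    5000: ("nginx", "desc-DSM-eth0.xml"),
    5500: ("Tenda UPnP/1.0 miniupnpd/1.0", "rootDesc.xml"),
    5555: ("RomPager/4.07 UPnP/1.0", "DeviceDescription.xml"),
    35510: ("Net-OS 5.xx UPnP/1.0", "gatedesc.xml"),
    49152: ("Linux/2.6.32.11, UPnP/1.0, Portable SDK for UPnP devices/1.6.6", "gatedesc.xml"),
    52869: ("ipos/7.0 UPnP/1.0 TL-WR841N/11.0", "igd.xml"),
    52881: ("OS 1.0 UPnP/1.0 Realtek/V1.3", "simplecfg.xml"),
    54147: ("Net-OS 5.xx UPnP/1.0", "gatedesc.xml"),
    55567: ("Net-OS 5.xx UPnP/1.0", "gatedesc.xml"),
}

def parse_request(raw):
    """Request line, lower-cased headers and the verbatim body (the evidence)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "path": parts[1] if len(parts) > 1 else "",
            "headers": headers, "body": body}

def read_request(conn, limit=1 << 16):
    """Read up to the blank line, then as much body as Content-Length declares."""
    raw = b""
    while b"\r\n\r\n" not in raw and len(raw) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        raw += chunk
    req = parse_request(raw)
    want = min(int(req["headers"].get("content-length", "0") or 0), limit)
    while len(req["body"]) < want:
        chunk = conn.recv(4096)
        if not chunk:
            break
        req["body"] += chunk
    return req

def build_response(port, req):
    """Answer as the fingerprinted device on this port would."""
    banner, desc_file = FINGERPRINTS[port]
    if req["method"] == "GET" and req["path"].lstrip("/") == desc_file:
        status = "200 OK"       # constructed stand-in for the captured device file
        body = b'<?xml version="1.0"?><root><device><friendlyName>' + desc_file.encode() + b"</friendlyName></device></root>"
    elif req["method"] == "POST":   # SOAP action: an empty envelope keeps the client
        status = "200 OK"           # talking; the paper hands these to the emulator
        body = b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body/></s:Envelope>'
    else:
        status, body = "404 Not Found", b""
    head = (f"HTTP/1.1 {status}\r\nServer: {banner}\r\nContent-Type: text/xml\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return head.encode() + body

def log_record(port, peer, req):
    """One JSON line per request: who hit which simulated device, with what."""
    return json.dumps({
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": f"{peer[0]}:{peer[1]}", "port": port, "banner": FINGERPRINTS[port][0],
        "method": req["method"], "path": req["path"],
        "user_agent": req["headers"].get("user-agent", ""),
        "soapaction": req["headers"].get("soapaction", ""),
        "body": req["body"].decode("latin-1")}, sort_keys=True)

def handle(conn, peer, port, sink):
    with conn:
        conn.settimeout(5.0)        # a silent client must not pin a thread
        try:
            req = read_request(conn)
            sink(log_record(port, peer, req))
            conn.sendall(build_response(port, req))
        except (OSError, ValueError):   # timeout, reset, or garbage Content-Length
            return

def serve(ports=FINGERPRINTS, sink=print, bind="127.0.0.1"):
    """One accept loop per port on its own thread (the paper's threading design)."""
    def accept_loop(port):
        srv = socket.create_server((bind, port), backlog=32)
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=handle, args=(conn, peer, port, sink), daemon=True).start()
    for port in ports:
        threading.Thread(target=accept_loop, args=(port,), daemon=True).start()
```

Call serve() from a script that then blocks (for example on threading.Event().wait()); the sink receives the JSON lines, so a file writer or a forwarder to the honeynet control center can replace print.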
V. C ONCLUSION
Fig. 5. Analysis for captured scan behaviors On the basis of the CVE-2017-17215 vulnerability exploited
by large-scale botnets, we develop a medium-high interaction
honeypot, which can implement SOAP service interaction, log
Russia
India
recording, sample download, and service self-check. For the
Japan request that the honeypot could not be processed, a high-
France interaction honeypot based on real firmware is designed.
USA Moreover, to expand the processing capability of the honeynet,
Italy
the multi-port honeypot is developed using the most exposed
SOAP service port in 2018, and we simulate different types of
IoT devices. Finally, the rapid deployment of the honeynet is
achieved by packaging the honeypot as a Docker image. The
honeynet system has been on stable operation for nearly half
a year in 2019, providing a large number of logs, malicious
samples, and other materials.
Fig. 6. Analysis for captured inject behaviors Owing to the timeliness of vulnerabilities, a necessity arises
to carry out ongoing track and research of IoT vulnerabilities,
security incidents, and analysis of hacker attacks. In terms
A total of 332 different IPs are observed to scan and of honeynet, the intelligence and automation of the system
inject the honeypot. As shown in Fig.5, the source IPs of require further strengthening as well as efficiency.
scan behaviors are shown, and the most scan behaviors are
from Japan. Fig.6 the distribution of countries for injecting R EFERENCES
behaviors, and most inject attacks are from the US. Nine IPs [1] Pa Y M P, Suzuki S, Yoshioka K, et al. IoTPOT: Analysing the Rise of
are identified in the suspect sample download center or C2 IoT Compromises. USENIX WOOT 2015. USENIX Association, 2015.
[2] Nguyen H T, Franke K. Adaptive Intrusion Detection System via Online
server found in the records, which are from different countries. Learning. International Conference on Hybrid Intelligent Systems. IEEE,
Apart from these IPs, the honeypot also captures a threat 2013:271-277.
domain named cnc.arm7plz.xyz. Fig.7 shows the distribution [3] Provos N. A Virtual Honeypot Framework. USENIX Security Sympo-
sium. 2004, 173(2004):1-14.
of these servers, and most servers are deployed in the USA. [4] Baecher P, Koetter M, Holz T, et al. The nepenthes platform: An
Honeypots download several IoT malicious samples from efficient approach to collect malware. International Workshop on Recent
these servers. These samples were not captured by VT during Advances in Intrusion Detection. Springer, Berlin, Heidelberg, 2006:
165-184.
capture, indicating that honeypots can capture the latest threats [5] Nepenthes Development Team. Dionaea. http://dionaea.carnivore.it/,
2011-05-15.
[6] Rist L, Vetsch S, Kossin M, et al. Know your tools: Glastopf-a dynamic,
low-interaction web application honeypot. The Honeynet Project, 2010,
Russia 4.
Japan [7] Honeywell project. Know Your Enemy: Learning about Security Threats.
USA Addison Wesley, 2004.
UK [8] Curran K, Morrissey C, Fagan C, et al. Monitoring hacker activity with
Italy a Honeynet. International Journal of Network Management, ACM, 2005,
15(2):123-134.
[9] Shuangshuang H. Honeynet-based attack analysis [D]. Beijing Univer-
sity of Posts and Telecommunications, 2015.
[10] Agrawal N, Tapaswi S. Wireless Rogue Access Point Detection Using
Shadow Honeynet. Wireless Personal Communications, Springer, 2015,
83(1):551-570.
[11] Pa Y M P, Suzuki S, Yoshioka K, et al. IoTPOT: A Novel Honeypot
for Revealing Current IoT Threats. Journal of Information Processing,
2016, 24(3):522-533.
[12] Anirudh M, Thileeban S A, Nallathambi D J. Use of honeypots for mit-
igating DoS attacks targeted on IoT networks. International Conference
Fig. 7. Sever distribution of malicious samples on Computer, Communication and Signal Processing. IEEE, 2017:1-4.
2327-4662 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2019.2956173, IEEE Internet of
Things Journal
Weizhe Zhang is currently a professor in the School of Computer Science and Technology at Harbin Institute of Technology, China, and director of the Cyberspace Security Research Center, Pengcheng Laboratory, Shenzhen, China. His research interests are primarily in cyberspace security, cloud computing, and high-performance computing. He has published more than 130 academic papers in journals, books, and conference proceedings. He is a senior member of the IEEE and a lifetime member of the ACM.
Bin Zhang received his Ph.D. degree from the Department of Computer Science and Technology, Tsinghua University, China, in 2012. He worked as a postdoctoral researcher at the Nanjing Telecommunication Technology Institute from 2014 to 2017. He is now a researcher in the Cyberspace Security Research Center of Peng Cheng Laboratory. He has published more than 30 papers in refereed international conferences and journals. His current research interests focus on network anomaly detection, Internet architecture and its protocols, network traffic measurement, and information privacy security.
Ying Zhou received a bachelor's degree in computer science and technology from Dalian University of Technology in 2016, and a master's degree in computer science and technology from Harbin Institute of Technology in 2019. She has been working at Peng Cheng Laboratory, Shenzhen, China, since 2019.
Hui He is a Ph.D. supervisor in the School of Computer Science and Technology, Harbin Institute of Technology. She is a member of the IEEE, ACM and CCF. She conducts research in network and information technology, big data processing and analysis, and mobile network computing. She has published more than fifty scientific papers. She has completed many projects, including National High Technology Research and Development Program and National Science Foundation projects. She has won two second prizes of the Provincial Science and Technology Progress Awards.
Zeyu Ding received a bachelor's degree from Harbin Engineering University in 2017, and a master's degree from Harbin Institute of Technology in 2019. His research direction is cyberspace security.