Detection of Threats to IoT Devices using Scalable VPN-forwarded Honeypots

Attacks on Internet of Things (IoT) devices, exploiting inherent vulnerabilities, have intensified over the last few years. Recent large-scale attacks, such as Persirai, Hakai, etc. corroborate concerns about the security of IoT devices. In this work, we propose an approach that allows easy integration of commercial off-the-shelf IoT devices into a general honeypot architecture. Our approach projects a small number of heterogeneous IoT devices (that are physically at one location) as many (geographically distributed) devices on the Internet, using connections to commercial and private VPN services. The goal is for those devices to be discovered and exploited by attacks on the Internet, thereby revealing unknown vulnerabilities. For detection and examination of potentially malicious traffic, we devise two analysis strategies: (1) given an outbound connection from honeypot, backtrack into network traffic to detect the corresponding attack command that caused the malicious connection and use it to download malware, (2) perform live detection of unseen URLs from HTTP requests using adaptive clustering. We show that our implementation and analysis strategies are able to detect recent large-scale attacks targeting IoT devices (IoT Reaper, Hakai, etc.) with overall low cost and maintenance effort.

[1]  Georgios Kambourakis,et al.  DDoS in the IoT: Mirai and Other Botnets , 2017, Computer.

[2]  Earlence Fernandes,et al.  Security Analysis of Emerging Smart Home Applications , 2016, 2016 IEEE Symposium on Security and Privacy (SP).

[3]  Roksana Boreli,et al.  Network-level security and privacy control for smart-home IoT devices , 2015, 2015 IEEE 11th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob).

[4]  Towards a definition of the Internet of Things ( IoT ) , 2015 .

[5]  Thommen George Karimpanal,et al.  Identification and off-policy learning of multiple objectives using adaptive clustering , 2017, Neurocomputing.

[6]  Dale C. Rowe,et al.  A survey SCADA of and critical infrastructure incidents , 2012, RIIT '12.

[7]  Roksana Boreli,et al.  Smart-Phones Attacking Smart-Homes , 2016, WISEC.

[8]  Tongbo Luo,et al.  IoTCandyJar : Towards an Intelligent-Interaction Honeypot for IoT Devices , 2017 .

[9]  Tsutomu Matsumoto,et al.  IoTPOT: A Novel Honeypot for Revealing Current IoT Threats , 2016, J. Inf. Process..

[10]  Felix C. Freiling,et al.  Learning More about the Underground Economy: A Case-Study of Keyloggers and Dropzones , 2009, ESORICS.

[11]  Iyatiti Mokube,et al.  Honeypots: concepts, approaches, and challenges , 2007, ACM-SE 45.

[12]  Yuval Elovici,et al.  SIPHON: Towards Scalable High-Interaction Physical Honeypots , 2017, CPSS@AsiaCCS.

[13]  Srinivasan Seshan,et al.  Handling a trillion (unfixable) flaws on a billion devices: Rethinking network security for the Internet-of-Things , 2015, HotNets.

[14]  Salvatore J. Stolfo,et al.  A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan , 2010, ACSAC '10.

[15]  Hsinchun Chen,et al.  Uninvited Connections: A Study of Vulnerable Devices on the Internet of Things (IoT) , 2014, 2014 IEEE Joint Intelligence and Security Informatics Conference.

[16]  Roksana Boreli,et al.  An experimental study of security and privacy risks with emerging household appliances , 2014, 2014 IEEE Conference on Communications and Network Security.

[17]  Daniel Jeswin Nallathambi,et al.  Use of honeypots for mitigating DoS attacks targeted on IoT networks , 2017, 2017 International Conference on Computer, Communication and Signal Processing (ICCCSP).