Attack Detection and Forensics Using Honeypot in IoT Environment

  • Rajesh Kumar ShrivastavaEmail author
  • Bazila Bashir
  • Chittaranjan Hota
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11319)


The Internet of Things (IoT) is a collection of tiny devices deployed with sensors. IoT automates embedded devices and controls them over the Internet. Ubiquitous deployment of IoT introduces a vision for the next generation of the Internet where users, computing systems, and everyday objects possessing sensing and actuating capabilities cooperate with unprecedented convenience and economic benefits. Due to the increased usage of IoT devices, the IoT networks are vulnerable to various security attacks by remote login (like SSH and Telnet). This paper focuses on capturing the attacks on IoT devices using Cowrie honeypot. We employ various machine learning algorithms, namely, Naive Bayes, J48 decision tree, Random Forest and Support Vector Machine (SVM) to classify these attacks. This research classifies attacks into various categories such as malicious payload, SSH attack, XOR DDoS, Spying, Suspicious and clean. Feature selection is carried out using subset evaluation and best first search. Once features are selected, we use the proposed SVM model and evaluate its performance with baseline models like Random Forest, Naive Bayes, J48 decision tree. The trained model’s fitness is evaluated on the basis of various metrics such as accuracy, sensitivity, precision, and F-score, where accuracy varies from 67.7% to 97.39%. This work exhibits the inclusion of machine learning module to classify attacks by analyzing the exhibit behavior. In the end, we discuss our observations of honeypot forensics over the commands executed by the attacker to execute malicious attack.


Honeypot Machine learning Honeypot forensics Behavior analysis 



This work was supported by Department of Electronics and Information Technology (DeitY), Govt. of India and Netherlands Organization for Scientific research (NWO), Netherlands.


  1. 1.
    Brankovic, A., Falsone, A., Prandini, M., Piroddi, L.: A feature selection and classification algorithm based on randomized extraction of model populations. IEEE Trans. Cybern. 48(4), 1151–1162 (2018)CrossRefGoogle Scholar
  2. 2.
    Fan, W., Du, Z., Fernández, D., Villagrá, V.A.: Enabling an anatomic view to investigate honeypot systems: a survey. IEEE Syst. J. (2017)Google Scholar
  3. 3.
    Fraunholz, D., Krohmer, D., Anton, S.D., Schotten, H.D.: Investigation of cyber crime conducted by abusing weak or default passwords with a medium interaction honeypot. In: 2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security), pp. 1–7. IEEE (2017)Google Scholar
  4. 4.
    Fraunholz, D., Zimmermann, M., Hafner, A., Schotten, H.D.: Data mining in long-term honeypot data. In: 2017 IEEE International Conference on Data Mining Workshops (ICDMW), pp. 649–656. IEEE (2017)Google Scholar
  5. 5.
    Kuman, S., Groš, S., Mikuc, M.: An experiment in using IMUNES and Conpot to emulate honeypot control networks. In: Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1262–1268. IEEE (2017)Google Scholar
  6. 6.
    Levine, J.G., Grizzard, J.B., Owen, H.L.: Using honeynets to protect large enterprise networks. IEEE Secur. Priv. 2(6), 73–75 (2004)CrossRefGoogle Scholar
  7. 7.
    Lin, Y.-D., Lee, C.-Y., Wu, Y.-S., Ho, P.-H., Wang, F.-Y., Tsai, Y.-L.: Active versus passive malware collection. Computer 47(4), 59–65 (2014)Google Scholar
  8. 8.
    Mushtakov, R.E., Silnov, D.S., Tarakanov, O.V., Bukharov, V.A.: Investigation of modern attacks using proxy honeypot. In: 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), pp. 86–89. IEEE (2018)Google Scholar
  9. 9.
    Paradise, A., et al.: Creation and management of social network honeypots for detecting targeted cyber attacks. IEEE Trans. Comput. Soc. Syst. 4(3), 65–79 (2017)CrossRefGoogle Scholar
  10. 10.
    Sadasivam, G.K., Hota, C., Anand, B.: Classification of SSH attacks using machine learning algorithms. In: 2016 6th International Conference on IT Convergence and Security (ICITCS), pp. 1–6. IEEE (2016)Google Scholar
  11. 11.
    Zanella, A., Bui, N., Castellani, A., Vangelista, L., Zorzi, M.: Internet of things for smart cities. IEEE Internet Things J. 1(1), 22–32 (2014)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Rajesh Kumar Shrivastava
    • 1
    Email author
  • Bazila Bashir
    • 1
  • Chittaranjan Hota
    • 1
  1. 1.Birla Institute of Technology and Science-PilaniHyderabadIndia

Personalised recommendations