Attack Detection and Forensics Using Honeypot in IoT Environment
The Internet of Things (IoT) is a collection of tiny devices deployed with sensors. IoT automates embedded devices and controls them over the Internet. Ubiquitous deployment of IoT introduces a vision for the next generation of the Internet where users, computing systems, and everyday objects possessing sensing and actuating capabilities cooperate with unprecedented convenience and economic benefits. Due to the increased usage of IoT devices, the IoT networks are vulnerable to various security attacks by remote login (like SSH and Telnet). This paper focuses on capturing the attacks on IoT devices using Cowrie honeypot. We employ various machine learning algorithms, namely, Naive Bayes, J48 decision tree, Random Forest and Support Vector Machine (SVM) to classify these attacks. This research classifies attacks into various categories such as malicious payload, SSH attack, XOR DDoS, Spying, Suspicious and clean. Feature selection is carried out using subset evaluation and best first search. Once features are selected, we use the proposed SVM model and evaluate its performance with baseline models like Random Forest, Naive Bayes, J48 decision tree. The trained model’s fitness is evaluated on the basis of various metrics such as accuracy, sensitivity, precision, and F-score, where accuracy varies from 67.7% to 97.39%. This work exhibits the inclusion of machine learning module to classify attacks by analyzing the exhibit behavior. In the end, we discuss our observations of honeypot forensics over the commands executed by the attacker to execute malicious attack.
KeywordsHoneypot Machine learning Honeypot forensics Behavior analysis
This work was supported by Department of Electronics and Information Technology (DeitY), Govt. of India and Netherlands Organization for Scientific research (NWO), Netherlands.
- 2.Fan, W., Du, Z., Fernández, D., Villagrá, V.A.: Enabling an anatomic view to investigate honeypot systems: a survey. IEEE Syst. J. (2017)Google Scholar
- 3.Fraunholz, D., Krohmer, D., Anton, S.D., Schotten, H.D.: Investigation of cyber crime conducted by abusing weak or default passwords with a medium interaction honeypot. In: 2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security), pp. 1–7. IEEE (2017)Google Scholar
- 4.Fraunholz, D., Zimmermann, M., Hafner, A., Schotten, H.D.: Data mining in long-term honeypot data. In: 2017 IEEE International Conference on Data Mining Workshops (ICDMW), pp. 649–656. IEEE (2017)Google Scholar
- 5.Kuman, S., Groš, S., Mikuc, M.: An experiment in using IMUNES and Conpot to emulate honeypot control networks. In: Information and Communication Technology, Electronics and Microelectronics (MIPRO), pp. 1262–1268. IEEE (2017)Google Scholar
- 7.Lin, Y.-D., Lee, C.-Y., Wu, Y.-S., Ho, P.-H., Wang, F.-Y., Tsai, Y.-L.: Active versus passive malware collection. Computer 47(4), 59–65 (2014)Google Scholar
- 8.Mushtakov, R.E., Silnov, D.S., Tarakanov, O.V., Bukharov, V.A.: Investigation of modern attacks using proxy honeypot. In: 2018 IEEE Conference of Russian Young Researchers in Electrical and Electronic Engineering (EIConRus), pp. 86–89. IEEE (2018)Google Scholar
- 10.Sadasivam, G.K., Hota, C., Anand, B.: Classification of SSH attacks using machine learning algorithms. In: 2016 6th International Conference on IT Convergence and Security (ICITCS), pp. 1–6. IEEE (2016)Google Scholar