Optimizing IoT Cyber Attack Analytics with Adaptive Honeynets

Seamus Dowling

Discipline of IT, College of Engineering & Informatics, NUI Galway, Galway, Ireland

Keywords: Mathematics and Statistics; Computer Science and Information Technology

Abstract

Honeypots are deployed to capture cyber attack data for analysis of attacker behaviour. Understanding this behaviour informs the implementation of more robust security measures. Honeypots and honeynets are developed and deployed on different attack vectors to capture data. Large volumes of information can result from a honeypot deployment, often obscuring relevant attack behaviour. This extended abstract summarises ongoing research into honeynet deployments and cyber attack analytics. It presents analysis and results from a large dataset collected by a bespoke IoT honeypot. It proposes a new data-centric framework for honeynet development, which can target specific attack behaviour and improve data collection and analytics.

1. Introduction

A honeypot is an analytical tool first and foremost. It is deceptive, and its role is to collect attack information. This information can be analysed retrospectively to determine the modus operandi of attackers. Honeypots can lure an attacker from one honeypot to another, forming a honeynet. A honeynet provides the mechanism to detain an attacker for longer, gaining more insight into attack behaviour. Spitzner defined a ‘honeypot’ as a ‘security resource whose value lies in being probed, attacked or compromised’ [1]. Honeypots have evolved to meet the changing landscape of cyber threats. Recently, Internet of Things (IoT) environments have attracted bots and malicious code targeting IoT end devices [2]. This extended abstract summarises the development and deployment of a honeypot targeting IoT malware. It also analyses the large dataset collected by the honeypot. During its deployment, over 6 million lines of malicious activity were captured in 367 log files. The analysis and subsequent papers on a) attack types and b) temporal variances are summarised in Sections 2 and 3 respectively. Analysis of this dataset was made more difficult by the inadvertent capture of irrelevant malware on the SSH attack vector; R programming and Linux scripting were required to remove irrelevant data and categorise the remaining attacks. To improve data collection, Section 4 presents research and the subsequent paper, which proposes a data-centric model and framework for adaptive honeynet development. It categorises and validates smart objects for a smart city system against this framework and demonstrates the decision-making process for an adaptive honeynet. This framework can be used to create honeynets that proactively assess specific cyberattack behaviour.

2. ZigBee Honeypot to assess IoT Cyberattack Behaviour

The explosion of IoT deployments provides more opportunity for malware compromise. ZigBee is one wireless technology utilised in IoT. A “zigbee-gateway” honeypot, with ZigBee communications simulated using embedded honeytokens [3], was designed on a Kippo distribution and deployed on an SSH attack vector. There were 31328 command attempts and 5368 downloads on the honeypot, all of which Kippo recorded and stored. By sandboxing the downloaded files, observing shell interactions and consulting threat advisories, it was possible to identify different attack types. These attack types are presented in Fig. 1.

Figure 1. Honeypot attack types.

Automated attack types were collated, identified and examined. Individual random attacks exhibited obvious human cognition and were also collated and examined. Dictionary, Recon, Failed and Launch attacks did not present any ZigBee-specific knowledge: Dictionary attacks continuously probed with username/password combinations; Failed attacks made an initial connection but failed on authentication and generated a different log pattern; Recon checked for SFTP capabilities; Launch was a generic command requesting an IP flood against a victim IP.

The Bruteforce and Botnet attack types provided better material for examination. The downloaded files were sandboxed and the scripts were analysed. They demonstrated automated methods to gather information on variables such as compilers, CPU and operating system. Depending on these variables, they either reported back to a command and control server or attempted to download and install further files. Both treated the honeypot primarily as an SSH device and concentrated on compromising it in that regard. Individual attacks did show interest in the honeytokens and attempted to manipulate them, but the small numbers involved suggest a general interest in the files rather than any specific knowledge of ZigBee networks. The resulting paper from this research has been submitted to the IEEE-sponsored Irish Signals and Systems Conference [4].

3. Using Analysis of Temporal Variances within a Honeypot Dataset to better predict Attack Type Probability

The honeypot outlined in Section 2 was located in the GMT time zone, and the dataset was analysed for temporal variances. Fig. 2 depicts the locations of all attack sources along with the quantities and temporal variances (blue line) associated with all attacks.

Figure 2. Attack temporal variances

Section 2 identified the attack types in the dataset. Dictionary attacks were responsible for nearly 94% of all honeypot activity, as they continuously tried to compromise the honeypot with sequential usernames and passwords. Kippo recorded the Dictionary attacks, but the events do not provide any further information for analysis. They distort the legitimate ‘Failed’ attack attempts and were therefore removed from the dataset. The remaining types were extracted and evaluated as individual data subsets. From these subsets it was possible to ascertain the date and time stamp of each attack and generate a temporal variance per attack type. The probability of an occurrence of one attack type relative to the others, at a particular hour, was then calculated (Fig. 3).

Figure 3. Probability of attack occurrence per hour

To test these probabilities, 240 random attacks were taken from the dataset, representing 10 samples for each of the 24 hours. These 240 samples were examined for their attack type, collated, and compared favourably with the probabilities associated with Fig. 6. Automating and scheduling the process daily could dynamically keep the honeypot relevant. A honeypot could use this process to adopt different security levels for certain times of the day, collecting more relevant data without compromising itself or accidentally contributing to further attacks. The resulting paper from this research was presented at the IEEE-sponsored World Congress on Internet Security 2016 [5].
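As an added illustration of the Section 3 procedure (example code written for this summary, not the authors' R or Linux scripts), the following Python drops the uninformative Dictionary events, computes the probability of each remaining attack type per hour, and re-checks the result with a per-hour sample in the manner of the 240-attack test. The one-line "timestamp attack_type" log format and the constructed events are assumptions; Kippo's real log layout differs.

```python
import random
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Kippo-style events ("timestamp attack_type"), not the paper's dataset.
SAMPLE_LOG = """\
2016-03-01 02:14:05 Dictionary
2016-03-01 02:20:31 Recon
2016-03-01 02:41:12 Failed
2016-03-01 02:55:48 Recon
2016-03-01 14:03:17 Dictionary
2016-03-01 14:10:02 Botnet
2016-03-01 14:22:40 Bruteforce
2016-03-01 14:37:55 Botnet
2016-03-01 14:51:09 Botnet
2016-03-02 02:05:33 Launch
"""

def parse_events(log_text):
    """Return (hour, attack_type) pairs from 'YYYY-MM-DD HH:MM:SS type' lines."""
    events = []
    for line in log_text.splitlines():
        stamp, kind = line.rsplit(" ", 1)
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").hour, kind))
    return events

def hourly_type_probability(events, exclude=("Dictionary",)):
    """P(attack type | hour) after dropping uninformative types (Dictionary by default)."""
    counts = defaultdict(Counter)
    for hour, kind in events:
        if kind not in exclude:
            counts[hour][kind] += 1
    return {h: {k: n / sum(c.values()) for k, n in c.items()} for h, c in counts.items()}

def most_likely_type(probs, hour):
    """Most probable attack type for the hour, or None when no informative data exists."""
    return max(probs[hour], key=probs[hour].get) if hour in probs else None

def validate(probs, events, per_hour=10, seed=1):
    """Sample up to per_hour informative events per hour (10 in the paper) and return the fraction whose type matches the hour's most likely type."""
    rng, by_hour, hits, total = random.Random(seed), defaultdict(list), 0, 0
    for hour, kind in events:
        if kind in probs.get(hour, {}):          # skips excluded types and empty hours
            by_hour[hour].append(kind)
    for hour, kinds in by_hour.items():
        for kind in rng.sample(kinds, min(per_hour, len(kinds))):
            hits += kind == most_likely_type(probs, hour)
            total += 1
    return hits / total if total else 0.0
```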

4. Data-Centric Framework for Adaptive Smart City Honeynets

Smart cities provide authorities with the ability to manage city infrastructure and services more efficiently, for the betterment of their citizens. The implementation of IoT concepts into all elements of city living brings great benefits but also great risks. Millions of deployed smart devices and sensors will process large volumes of data, collecting, collating and transmitting it over wired and wireless media. For malware developers, this dramatically increases the number of devices that can be compromised and the number of attack vectors that can be used. Honeypots have traditionally been used to capture this malware, to analyse how it works and to give insight into the modus operandi of its developers and of cyber attackers. The diversity of smart objects requires a new framework for the development of smart city honeynets. This research examined existing models of honeynet development. It improved upon the development model by taking a data-centric view of smart objects and creating a new framework based on this view (Fig. 4).

Figure 4: Framework for Smart City Honeynets

The research validated the new framework by categorizing smart objects according to the data-centric model and presented examples of protocols and objects for each category. It also identified the adaptive functionality of the decision making process for honeynets developed using this framework. This framework can be used to create adaptive honeynets that proactively assess specific cyberattack behaviour on smart cities, producing better datasets for analysis. The resulting paper from this research has been submitted to Smart Cities Symposium Prague 2017 [6].

5. References

[1] Spitzner, L., 2003. Honeypots: Tracking Hackers (Vol. 1). Reading: Addison-Wesley.
[2] Yin Minn Pa, 2015. “IoTPOT: Analysing the Rise of IoT Compromises”, 9th USENIX Workshop on Offensive Technologies.
[3] Spitzner, L., 2003. “Honeytokens: The Other Honeypot”. [Online] http://www.securityfocus.com/infocus/1713
[4] Irish Signals and Systems Conference. [Online] Available: http://www.issc.ie/site/view/7/home/
[5] Dowling, S., Schukat, M., Melvin, H. “Using analysis of temporal variances within a honeypot dataset to better predict attack type probability”, Proceedings of the IEEE World Congress on Internet Security (WorldCIS 2016), in press.
[6] Smart Cities Symposium Prague. [Online] Available: http://akce.fd.cvut.cz/en/scsp2017