IEEE INTERNET OF THINGS JOURNAL, VOL. 7, NO.

5, MAY 2020 3991

An IoT Honeynet Based on Multiport Honeypots

for Capturing IoT Attacks
Weizhe Zhang , Senior Member, IEEE, Bin Zhang, Ying Zhou , Hui He, Member, IEEE, and Zeyu Ding

Abstract—Internet of Things (IoT) devices are vulnerable breach happens in IoT. In 2018, a hacker organization infected
against attacks because of their limited network resources and more than 10 000 IOT devices with two IoT vulnerabilities
complex operating systems. Thus, a honeypot is a good method CVE-2017-17215 and CVE-2014-8361, and they even rented
of capturing malicious requests and collecting malicious samples
but is rarely used on the IoT. Accordingly, this article imple- distributed denial-of-service attack (DDoS) services on the
ments three kinds of honeypots to capture malicious behaviors. darknet. Another botnet named Hide’N Seek (HNS) infected
First, on the basis of the CVE-2017-17215 vulnerability, we imple- nearly 1000 IoT devices by injecting vulnerabilities through
ment a medium-high interaction honeypot that can simulate a several remote commands, which have been disclosed. The
specific series of router UPnP services. It has functions, such botnet named IoTroop drew on part of Mirai (a type of bot-
as service simulation, log recording, malicious sample download,
and service self-check. Second, given the limited details avail- net) and launched three consecutive large-scale DDoS attacks
able for the simulated UPnP service and to help the honeypot on financial institutions on January 28, 2018. Moreover, the
respond to unrecognizable malicious requests, we use the actual MikroTik router has resulted in more than 200 000 devices
IoT device firmware that matches the vulnerability to build a digging without the user’s knowledge due to its firmware
high-interaction honeypot. In addition, we investigate the most vulnerabilities.
exposed SOAP service ports and design corresponding multiport
honeypot to improve the capacity of the honeynet, providing The vulnerabilities and number of IoT devices render
a hybrid service from a real device and simulating honeypots. IoT attacks easier than traditional cyberattacks. Existing IoT
The Docker in the honeynet, which reduces the volume of the devices are vulnerable to various physical attacks [22], [29]
honeypot and realizes the rapid deployment of the honeynet, such as position-based services [32]–[34]. Therefore, studying
encapsulates all these honeypots. Moreover, the honeynet con- lightweight IoT devices as well as communication encryption
trol center is simultaneously designed to distribute commands
and transfer files to each physical node in the honeynet. We schemes is crucial in ensuring their security [23]. The tradi-
implemented the proposed honeynet system and deployed it in tional sandbox and other security protection technologies [31]
practice. We have successfully caught many unknown malicious cannot be realized on the IoT devices because of the limited
attacks excluded in the VT, which proved the effectiveness of the resources of sensor devices and the unreliable system [24].
proposed framework. Consequently, the vulnerability of the system is easily found
Index Terms—Honeypot, honeynet, Internet of Things (IoT), via firmware analysis [25]. It is also vulnerable to side-channel
multiport, SOAP. attacks due to the stability of its equipment location [26].
The security threats to communication networks are domi-
nated by traditional cyberattacks, namely, man-in-the-middle
attacks, data theft and replay, counterfeiting, and so on. In
I. I NTRODUCTION addition, the UPnP, which is extensively used in IoT devices,
HE INTERNET of Things (IoT) promotes smart and con- also brings many vulnerabilities. IoT devices can use DHCP to
T venient living. According to a survey [1], the number of
IoT devices has surpassed 10 billion. However, a huge security
automatically access the Internet and then use the SSDP pro-
tocol to discover devices until the control device completes
the task [28].
Manuscript received September 9, 2019; revised October 24, 2019;
accepted November 22, 2019. Date of publication November 27, 2019; To protect the IoT devices, monitoring the malicious behav-
date of current version May 12, 2020. This work was supported in part ior of the IoT and promptly identifying threats are important.
by the Key Research and Development Program for Guangdong Province We must analyze the malicious behavior, characteristics of
under Grant 2019B010136001, in part by the National Key Research and
Development Plan under Grant 2017YFB0801801, and in part by the National the data, as well as the characteristics of attacks [30], which
Natural Science Foundation of China (NSFC) under Grant 61672186 and require us to obtain malicious samples of the IoT first.
Grant 1872110. (Corresponding author: Weizhe Zhang.) Honeypot and honeynet are the effective methods of capturing
W. Zhang is with the School of Science and Technology, Harbin Institute
of Technology, Harbin 150001, China, and also with the Cyberspace Security malicious requests and collecting malicious behavior samples.
Research Center, Peng Cheng Laboratory, Shenzhen 518000, China (e-mail: Honeypot induces the attack by arranging some hosts, network
[email protected]). services, or information, thereby capturing the attack behavior
B. Zhang and Y. Zhou are with the Cyberspace Security Research
Center, Peng Cheng Laboratory, Shenzhen 518000, China (e-mail: and analyzing the tools and methods adopted by the attacker,
[email protected]; [email protected]). and inferring the attack intention and motivation. The honey-
H. He and Z. Ding are with the School of Science and Technology, Harbin pot can help the defense party clearly understand the security
Institute of Technology, Harbin 150001, China (e-mail: [email protected];
[email protected]). threats and enhance the security protection capability of the
Digital Object Identifier 10.1109/JIOT.2019.2956173 real system.
2327-4662 
c 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 3992 IEEE INTERNET OF THINGS JOURNAL, VOL. 7, NO. 5, MAY 2020

Yegneswaran et al. [15] proposed a situational awareness returns the output. Such proposition avoids the simulation of
model based on honeynet. They deployed a honeynet system the service, reduces the workload of the security personnel,
with MySQL database to save and analyze data, and the and improves the capability of the honeypot to interact with
BRONIDS is used for analysis. After six months of data col- the external network. Accordingly, the current study devel-
lection, the experimental results proved that the system could ops a high-interaction honeypot running real IoT firmware.
detect botnet scanning and worm outbreaks. When the high-interaction simulation honeypot fails to respond
Ma et al. [16] generated a highly personalized and to the attacker’s request, the process is handed over to the
predictive blacklist for each network by sharing historical real honeypot and returns the real output. This article also
attackers, which are captured by honeynets in each network. designed a multiport honeypot, using a multithreaded running
Accordingly, different networks can collaboratively detect new high-interaction honeypot. Then, any port can return the IoT
attackers because of the shared attacker information. The most device configuration file according to the given fingerprint
likely attacker in the future will be identified on the basis information to simulate the real device service. The current
of their attacker’s historical relevance. The defense strategy study proposed a novel architecture of honeypot and honeynet,
undergoes a relatively active realization, and the experimen- with the following contributions.
tal results show that this method can produce an accurate 1) We build interconnected and collaborative honeynet for
blacklist. the IoT network. The system simulates IoT device
Yongli et al. [17] proposed a new honeynet model, BRHNS services to monitor the security status of the IoT in real
(based on Realm Honeynet), to solve the problem of non- time. It can discover and record malicious behaviors and
cooperation and weak real-time performance in honeynet. collect malicious samples of the IoT.
BRHNS utilized the cooperation between Realms and shared 2) In the proposed hybrid honeynet, we develop a medium-
the new intrusion rules. It also updated the intrusion detection high interactive honeypot with a high-interaction honey-
systems (IDS) rule-lib in real time and improved the detec- pot using real firmware services based on the popular
tion efficiency of IDS. Accordingly, it effectively reduced the CVE-2017-17215 vulnerability. Moreover, we design a
workload of honeynet and improved the efficiency of a hon- multiport interactive honeypot on the basis of the most
eynet. The experimental results show that the BRHNS is much exposed SOAP port in 2018.
faster than the formal honeynets. 3) We encapsulate the honeypot with Docker for the
Honeypot captures many attacks that are difficult to handle proposed honeynet to ensure the security of the physical
manually; therefore, some researchers proposed using the data machine and facilitate rapid deployment.
mining techniques to analyze the recorded traffic and extract The remainder of this article is structured as follows. The
useful information. Ghourabi et al. [18] provided a data anal- next section proposes related works. The method section
ysis tool on the basis of the clustering algorithm. The main depicts the proposed honeypots and honeynet. Consecutively,
idea is to extract useful information from data captured by the we dissect the conducted evaluation and activity observed with
honeypot. The data are then clustered by the Density-based the honeynet in the evaluation section. Finally, we conclude
spatial clustering of applications with the Noise algorithm to this article and future outlook in the final section.
classify the captured packets. Then, a human expert verifies
the extracted suspicious packets. This solution is useful for
II. R ELATED WORK
detecting novel routed attacks.
Huang and Zhu [19] indicated that positive interactions A. Honeypot
on the honeynet could yield mature attack samples, but Provos [3] proposed a classic honeypot framework Honeyd;
such honeynet is highly expensive and poses high risks the latter can simulate real computers under the network layer
against the development of the honeynet. Therefore, they as shown in Fig. 1. It consists of the traffic allocation units,
applied the semi-Markov decision process to describe an protocol processing units, and fingerprint matching units. The
attacker’s random transition and their stay time in the hon- traffic allocation units send the packet to an established hon-
eynet. Subsequently, they weighed the rewards and risks. eypot or a default route. The protocol processing units can
Adaptive long-term participation policies have also been simulate the TCP, UDP, and ICMP protocols, and so on. The
developed to demonstrate risk avoidance, cost-effectiveness, fingerprint matching units are used to fight fingerprint identi-
and time efficiency. The numerical results show that this adap- fication tools, which can prevent hackers from discovering the
tive interaction strategy can be used to attract attackers quickly, honeypot. The free IP address of the current network can be
with the capacity to obtain valuable threat information in a regarded as the virtual address of the honeypot, and many
long time with a low penetration rate. honeypots can be deployed on a single host because it is
However, the existing honeynet systems are designed for lightweight.
the traditional Internet and are inappropriate for IoT systems. Baecher et al. [4] proposed another classic honeypot frame-
In addition, owing to the changing form of the attack, we work called Nepentes. Nepenthes stimulates only parts of the
must design a new honeypot to capture the attacks. To cap- protocol instead of a complete one, and it adopts a ShellCode
ture a complete attack and avoid hackers from stopping due detection mechanism to discover the injected malicious code.
to long periods of unresponsiveness, this article proposes a The framework is replaced by Dionaea [5], which is imple-
medium-high interactive honeypot that uses the internal exe- mented via Python language to simulate vulnerability services
cution of the vulnerability service as a black box and only and capture malicious attacks.

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 ZHANG et al.: IoT HONEYNET BASED ON MULTIPORT HONEYPOTS FOR CAPTURING IoT ATTACKS 3993

the radio frequency identification technology as an example, it

converts the semantics of remote procedure call into a reader
query.

B. Honeynet
Reference [7] proposed honeynet due to the limitations of
a single virtual honeypot. The honeynet system is a network
that includes multiple honeypots as well as multiple deploy-
ment nodes. It is a network that consists of behavior recording,
alarm and analysis, management communication, and other
mechanisms. It contains real systems to capture further attacks,
Fig. 1. Work flow of Honeyd. facilitating the understanding of hacker’s attack methods and
security incidents. Artail et al. [35] proposed a hybrid hon-
eynet system to improve the IDS, in which the low- and
Rist et al. [6] developed a Web honeypot called Glastopf, high-interaction honeypots are all deployed to protect the
which attempts to respond directly to the requestors, thus network.
avoiding the simulation of the service and reducing the work- Curran et al. [8] pointed out several major characteristics
load of security personnel. Based on this article, the Glastopf of honeynet.
regards the CVE-2017-17215 vulnerability as a black box, 1) The defects and vulnerabilities in certain areas as well
which shall only respond to the attacker. The limitations of as some unsecurity measures, which easily hold hon-
this method prompt the current research to develop a high- eynet vulnerable to attacks by hackers, frequently exist
interactive honeypot that operates real IoT firmware. When in honeynet.
the medium-high-interaction honeypots cannot respond to an 2) A honeynet is not a service network, thereby rendering
attacker’s request, the process will be handed over to the traffic monitoring in the honeynet system unsafe.
high-interaction honeypot. 3) The honeynet system should be capable of recording
In the field of IoT, scholars have begun to study the honeynet any connections, requests, responses, services, logs, and
system to collect malicious IoT behaviors. Pa et al. [11] simu- so on, for the security personnel to perform subsequent
lated the TELNET login process to create an IoT honeypot that analysis.
attracted TELNET attacks against IoT devices with different 4) Every honeypot in the honeynet system is under strict
CPU architectures. While collecting data through the deployed control; it can be traced and restored.
honeynet, they discovered five different malware families, the 5) Security measures between the honeynet system and the
largest of which can infect up to nine different IoT devices external network must be in place to prevent malicious
with different CPU architectures. Anirudh et al. [12] designed behaviors after the honeypot is compromised.
a honeypot model as a bait for the main server, thereby shift- Moreover, Kevin et al. believed that the honeynet system
ing the DoS attacks in the IoT network and improving the does not need to actively lure attacks, which is conducive to
performance of the IoT device. Hakim et al. [13] introduced ensuring the authenticity of the data obtained by the honeypot.
an IoT honeypot framework based on the UPnP protocol. They For conventional honeynet, many scholars have con-
used device description files to automate honeypots, and they ducted research on intrusion detection and data analysis.
can allow multiple instances to be deployed on a single physi- Shuangshuang [9] proposed an attack behavior analysis
cal machine. we refer to the architecture in [13], select device method based on an attack graph. He used the attack graph
files to make honeypots, and further capture IoT malicious for honeynet security detection and introduced the key element
attacks. Hanson et al. [14] extended the concept of the IoT of network topology; he improved the clustering algorithm to
honeypot and presented a honeynet system with a hybrid of classify the alarms. In addition, he improved the DFS encod-
virtual and real devices. The system used the machine learn- ing technology and migrated it to the field of directed graphs.
ing algorithms for traffic analysis and predicted the opponent’s Finally, Hu synthesized the network and topology information
next activity. to identify the warning information. For data analysis in pro-
Unlike the Internet which is based on the HTTP protocol, tected content, for example, the position-based services and
IoT typically uses a lighter SOAP protocol for exchanging queries are highly dependent on processing speed with con-
information in a distributed computing environment. Dai [20] tent security. Sangaiah et al. [34] used machine learning for
designed and implemented an SOAP-based transaction man- roaming PBS users. Vishwasrao and Sangaiah [33] proposed
agement protocol (TMP), including supported operations, parallel architecture in the position monitoring system, and the
interface definitions for these operations, implementation position confidentiality conserving algorithm is used to protect
structures, and processing of the protocol. SOAP-based TMP the content [32].
can maximize the extensively used technologies, such as Agrawal and Tapaswi [10] proposed a method for moni-
HTTP, XML, and SOAP, and thus can have extensive use. toring rogue wireless access based on a shadow honeynet as
Riedel et al. [21] transformed the lengthy parts binding with shown in Fig. 2. The concept of a shadow honeynet comes
SOAP to the semantics of a specific network platform. Taking from a shadow honeypot, which refers to a copy of the

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 3994 IEEE INTERNET OF THINGS JOURNAL, VOL. 7, NO. 5, MAY 2020

Fig. 3. Composite honeynet system architecture.

Fig. 2. Work principle of shadow honeynet.

center. The script in the control center is used for file distri-
software or system actually intended to be protected. The copy bution and command transfer, the honeypot response message
shares the internal state with the subject. The framework con- is obtained, and it is recorded in the output log. The con-
sists of three parts, namely, a filtering engine, an anomaly trol script uses python multithreaded design to connect to the
sensor, and a shadow honeypot. remote host of the IP list using the paramiko library. The script
In the field of IoT, Oza et al. [36] implemented an authoriza- can realize the function of transferring files and can also use
tion mechanism in honeynet, thereby enabling them to solve the secure shell key to connect to the host and execute the
the issue of man-in-the-middle attacks in IoT. Ammar and given commands to open and close the honeypot as well as
AlSharif [37] proposed a honeyIo3 model in ICS/SCADA monitor the host system.
systems, and it provided the honeypot security tool with high As shown in Fig. 3, the honeynet system deploys honey-
availability; it contained three IoT devices and is implemented pots to multiple physical nodes, where each node supports
using an office router and one public IP address. both single and multihoneypot deployments and a master pro-
The honeynet module in this article focuses on the SOAP gram to manage the honeypots on it. When the medium-high
protocol in the UPnP protocol stack of IoT, which exhibits interaction honeypot cannot resolve the external request, it will
seriousness in terms of security. The CVE-2017-17215 vul- send a request to the master node, and the master node noti-
nerability and the most exposed SOAP port in 2018 are used fies the high-interaction honeypot running the real firmware to
to make honeypots. The latest IoT malicious samples since respond. The control nodes interact with the honeynet nodes
2017 have been collected and rigorously screened. Therefore, so that the honeypots are combined by a single individual into
this article has obtained highly authentic, timely, and valuable a whole honeynet system.
data.
B. Medium-High Interactive Honeypot
III. M ETHODOLOGY
In this section, we develop a honeypot for a router’s remote
To monitor malicious behaviors of the IoT, we proposed a
code injection vulnerabilities, which provide unsecured SOAP
hybrid honeynet as shown in Fig. 3, containing three kinds of
services for device upgrades. This vulnerability can result
honeypots. First, we designed a medium-high interactive hon-
in unauthorized access and remote code injection. It can be
eypot. Second, we designed a high-interactive honeypot that
utilized to execute arbitrary commands remotely by send-
provides real service; hence, a mixed service of real equip-
ing a specially constructed request packet to the port 37215
ment and simulated honeypot are formed. Third, for the most
monitored by the UPnP service of routers.
exposed SOAP ports in 2018, this article analyzes and pro-
First, we collect the IoT devices and their configuration
duces a multiport honeypot. Finally, an IoT honeynet system
information affected by this vulnerability as shown in Table I.
is implemented by deploying these different honeypots to
We develop a honeypot on the basis of this vulnerability. The
multiple nodes. With control centers for command distribu-
structure of the proposed honeypot is as follows: the core
tion and file transfer, we complemented the honeynet system
module of the honeypot, the honeypot Daemon module, the
by Docker.
Daemon process service, and the honeypot monitor, and other
modules.
A. Overall Architecture The framework can ensure the stability of the honeypot
To establish a coordinated honeypot system and increase the operation, and it can promptly discover and restart the honey-
capacity of cluster deployment, this article designs a control pot when the honeypot service is abnormal. It can also supply

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 ZHANG et al.: IoT HONEYNET BASED ON MULTIPORT HONEYPOTS FOR CAPTURING IoT ATTACKS 3995

TABLE I TABLE II
CVE-2017-17215 V ULNERABILITY I NFORMATION L OG F ORMAT

TABLE III
CVE-2017-17215 V ULNERABILITY BANNER F ORMAT

Fig. 4. Relations between pot-core parts.

some log information, which cannot be recorded by the honey-

pot service, as well as assist in debugging and troubleshooting
problems.
1) Core Module of the Honeypot: The honeypot core mod-
ule is the core service of a honeypot, which provides simulated
IoT devices and services with vulnerabilities. It consists of the injection code accesses port 37215 of the Web service.
the SOAP service module, Web service module, log module, Table III shows the banner information. The send-log func-
and malicious sample processing module. Fig. 4 illustrates the tion is also defined in this section to send a request record
relationship between them. packaged in JSON format to the log server. In this part, the
The core service module provides an external interface for socket is used in the communication between Web and log
the module, except for the honeypot core module. It monitors servers. The Web server waits for the message, the log server
by opening the log and SOAP servers, and it sets the timer- returns. If it receives an error message, it retransmits the same
handle-fun function of the timer-call log module. The function message. If the number of retransmissions exceeds the limit,
recursively calls itself and detects the current time, ensuring the log server is considered down.
that all logs are recorded daily in the local directory. The malicious sample processing module is responsible for
The log module defines UDPHandler to monitor the front- downloading and processing malicious samples, where the
end SOAP service module, and it analyzes the request wget-virus-in-url function provides an external interface for
information packaged in JSON format. Subsequently, the suc- calling the sample download function. In the function, the
cess information is returned. If a malicious sample download downloaded features are extracted by regular expressions.
is found in the request, the wget-virus-in-url function in the After extracting the download resource information, the
malicious sample processing module will be called to down- download-virus-by-requests function is called to download
load the sample. This file also provides the interface function samples. The function first searches for the output direc-
of opening the log server and timing output log for the core tory and the sample name. If the sample name exists, the
service module. Table II presents the logs defined as GET, renaming-duplicate-virus function is called to add the sample
POST and others, and the corresponding format. suffix to the sample to rename it. Then, the function calls the
The SOAP service module calls the handler defined in requests library for sample downloads. If the sample down-
the Web service module and the make-server functions in load is successful, the deep-analyze function is further called
wsgiref.simple-server, and it opens the SOAP server at port for an in-depth analysis, that is, the sample content is ana-
37215 to simulate the SOAP service with vulnerabilities of lyzed to determine whether a “large Trojan downloaded by
real IoT equipment and attract hackers. small Trojan” situation occurs. This part also defines the clear-
The handler function for the SOAP vulnerability is defined duplicate-sample function to remove the deduplication of the
in the Web service module, and the constructed fake file sample, which calculates the hash value of the sample by
is returned by wsgi. For the CVE-2017-17215 vulnerability, calling the md5sum function.

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 3996 IEEE INTERNET OF THINGS JOURNAL, VOL. 7, NO. 5, MAY 2020

TABLE IV
The SoapXML folder provides an SOAP device information L OG F ORMAT
modeled after the vulnerable router. It includes the device type,
device model, device URL, universally unique identifier, ser-
vice list, service address, serial number, and so on. This file
is used to respond to SOAP service scans for port 37215,
returning real device configuration information.
The functions of the above parts work together to form
the core of honeypot, complete the basic functions of the
honeypot, and simulate the real IoT devices and services.
2) Honeypot Daemon: This class defines a base class
Daemon to open, close, restart, and initialize. It also provides
the external interface to control honeypot.
Considering that the Daemon class is out of the terminal, the
standard information flow is redirected to an empty file. The
default value of pidfile attribute is “/tmp/tmp.pid”, which saves
the process number of the current process. The system can
determine if the process already exists to ensure the singleton
mode.
The function daemonize is used to initialize the Daemon
instance. First, whether it already exists by pidfile is deter-
mined; then, the buffer is flushed, and the standard stream Tc.sh calls the tc tool to limit traffic and prevent the hon-
is discarded. Finally, the pidfile is guaranteed removal at the eypot from being compromised due to DDoS attacks. The
end of the process through the atexit.register and signal.signal main.py is called in this article and is the outermost entrance
functions. The static function throws SystemExit exception. of the honeypot.
The start function calls the daemonize function to initialize,
catches the abnormal operation, and outputs an error message. C. High-Interactive Honeypot
The stop function takes a process number from a pidfile and The medium-high interactive honeypot described in the
kills it. The restart function continuously calls stop and start previous section simulates the SOAP protocol based on
functions to restart. wsgi. However, when the simulation protocol fails to pro-
3) Daemon Service: The class MyDaemon is defined in cess requests, an attacker is likely to interrupt the connection
the Daemon module, which inherits the Daemon class in scar- because the expected response is not received. Consequently,
library. Then, it starts the honeypot core service when the the honeypot fails to capture the subsequent injection code
instance is in operation. In the main function, an instance of and malicious sample. Therefore, a high-interactive honeypot
the class MyDaemon is created. The start of the honeypot is developed to handle requests using a completely realis-
daemon and the core of the honeypot are controlled by the tic exploitable IoT firmware to handle requests that cannot
corresponding functions of the instance. The class PotCore is be processed by mid-high interactive emulation honeypots.
also defined to provide an interface to the daemon externally. Moreover, running the captured malicious samples is possible
The main function is called by calling the subprocess.Popen because of the integrity of its services.
function. That is, the external instance of the class MyDaemon The qemu environment is used to assemble the kernel file
is not directly called, but the instance of PotCore is called. The vmlinux-2.6.32-5-4kc-malta and disk image debian-squeeze-
instance of PotCore calls the instance of MyDaemon through mips-standard.qcow2. After booting successfully, the change
its own method to implement the indirect call. root command is used to switch the root directory and run the
4) Honeypot Monitor: The honeypot monitor module calls UPnP and mic services. It provides the same SOAP service
the timer-handle-Web-detect-fun function to check the hon- as a real-world vulnerability IoT device. The device firmware-
eypot function. This function regularly accesses the honeypot based SOAP service honeypot can be implemented by adding
simulation service, detects its running state, determines excep- the above request record and sample download module to the
tions, such as timeouts and connection errors, and calls the system.
PotCore class object to restart honeypot when an exception
occurs. The start-service interface is also provided for external D. Multiport Honeypot
calls. SOAP vulnerability involves the UPnP’s device architecture,
5) Other Modules: The configuration module is the hon- SOAP service, and the HTTP protocol. Attackers use multiple
eypot configuration file, which defines some parameters and ports to attack. To collect these samples, we obtain the banner
reduces the workload of secondary development. Specifically, information of several IoT devices affected by the vulnerabil-
it includes honeypot name, log output directory, honeypot core, ity through the collection of IoT device information. The latter
honeypot self-check delay, and self-check cycle. is used to match the device type and select the response con-
main.py is the entry of the entire honeypot framework. It tent of the malicious request. Table IV describes the device
calls the start method of the PotCore class instance to open information.
the daemon and then calls the self-check.start-service of the To implement the multiport honeypot, this article adopts the
pot-monitor function to start the SOAP service self-check. threading module to achieve multithreaded operation. Then,
Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 ZHANG et al.: IoT HONEYNET BASED ON MULTIPORT HONEYPOTS FOR CAPTURING IoT ATTACKS 3997

TABLE V
any port can return the IoT device configuration file according T EST E NVIRONMENT
to the given fingerprint information to simulate the real device
service.

E. Honeypot Docker Packaging

To facilitate the rapid deployment of the transplant and
to prevent malicious behavior after the honeypot is broken,
the honeypot must be virtualized and transplanted. Then, the
TABLE VI
honeypot is packaged into an easily usable and deployable H ONEYPOT T EST I NSTANCE
black box.
Docker is a technology for packaging applications. The
main components are images, containers, and warehouses. An
image is a file that contains the basic contents of a con-
tainer that can be recognized by the Docker engine. An image
can contain the following that the developer needs: operating
system and specific environment, applications, and so on. The
container is an image after running. The repository is used
to save the image. Considering rapid deployment, the image
must be streamlined as follows.
1) Optimize the Basic Image: Ubuntu 16.04 is adopted in
the basic image of a honeypot, and it also integrates
some packages simultaneously needed in the Python
3.6, preventing the image from being downloaded at a
reduced rate during packaging.
2) Concatenate DockerFile Instructions: Multiple com-
mands are concatenated into one RUN command, the
number of the image layers is reduced, and unnecessary
components are removed to reduce space.
3) Optimize Business: The image cache is maximized, a
fixed machine is used for Docker builds, and the con-
stant large dependent libraries are separated from the
frequently modified own code.
4) Optimize Run Command: Suggested dependencies are
avoided when executing the apt command.
During the rapid deployment of honeynet, the master
node issues command to the master program of each phys-
ical host, and each physical host connects to the remote and can handle unknown requests. It also implements self-
image warehouse to download the required honeypot image check and restart functions with certain tolerance and robust-
and subsequently run them. A hybrid IoT honeypot with ness, and it provides a reliable underlying environment for the
multinodes and multihoneypots is constructed through the system.
communication between the master node and each physical We can conclude from Table VI that the honeypot is running
machine, the communication between each physical machine, normally after opening and can provide a simulated SOAP
and the mutual cooperation between the honeypots inside the service for IoT devices. After killing the honeypot core service
physical machines. with the kill command, the honeypot Daemon will find that the
program runs abnormally and automatically restarts the core
IV. E VALUATION during regular self-check.
A. Configuration
C. Evaluation of Honeynet
In this article, the control center and program are run-
Two honeypots deployed in 138.68.166.134 in the United
ning on the personal computer, and the proposed honeynet is
States and 159.89.42.105 in Canada operate steadily and col-
deployed on the cloud. Table V presents the specific software
lect many attacks over a week between November 30, 2018
environments and configurations.
and December 6, 2018 as shown in Table VII.
A total of 332 different IPs are observed to scan and inject
B. Evaluation of Honeypots the honeypot. As shown in Fig. 5, the source IPs of scan behav-
Table VI presents the functional test of the honeypot. iors are shown, and the most scan behaviors are from Japan.
The functional test demonstrates that the IoT honeypot can In Fig. 6, the distribution of countries for injecting behaviors,
perfectly simulate and implement the real IoT device services and most inject attacks are from the United States. Nine IPs

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 3998 IEEE INTERNET OF THINGS JOURNAL, VOL. 7, NO. 5, MAY 2020

TABLE VII
S AMPLE S ERVER I NFORMATION

Fig. 7. Sever distribution of malicious samples.

Table VIII presents the specific information of the malicious

sample.

V. C ONCLUSION
On the basis of the CVE-2017-17215 vulnerability
exploited by large-scale botnets, we developed a medium-
high interaction honeypot, which can implement SOAP ser-
vice interaction, log recording, sample download, and service
self-check. For the request that the honeypot could not be pro-
Fig. 5. Analysis for captured scan behaviors.
cessed, a high-interaction honeypot based on real firmware was
designed. Moreover, to expand the processing capability of
the honeynet, the multiport honeypot was developed using the
most exposed SOAP service port in 2018, and we simulated
different types of IoT devices. Finally, the rapid deployment
of the honeynet was achieved by packaging the honeypot as a
Docker image. The honeynet system has been on stable oper-
ation for nearly half a year in 2019, providing a large number
of logs, malicious samples, and other materials.
Owing to the timeliness of vulnerabilities, a necessity arises
to carry out ongoing track and research of IoT vulnerabilities,
security incidents, and analysis of hacker attacks. In terms
of honeynet, the intelligence and automation of the system
require further strengthening as well as efficiency.
Fig. 6. Analysis for captured inject behaviors.
R EFERENCES
TABLE VIII [1] Y. M. P. Pa, S. Suzuki, K. Yoshioka, and T. Matsumoto, “IoTPOT:
M ALICIOUS I OT S AMPLES C APTURED BY H ONEYPOT Analysing the rise of IoT compromises,” in Proc. USENIX WOOT, 2015,
pp. 1–9.
[2] H. T. Nguyen and K. Franke, “Adaptive intrusion detection system
via online learning,” in Proc. Int. Conf. Hybrid Intell. Syst., 2013,
pp. 271–277.
[3] N. Provos, “A virtual honeypot framework,” in Proc. USENIX Security
Symp., 2004, pp. 1–14.
[4] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. C. Freiling, “The
Nepenthes platform: An efficient approach to collect malware,” in Proc.
Int. Workshop Recent Adv. Intrusion Detection, 2006, pp. 165–184.
[5] Nepenthes Development Team. Dionaea. Accessed: May 15, 2011.
are identified in the suspect sample download center or C2 [Online]. Available: http://dionaea.carnivore.it/
server found in the records, which are from different coun- [6] L. Rist et al., Know Your Tools: Glastopf-a Dynamic, Low-Interaction
Web Application Honeypot, Honeynet Project, Ann Arbor, MI, USA,
tries. Apart from these IPs, the honeypot also captures a threat Apr. 2010.
domain named cnc.arm7plz.xyz. Fig. 7 shows the distribution [7] Addison Wesley, Know Your Enemy: Learning About Security Threats.
of these servers, and most servers are deployed in the United London, U.K.: Honeywell Project, 2004.
[8] K. Curran et al., “Monitoring hacker activity with a honeynet,” ACM
States. Int. J. Netw. Manag., vol. 15, no. 2, pp. 123–134, 2015.
Honeypots download several IoT malicious samples from [9] H. Shuangshuang, Honeynet-Based Attack Analysis, Beijing Univ. Posts
these servers. These samples were not captured by VT dur- Telecommun., Beijing, China, 2015.
[10] N. Agrawal and S. Tapaswi, “Wireless rogue access point detection using
ing capture, indicating that honeypots can capture the latest shadow honeynet,” Wireless Pers. Commun., vol. 83, no. 1, pp. 551–570,
threats to the IoT with high scientific and engineering value. 2015.

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.
 ZHANG et al.: IoT HONEYNET BASED ON MULTIPORT HONEYPOTS FOR CAPTURING IoT ATTACKS 3999

[11] Y. M. P. Pa, S. Suzuki, K. Yoshioka, T. Matsumoto, T. Kasama, and [36] A. D. Oza, G. N. Kumar, M. Khorajiya, and V. Tiwari, “Snaring cyber-
C. Rossow, “IoTPOT: A novel honeypot for revealing current IoT attacks on IoT devices with honeynet,” in Computing and Network
threats,” J. Inf. Process., vol. 24, no. 3, pp. 522–533, 2016. Sustainability. Singapore: Springer, 2019, pp. 1–12.
[12] M. Anirudh, S. A. Thileeban, and D. J. Nallathambi, “Use of honeypots [37] Z. Ammar and A. AlSharif, “Deployment of IoT-based honeynet model,”
for mitigating DoS attacks targeted on IoT networks,” in Proc. IEEE in Proc. ACM 6th Int. Conf. Inf. Technol. IoT Smart City, 2018,
Int. Conf. Comput. Commun. Signal Process., 2017, pp. 1–4. pp. 134–139.
[13] M. A. Hakim, H. Aksu, A. S. Uluagac, and K. Akkaya, “U-PoT: A
honeypot framework for UPnP-based IoT devices,” in Proc. IEEE Int.
Perform. Comput. Commun. Conf., 2018, pp. 1–8. Weizhe Zhang (SM’04) received a doctor’s degree
[14] P. J. Hanson, L. Truax, and D. D. Saranchak, “IOT honeynet for military in computer science and technology from the Harbin
deception and indications and warnings,” in Proc. Auton. Syst. Sensors Institute of Technology, Harbin, China, in 2006.
Veh. Security Internet Everything, 2018, Art. no. 106431A. He is currently a Professor with the School of
[15] V. Yegneswaran, P. Barford, and V. Paxson, “Using honeynets for Computer Science and Technology, Harbin Institute
Internet situational awareness,” in Proc. 4th Workshop Hot Topics Netw., of Technology, Harbin, China, and the Director
2005, pp. 17–22. of the Cyberspace Security Research Center, Peng
[16] X. Ma, J. Zhu, Z. Wan, J. Tao, X. Guan, and Q. Zheng, “Honeynet-based Cheng Laboratory, Shenzhen, China. He has pub-
collaborative defense using improved highly predictive blacklisting algo- lished more than 130 academic papers in journals,
rithm,” in Proc. IEEE World Congr. Intell. Control Autom., 2010, books, and conference proceedings. His research
pp. 1283–1288. interests are primarily in cyberspace security, cloud
[17] L. Yongli, W. Shufang, Z. Jie, and W. Zixian, “Model and evaluation of computing, and high-performance computing.
a new honeynet,” in Proc. IEEE Symp. Robot. Appl., 2012, pp. 574–576. Prof. Zhang is a Lifetime Member of the ACM.
[18] A. Ghourabi, T. Abbes, and A. Bouhoula, “Data analyzer based on data
mining for honeypot route,” in Proc. IEEE Int. Conf. Comput. Syst.
Appl., 2010, pp. 1–6.
Bin Zhang received the Ph.D. degree from the
[19] H. Linan and Q. Zhu, “Adaptive honeypot engagement through rein-
Department of Computer Science and Technology,
forcement learning of semi-Markov decision processes,” in Proc. Int.
Tsinghua University, Beijing, China, in 2012.
Conf. Decis. Game Theory Security, 2019, pp. 196–216.
He worked as a Postdoctoral Fellow with Nanjing
[20] G. Dai, “Design and implementation on SOAP-based things management
Telecommunication Technology Institute, Nanjing,
protocol for Internet of Things,” in Proc. IEEE World Congr. Intell.
China, from 2014 to 2017. He is currently a
Control Autom., 2012, pp. 4305–4308.
Researcher with the Cyberspace Security Research
[21] T. Riedel, N. Fantana, A. Genaid, D. Yordanov, H. R. Schmidtke, and
Center, Peng Cheng Laboratory, Shenzhen, China.
M. Beigl, “Using Web service gateways and code generation for sus-
He publishes more than 30 papers in refereed
tainable IoT system development,” in Proc. IEEE Internet Things, 2010,
international conferences and journals. His current
pp. 1–8.
research interests focus on network anomaly detec-
[22] B. Wang, “Review of Internet of Things,” J. Electron. Meas. Instrum.,
tion, Internet architecture, and its protocols, network traffic measurement, and
vol. 23, no. 12, pp. 1–7, 2009.
information privacy security.
[23] J. A. Buchmann, F. Göpfert, T. Güneysu, T. Oder, and T. Pöppelmann,
“High-performance and lightweight lattice-based public-key encryption,”
in Proc. ACM Int. Workshop IoT Privacy Trust Security, 2016, pp. 2–9.
[24] R. H. Weber, “Internet of Things—New security and privacy challenges,” Ying Zhou received the bachelor’s degree in com-
Comput. Law Security Rep., vol. 26, no. 1, pp. 23–30, 2010. puter science and technology from the Dalian
[25] A. Costin, J. Zaddach, A. Francillon, and D. Balzarotti, “A large- University of Technology, Dalian, China, in 2016,
scale analysis of the security of embedded firmwares,” in Proc. Usenix and the master’s degree in computer science and
Security Symp., 2014, pp. 95–110. technology from the Harbin Institute of Technology,
[26] I. Vasyltsov and S. Lee, “Entropy extraction from bio-signals in health- Harbin, China, in 2019.
care IoT,” in Proc. ACM Workshop IoT Privacy Trust Security, 2015, She has been working with Peng Cheng
pp. 11–17. Laboratory, Shenzhen, China, since 2019.
[27] Y. Zhu, J. Yan, Y. Tang, Y. L. Sun, and H. He, “Joint substation-
transmission line vulnerability assessment against the smart grid,” IEEE
Trans. Inf. Forensics Security, vol. 10, no. 5, pp. 1010–1024, May 2015.
[28] F. Liu, A Brief Analysis of UPnP Agreement, Inner Mongolia Sci. Hui He (M’09) received a doctor’s degree in
Technol. Econ., Inner Mongolia, China, pp. 72–73, 2009. computer science and technology from the Harbin
[29] S. Yu, G. Gu, A. Barnawi, S. Guo, and I. Stojmenovic, “Malware propa- Institute of Technology, Harbin, China, in 2007.
gation in large-scale networks,” IEEE Trans. Knowl. Data Eng., vol. 27, She is a Ph.D. Supervisor with the School of
no. 1, pp. 170–179, Jan. 2014. Computer Science and Technology, Harbin Institute
[30] S. Yu, G. Wang, and W. Zhou, “Modeling malicious activities in cyber of Technology, Harbin, China. She has accom-
space,” IEEE Netw., vol. 29, no. 6, pp. 83–87, Nov./Dec. 2015. plished many projects, such as National High
[31] S. Yu, Y. Tian, S. Guo, and D. O. Wu, “Can we beat DDoS Technology Research and Development Program
attacks in clouds?” IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 9, and National Science Foundation Projects. She has
pp. 2245–2254, Sep. 2014. published more than 50 scientific papers. She con-
[32] D. V. Medhane and A. K. Sangaiah, “PCCA: Position confidentiality ducts research in network and information technol-
conserving algorithm for content-protection in e-Governance services ogy, big data processing and analysis, and mobile network computing.
and applications,” IEEE Trans. Emerg. Topics Comput. Intell., vol. 2, Dr. He has won two second prizes Provincial Science and Technology
no. 3, pp. 194–203, Jun. 2018. Progress Awards. She is a member of ACM and CCF.
[33] M. D. Vishwasrao and A. K. Sangaiah, “ESCAPE: Effective scalable
clustering approach for parallel execution of continuous position-based
queries in position monitoring applications,” IEEE Trans. Sustain.
Zeyu Ding received the bachelor’s degree from
Comput., vol. 2, no. 2, pp. 49–61, Apr.–Jun. 2017.
Harbin Engineering University, Harbin, China, in
[34] A. K. Sangaiah, D. V. Medhane, T. Han, M. S. Hossain, and
2017, and the master’s degree from the Harbin
G. Muhammad, “Enforcing position-based confidentiality with machine
Institute of Technology, Harbin, in 2019.
learning paradigm through mobile edge computing in real-time industrial
His research direction is cyberspace security.
informatics,” IEEE Trans. Ind. Informat., vol. 15, no. 7, pp. 4189–4196,
Jul. 2019.
[35] H. Artail, H. Safa, M. Sraj, I. Kuwatly, and Z. Al-Masri, “A hybrid hon-
eypot framework for improving intrusion detection systems in protecting
organizational networks,” Comput. Security, vol. 25, no. 4, pp. 274–288,
2006.

Authorized licensed use limited to: COMSATS INSTITUTE OF INFORMATION TECHNOLOGY. Downloaded on November 07,2024 at 16:25:33 UTC from IEEE Xplore. Restrictions apply.