
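Graduate student: 王韋翔 (Wei-Xiang Wang)
Thesis title: Malicious Behavior Detection via IoT Honeynet with Physical and Virtualized Devices
(透過具有實體與虛擬化設備的物聯網誘捕網路來偵測惡意行為)
Advisor: 鄭欣明 (Shin-Ming Cheng)
Oral defense committee: 李漢銘 (Hahn-Ming Lee), 黃俊穎 (Chun-Ying Huang), 蕭旭君 (Hsu-Chun Hsiao), 游家牧 (Chia-Mu Yu)
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2020
Academic year of graduation: 108
Language: Chinese
Number of pages: 39
Keywords (Chinese): 物聯網 (IoT), 惡意程式 (malware), 誘捕節點 (honeypot), 誘捕網路 (honeynet), 網路分析 (network analysis)
Keywords (English): IoT, malware, honeypot, honeynet, network analysis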
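  • The ease of deploying, implementing, and using Internet of Things (IoT) devices has drawn wide attention to IoT applications from both the public and malicious adversaries. IoT malware tries to infect vulnerable IoT devices and uses the infected devices as bots to attack specific targets. To capture the malicious traffic of malware or attacks, honeypots that emulate real IoT devices are commonly used, so that an IoT gateway can use the collected information to identify and block malicious attacks. This thesis develops a high-interaction honeynet composed of honeypots, real IoT devices, virtualized IoT devices emulated from commercial IoT firmware, and Mirai malware. Nodes infected by our Mirai malware or by attacks from the Internet will be prevented from spreading to other nodes in the honeynet. In this setting, the malicious traffic sent and received by IoT nodes after infection can be captured, and the extracted packet-level signatures can serve as effective features for machine learning-based detection. Our experimental results show that a Random Forest (RF) classifier at the IoT gateway can identify real-world malicious traffic with an accuracy of 96.52%.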


    The ease of deployment, implementation, and usage of Internet of Things (IoT) devices has made IoT applications receive a lot of attention from the general public and malicious adversaries. IoT malware in particular tries to infect vulnerable IoT devices and leverage compromised devices as bots to attack a specific target. Typically, a honeypot emulating a realistic IoT device is developed to capture the malicious traffic of malware or attacks so that the IoT gateway can use the collected information to identify and block malicious attacks. This paper develops a high-interaction honeynet consisting of honeypots, physical IoT devices, and virtualized IoT devices emulated by commercial firmware, as well as a Mirai attack toolkit. Nodes in the honeynet compromised by an attack from our toolkit or from the Internet will further spread malware to other nodes inside the honeynet with containment. In this case, malicious traffic sent and received by IoT nodes after infection can be captured, and the extracted packet-level signatures can be utilized as effective features for machine learning-based detection. Our experimental results show that the developed Random Forest detector, located at the IoT gateway and identifying real-world malicious traffic, can achieve a 96.52% accuracy rate.

    Chinese Abstract
    Abstract
    Table of Contents
    List of Tables
    List of Illustrations
    1 Introduction
    2 Related Work
      2.1 IoT Malware
      2.2 Classification of IoT device traffic
        2.2.1 Toolkit and Malware
        2.2.2 Honeypot and Honeynet
    3 Methodology
      3.1 Architecture Overview
      3.2 Honeypot Design
        3.2.1 Emulator
        3.2.2 Watchdog
      3.3 Dataset
        3.3.1 Traffic Parser
      3.4 Extraction of Network Traffic
      3.5 Monitor
    4 Experiment
      4.1 Training and Validation Dataset
        4.1.1 Malicious Traffic
        4.1.2 Benign Traffic
        4.1.3 Preprocessing of Traffic
    5 Evaluation
      5.1 Analysis of Malware Multiplication Process
      5.2 Selection of Classifiers and Arguments
      5.3 Identification of Malicious Traffic
        5.3.1 Scenario 1
        5.3.2 Scenario 2
        5.3.3 Scenario 3
        5.3.4 Scenario 4
        5.3.5 Scenario 5
        5.3.6 Scenario 6
    6 Conclusion
    References


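    Full-text release date: 2025/08/20 (on-campus network)
    Full-text release date: 2025/08/20 (off-campus network)
    Full-text release date: 2025/08/20 (National Central Library: Taiwan thesis and dissertation system)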