The Internet of Things (IoT) devices are increasingly exploited as intermediaries for launching sophisticated cyberattacks. IoT honeypots have emerged as a proactive measure to lure attackers and provide early threat detection. However, existing honeypots exhibit significant limitations, including low interaction levels, vulnerability to fingerprinting, and constrained data collection capabilities. This paper introduces HoneySentry, a high-interaction IoT honeypot specifically designed to overcome these challenges and target advanced attackers adept at sophisticated honeypot fingerprinting and strategic selection of victim IoT devices. HoneySentry utilizes a custom-enhanced IoT firmware emulation framework to achieve high-fidelity emulation of diverse IoT devices and architectures. It incorporates advanced anti-fingerprinting techniques to evade detection, modifying commands frequently used by attackers during reconnaissance. Additionally, HoneySentry enhances its appeal to attackers by deploying a variety of meticulously crafted bait files and processes. To facilitate detailed analysis, HoneySentry captures comprehensive attack data, including both network traffic and host-level activities. Comparative evaluations against traditional honeypots and real-world deployments demonstrate that HoneySentry significantly outperforms existing solutions in fostering deep engagement with attackers, collecting extensive attack data, and enabling comprehensive threat analysis. During its two-month deployment (August 2024 to November 2024), HoneySentry captured over 200,000 requests and generated 61.3 GB of log data. Further analysis revealed variants of known malicious worms and viruses, as well as several intriguing attack behaviors, highlighting its capability to uncover diverse threats.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

HoneySentry: A High-Fidelity Interactive IoT Honeypot for Advanced Threat Detection

  • Yanbing Shen,
  • Hao Sun,
  • Jiacheng Wang,
  • Haitao Xu,
  • Gang Liu,
  • Fan Zhang

摘要

The Internet of Things (IoT) devices are increasingly exploited as intermediaries for launching sophisticated cyberattacks. IoT honeypots have emerged as a proactive measure to lure attackers and provide early threat detection. However, existing honeypots exhibit significant limitations, including low interaction levels, vulnerability to fingerprinting, and constrained data collection capabilities. This paper introduces HoneySentry, a high-interaction IoT honeypot specifically designed to overcome these challenges and target advanced attackers adept at sophisticated honeypot fingerprinting and strategic selection of victim IoT devices. HoneySentry utilizes a custom-enhanced IoT firmware emulation framework to achieve high-fidelity emulation of diverse IoT devices and architectures. It incorporates advanced anti-fingerprinting techniques to evade detection, modifying commands frequently used by attackers during reconnaissance. Additionally, HoneySentry enhances its appeal to attackers by deploying a variety of meticulously crafted bait files and processes. To facilitate detailed analysis, HoneySentry captures comprehensive attack data, including both network traffic and host-level activities. Comparative evaluations against traditional honeypots and real-world deployments demonstrate that HoneySentry significantly outperforms existing solutions in fostering deep engagement with attackers, collecting extensive attack data, and enabling comprehensive threat analysis. During its two-month deployment (August 2024 to November 2024), HoneySentry captured over 200,000 requests and generated 61.3 GB of log data. Further analysis revealed variants of known malicious worms and viruses, as well as several intriguing attack behaviors, highlighting its capability to uncover diverse threats.