HoneyIoT: Adaptive High-Interaction Honeypot for IoT Devices Through Reinforcement Learning

TL;DR

HoneyIoT is an adaptive high-interaction IoT honeypot that uses reinforcement learning and differential analysis to effectively deceive attackers, bypass detection, and gather attack data on diverse IoT devices.

Contribution

The paper introduces HoneyIoT, a novel adaptive honeypot system that employs reinforcement learning and differential analysis to mimic IoT devices and deceive attackers.

Findings

HoneyIoT effectively bypasses pre-attack checks.

It successfully misleads attackers into uploading malware.

The system is covert against detection tools.

Abstract

As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.