IoT Attacks: Features Identification and Clustering

The exponential growth in the Internet of Things (IoT) market has led to the proliferation of cyber threats as millions of vulnerable IoT devices are connected to the Internet each year. Security practitioners and researchers capture attacks on IoT devices using honeypots to explore the attack process, identify the types of attacks and analyse the interaction of the attackers with IoT devices. Several studies have focused on the classification of attacks on IoT devices, however, they are limited to performing manual analysis on command data by assigning skill levels to the attackers and looking at the purpose of executing specific commands. In this paper, we report our analysis of the captured attacks on IoT devices for four months using a medium-interaction server honeypot. We extract a new feature set by analysing the attacks according to the depth of interaction by the attackers, their behaviour in the attack process and the resources they utilised to perform these attacks. We apply unsupervised learning (i.e. clustering) to automatically group captured attacks and build a model to highlight the important features that contribute to understanding the relationship between various attacks grouped in the same cluster.