Revealing Human Attacker Behaviors Using an Adaptive Internet of Things Honeypot Ecosystem.

Honeypots have been used as decoy devices to understand the dynamics of threats on networks and their impacts. However, the questions of whether and how honeypots can elicit rich human attacker behaviors have not been investigated systematically. These capabilities are especially important for Internet of Things devices given the limited knowledge about attacker goals. This chapter attempts to answer three questions. Can an Internet of Things honeypot that gradually adapts or increases its emulation sophistication elicit richer human attacker behaviors over time? Is it possible to engage human attackers using dynamically-adapting Internet of Things honeypots? Does the large amount of data captured by honeypots embody patterns that can enable security analysts to understand attacker intentions on Internet of Things devices? To answer the questions, a new approach is presented for creating an adaptive honeypot ecosystem that gradually increases the sophistication of honeypot interactions with adversaries based on observed data. The approach is employed to design custom honeypots that mimic Internet of Things devices and an innovative data analytics method is applied to identify attacker behavior patterns and reveal attacker goals. The honeypots in the experiments actively observed real-world attacker behaviors and collected increasingly sophisticated attack data over more than three years. In the case of Internet of Things camera honeypots, human attack activities were observed after adapting the honeypots based on previous attacker behaviors. The data analytics results indicate that the vast majority of captured attack activities share significant similarities, and can be clustered to better understand the goals, patterns and trends of Internet of Things attacks in the wild.