As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.

翻译：随着物联网设备广泛部署，其固有漏洞对基于物联网的系统构成诸多威胁。提升物联网安全性的有效方法之一是部署物联网蜜罐系统，该系统可收集攻击信息并揭示攻击者采用的方法与策略。然而，由于物联网设备的异构性，构建高交互蜜罐极具挑战性。物联网设备的漏洞通常依赖于特定设备类型或固件版本，这促使攻击者在发起攻击前进行预攻击探测以收集设备信息。此外，传统蜜罐因其响应逻辑与所模拟的物联网设备存在差异而易被识别。针对这些问题，我们开发了一种名为HoneyIoT的自适应高交互物联网蜜罐。首先构建基于真实设备的攻击轨迹采集系统，学习攻击者与物联网设备的交互模式；随后通过马尔可夫决策过程对攻击行为建模，并利用强化学习技术基于攻击轨迹学习最优响应策略以吸引攻击者；同时采用差分分析技术变异特定字段的响应值，生成高保真响应。HoneyIoT已部署于公共互联网。实验结果表明，HoneyIoT能够有效绕过预攻击探测，误导攻击者上传恶意软件，且对广泛使用的侦察与蜜罐检测工具具有隐蔽性。