Attack Detection and Forensics Using Honeypot in IoT Environment

The Internet of Things (IoT) is a collection of tiny devices deployed with sensors. IoT automates embedded devices and controls them over the Internet. Ubiquitous deployment of IoT introduces a vision for the next generation of the Internet where users, computing systems, and everyday objects possessing sensing and actuating capabilities cooperate with unprecedented convenience and economic benefits. Due to the increased usage of IoT devices, the IoT networks are vulnerable to various security attacks by remote login (like SSH and Telnet). This paper focuses on capturing the attacks on IoT devices using Cowrie honeypot. We employ various machine learning algorithms, namely, Naive Bayes, J48 decision tree, Random Forest and Support Vector Machine (SVM) to classify these attacks. This research classifies attacks into various categories such as malicious payload, SSH attack, XOR DDoS, Spying, Suspicious and clean. Feature selection is carried out using subset evaluation and best first search. Once features are selected, we use the proposed SVM model and evaluate its performance with baseline models like Random Forest, Naive Bayes, J48 decision tree. The trained model's fitness is evaluated on the basis of various metrics such as accuracy, sensitivity, precision, and F-score, where accuracy varies from 67.7% to 97.39%. This work exhibits the inclusion of machine learning module to classify attacks by analyzing the exhibit behavior. In the end, we discuss our observations of honeypot forensics over the commands executed by the attacker to execute malicious attack.