Deception-Based Security Framework for IoT: An Empirical Study

A large number of Internet of Things (IoT) devices in use has provided a vast attack surface. The security in IoT devices is a significant challenge considering constrained resources, designed with poor security measures and their associated configuration and maintenance flaws. Vulnerable IoT devices are used to perform different attacks such as Distributed Denial of Service (DDoS) caused by malware infection and propagation.

In the literature, attacks on IoT devices have been captured and analysed using deception systems such as honeypots to discover patterns of target selection, login credentials used, commands executed by the attackers in the attack process and study behaviours of IoT malware and botnets. However, previous studies are limited in presenting an in-depth analysis of complete attack structures, grouping attacks without the subjective bias of experts' domain knowledge and proposing empirically-proven methods to detect human attackers. These studies also do not use the existing knowledge of attacks to design or improve deception-based defences.

The overall goal of this thesis is understanding IoT attacks, threat actors and their behaviours and uses probabilistic modelling and prior knowledge to propose a deception-based security framework. A key feature of this thesis is the experimental data collection and empirical analysis using categorisation and clustering techniques. To achieve the overall goal, this research conducts an experimental study in which a honeypot is deployed to capture IoT attacks. Using the Cyber Kill Chain (CKC) model, more than 30,000 captured attacks are empirically analysed and an IoT Kill Chain (IoTKC) model is designed. The IoTKC model presents attack process followed for the exploitation of IoT devices and each phase is an abstraction of attackers' activities, tools, techniques and tactics used.

The knowledge gained about IoT attacks is used to propose a deception-based security framework. A pre-planning phase is introduced on top of other traditional phases, i.e., creating deception-based defence, performing defence, evaluating, monitoring and updating defence. The knowledge of prior attacks helps predict attack actions based on the probabilities of following a sequence and subsequently choosing defensive measures. The framework also discusses attackers' behaviour in the process and various quantification measures for evaluating the performance of attack and defence actions.

This research also proposes a feature set extracted from captured IoT attacks based on manually mapping commands with IoTKC steps, behaviour of attackers and utilisation of resources. Various clustering algorithms are applied to the data set prepared by identified features and random tree models are designed to highlight the distribution of attacks and classification features. Further extending the analysis, this thesis proposes a new approach comprised of feature construction using Autoencoder (AE) and clustering IoT attacks to understand the attacks distribution based on changes in commands and the links between captured attacks. The proposed approach also handles domain knowledge and subjective bias limitations by removing the process of manually correlating commands. Overall the findings related to understanding and clustering IoT attacks show that most of the attacks captured are automated and active attack campaigns on the Internet. A larger experimental study is therefore required to acquire larger data set and further study other types of attacks and attackers behind them. Before conducting the new experiment, this research performs a risk assessment study using Failure Modes and Effects Analysis (FMEA) for a honeypot-based cyber security experiment. The analysis identifies the factors affecting a cyber security experiment regarding deceptive capabilities, increasing exposure, avoiding detection, deploying and monitoring honeypots. Moreover, for the relevant configurations, components and deceptive capabilities in the experiment; the analysis provides details on possible failure modes, their effects on experimental results, the possible causes of failures and available controls to detect and mitigate potential failures.

This research then conducts a large experimental study by deploying 15 server honeypots in various geographical locations around the world and collecting attack data for a period of two months. A representative feature set is proposed to identify the behavioural characteristics of human attackers when interacting with the target system. Our analysis also discusses various case studies of human attackers and reports observations on their interaction behaviours with the target systems and intentions to perform attacks. We also discuss the advantages of increasing deception by comparing attacks received on honeypots with various deceptive capabilities. Changing configurations and increasing deception at various levels help make the honeypot more appealing to lure IoT-specific attacks and convince attackers to maintain longer engagements.