Using honeypots to model botnet attacks on the internet of medical things

Huanran Wang; Hui He; Weizhe Zhang; Wenmao Liu; Peng Liu; Amir Javadpour

doi:10.1016/j.compeleceng.2022.108212

Using honeypots to model botnet attacks on the internet of medical things

Comput Electr Eng. 2022 Sep:102:108212. doi: 10.1016/j.compeleceng.2022.108212. Epub 2022 Jul 8.

Authors

Huanran Wang¹, Hui He¹, Weizhe Zhang^{1

2}, Wenmao Liu³, Peng Liu⁴, Amir Javadpour⁵

Affiliations

¹ School of Cyberspace Science, Harbin Institute of Technology, Harbin, China.
² Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen, China.
³ NSFOCUS inc., Beijing, China.
⁴ Pennsylvania State University, United States.
⁵ Department of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China.

Abstract

Corona Virus Disease 2019 (COVID-19) has led to an increase in attacks targeting widespread smart devices. A vulnerable device can join multiple botnets simultaneously or sequentially. When different attack patterns are mixed with attack records, the security analyst produces an inaccurate report. There are numerous studies on botnet detection, but there is no publicly available solution to classify attack patterns based on the control periods. To fill this gap, we propose a novel data-driven method based on an intuitive hypothesis: bots tend to show time-related attack patterns within the same botnet control period. We deploy 462 honeypots in 22 countries to capture real-world attack activities and propose an algorithm to identify control periods. Experiments have demonstrated our method's efficacy. Besides, we present eight interesting findings that will help the security community better understand and fight botnet attacks now and in the future.

Keywords: Attack pattern; Botnet; Control period; Internet of medical things; Internet of things.