Title
HoneyComb: A Darknet-Centric Proactive Deception Technique For Curating IoT Malware Forensic Artifacts
Abstract
Conventional IoT honeypots are known to suffer from scalability and management issues while accumulating stringent costs. Further, their passive nature hinders the wide-scale gathering of much-needed IoT malware artifacts, impeding their measurement and analysis and, ultimately, their use to infer and react to IoT maliciousness at large. To this end, in this work we introduce HoneyComb, a proactive deception technique that curates IoT malware forensics by leveraging IoT scans captured on the darknet (i.e., an Internet telescope). HoneyComb is built on the premise that a large darknet network (comprising 16.7 million IPs) can be positioned as a large honeypot to interact with malware-infected IoT devices at scale. Such a large vantage point offers an incomparably broad view of the IoT cyber security posture compared to the typical, much more restricted, currently available IoT honeypots. In essence, the IoT scans inferred from the darknet, together with the existing discrepancy in the validation algorithms of IoT malware stateless scanning modules, enable HoneyComb to send crafted deceiving packets (i.e., TCP SYN-ACK packets) that delude malware-infected IoT devices in the wild into interacting with it. During 48 hours of empirical measurements, the proposed scheme logged 1,432,518 interactions originating from 37,323 malware-infected IoT devices worldwide. Additionally, our findings revealed intriguing insights into the propagation behavior of IoT malware: 11,340 infected devices delivered their malware binaries using 1,398 unique URLs, 2,114 used HexString dumping to drop their binaries, and the rest reported sensitive information (e.g., credentials) to their servers.
Finally, while we observe that newly emerged IoT malware such as ZHTRAP is more capable in the takeover process owing to its innovative techniques and offensive competencies, we frame HoneyComb as a complementary scheme that would aid in addressing a number of evolving IoT-centric security endeavours, including large-scale malware attribution and C&C takedowns.
Year: 2022
DOI: 10.1109/NOMS54207.2022.9789827
Venue: NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium
Keywords: Internet telescope, Darknet, IoT-honeypots, IoT malware, IoT scans, Stateless scanners, Proactive deception
DocType: Conference
ISSN: 1542-1201
ISBN: 978-1-6654-0602-4
Citations: 0
PageRank: 0.34
References: 10
Authors: 3

Authors
Name                 Order  Citations  PageRank
Morteza Safaei Pour  1      4          1.81
Joseph Khoury        2      0          0.34
Elias Bou-Harb       3      0          0.34