
IoT Threat Discovery And Situation Awareness Based On Honeynet

Posted on: 2020-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: Z Y Ding
Full Text: PDF
GTID: 2428330590973220
Subject: Computer technology
Abstract/Summary:
In recent years, the Internet of Things (IoT) has developed rapidly, driven by people's demand for smart living. According to survey data, the number of IoT devices has exceeded 10 billion. Such a large number of IoT devices can greatly improve our living environment, but it also hides huge security risks. Moreover, conventional network security measures are difficult to deploy on IoT devices because of their limited resources and the many operating system architectures in use, so these devices are more likely to be attacked. At present, the security situation of the IoT is severe and has received comparatively little research. Scholars have proposed a variety of protection methods, but there are few security solutions that take a macro perspective.

This thesis proposes an IoT security situational awareness system that monitors the real-time security status of the IoT network and detects malicious threats in time. The system deploys different kinds of IoT honeypots to form a composite honeynet. It also trains classification models on IoT malicious samples in order to analyze the samples captured by the honeynet and identify the family to which they belong. In addition, by analyzing and processing the threat information obtained by the honeynet, this thesis designs a series of strategies to rate the threat intelligence from different perspectives and gives the total risk level of the current IoT network. This thesis also designs a data visualization system, which visually displays the changes in malicious requests over time, the geographical distribution of attackers, and an analysis of attackers' methods. The system greatly facilitates the research of security personnel. The details of each part are as follows.

Based on the CVE-2017-17215 vulnerability, this thesis implements a medium-to-high interaction honeypot that simulates a specific UPnP service, with service simulation, log recording, malicious sample download, and service self-test functions. To solve the problem that the honeypot may receive a request it cannot understand, a high-interaction honeypot was built with real IoT firmware. This thesis also investigates the most exposed ports of the SOAP service in 2018 and designs a multi-port honeypot to improve the capture capacity of the honeynet. In addition, this thesis uses Docker to package the honeypots, which reduces their size and enables rapid deployment. At the same time, a control center is designed to distribute commands and transfer files to each physical node in the honeynet.

This thesis also proposes a new family classification method for IoT malicious samples. Through reverse analysis of the samples, detailed information such as the structure of each sample and its security protection mechanisms is obtained. We then select 18 of these items as training features and apply a discretized mapping. To classify IoT malicious samples, the thesis proposes an ensemble learning algorithm based on weak classifiers and then optimizes the performance of the weak classifier. The experimental results show that the ensemble learning algorithm improves the accuracy of multi-family classification from 89% to 92% and performs well for every family. Compared with related research in the IoT field at home and abroad, the proposed algorithm has better performance.

By summarizing and analyzing the threat information collected by the honeynet, the current state of IoT security is depicted from the perspectives of time, space and attack methods. We propose a method of rating malicious behavior based on security strategy. The method also gives an IoT threat index from four perspectives so that security personnel can locate problems rapidly.

We design and implement a data visualization system that displays the original data and analysis results visually on the front-end page. The system comprises multiple functions, including host status monitoring, real-time log display, sample classification display, malicious request trend display, threat intelligence summary, geographic traceability display, and threat score display. In this thesis, the above modules are linked together through background scripts and an SQL database to form a complete IoT security solution that provides functions from data acquisition to front-end display. Through this system, security personnel can grasp the security status of the IoT network in real time, analyze various threat information, and take security measures rapidly.
Keywords/Search Tags:Internet of Things, honeynet, threat discovery, situational awareness, malicious sample classification