1. Introduction

2. Literature Review

3. Proposed Approach

4. Experimental Setup

4.1. Honeypot

The proposed honeypot is a low-interactive system implemented on a Raspberry Pi Model 3 B+, operating with the desktop version of the Raspbian 64-bit Lite OS. It redirects attackers to a fake admin login web page, prompting them to enter a username and password. The honeypot records all the data, including the IP address, type of request, values entered, and breached port. It was created using a socket programming approach with a Python script directing users to a web page by listening to port 80, the port where the server anticipates receiving data from a web client. Multiple ports can be opened, allowing the honeypot to monitor changes or requests and respond accordingly. Socket programming facilitates communication between two nodes in a network: one socket (node) listens to a specific port at an IP address, whereas the other socket reaches out to establish a connection. When the client attempts to contact the server, the server creates a listener socket. The following scripts demonstrate how a socket was created and configured for IPv4 addressing using a TCP connection. The socket is given a dedicated port to which it should listen, as illustrated in script 1.

Script 1

The code snippet provided in Script 1 establishes a socket connection to create a honeypot system that listens to incoming connections from potential attackers. The try block initiates the process by creating a new socket using the AF_INET address family and SOCK_STREAM socket type, which is suitable for TCP connections. The bind method associates the socket with a specific IP address (ip_add) and port (port). The listen method then sets the socket to listen for incoming connections with a timeout set to 10 seconds. Within an infinite loop (while True), the accept method waits for a client to establish a connection, returning a new socket object (client_con) and the address of the connected client (client_addr). Upon a successful connection, the code prints a message indicating the detection of a visitor along with the visitor’s IP address.

The session must then be ended upon completion, closing the endpoints, as shown in script 2.

Script 2

The Hypertext Transfer Protocol (HTTP) is handled by port 80. Therefore, a request can be submitted by typing the honeypot’s IP address ’192.168.1.4’ into any web browser. The attacker is then routed to a webpage designed using JavaScript and CSS. As illustrated in Figure 2, there are two input text boxes representing the data needed to unlock the SmartLock system. This is normal behavior for the IoT system, giving the attackers a false sense of security and believing that they have infiltrated our IoT system. These inputs, along with other information about the attack and its location, were saved for the analysis.

String manipulation techniques were applied to extract the values of the username and password. Data are retrieved from the HTML page using a socket programming approach that captures and decodes the response from the webpage. String manipulation was then performed on the decoded response to clean and filter the data. These logs, generated by the honeypot, record any active connections established with the honeypot. The terminal output first announces that the honeypot is active and logs any device that connects to it within every specified time frame. Subsequently, it logs the values entered on the website, allowing us to track the attacker’s activity on the webpage. The terminal output after entering the data into the webpage is shown in Figure 3.

Next, an Excel spreadsheet was generated using a Python script to format the logged data. This sheet records the time a connection is made to the honeypot, the IP address of the device that made the request, the port accessed, and the type of connection—whether it is a GET request (when accessing the webpage) or a POST request (when sending a response to the webpage). Additionally, it records the operating system and other information about the device that made the connection, as well as the actual values of the usernames and passwords that were entered.

Figure 4 illustrates the excel spreadsheet “Honeypot Logs” automatically created locally, as mentioned above. The sheet contains six columns with the following information:

• Time Stamp: The exact time a connection was made.
• Visitor IP: The IP address of the suspicious device.
• Listening on Port: The vulnerable port accessed on the honeypot.
• Visitor Information: Details about the type of connection made.
• Username: The username entered on the website.
• Password: The password entered on the website.

In addition, the logging package in Python was used to create a logger file that presented the collected data in a different format. Figure 5 illustrates an example of a logger file.

A port packet sniffer is used to log traffic from vulnerable open ports in the system. The TCPdump, a command-line-based sniffer, was employed to gather detailed information about the incoming connections. The data captured by the TCPdump can be saved in a .pcap format, which is then imported into data analysis tools, such as WireShark, for further packet analysis. The collected data of the sniffer are appended to both a logger file and a .xlsx file for convenient access and comparison of the incoming connections across various ports. The last two lines in Figure 6 are added by the sniffer, containing the IP address initiating the connection, accessed port, and two respective values, A and B. These values serve as trigger inputs for the HT. Monitoring these values and connections helps to mitigate attacks.

These logs were also entered into a separate sheet .xlsx file in a separate tap “Attack Logs” for a clearer presentation as shown in Figure 7.

4.2. Hardware Trojan

The hardware Trojan employed in this study is a hybrid design consisting of two separate Trojans based on references [26,42]. The newly established Trojan was then simulated on Logisim and emulated on an FPGA Cyclone IV (D2-115) Intel board.

Figure 8 illustrates a counter-based Trojan, commonly referred to as a “ticking time-bomb” [26]. This architecture serves as a case study for our project. The activation mechanism consists of an XOR gate and a k-bit counter. When a = b = 1, the k-bit counter is decremented. When a ≠ b, the counter is incremented. When the counter value exceeds a predefined number N, the output signal is altered.

According to [42], for a system to authenticate user-password pairs $x$ and f, the function $f\left(x\right)$ needs to be constructed. With $f\left(x\right)=x^2$, the design specifies ten users, $I_0$ through $I_9$. Because there are ten users, the designer utilizes four bits, $x_1$ to $x_4$, to encode them. Because the greatest function output is 81, seven bits, $z_1$ to $z_7$, are required. Figure 9 shows the final circuit.

Because the input is 4 bits, we can have 16 users. However, this design does not utilize all of these. Consequently, 6 users are not in use and are in the “don’t care” condition. The designer asserts that the circuit correctly performs the function $f\left(x\right)=x^2$ despite this incomplete specification. If an attacker makes the minor modification shown in Figure 10 (in red), the output for the ten valid inputs remains unchanged compared to the original circuit. For inputs 10 and 11, there are two additional correct outputs. Thus, the modified circuit included a backdoor Trojan.

Figure 11 presents the outputs of the circuits.

In this study, we designed an HT that combines the two types by using the counter-based Trojan result as a selection line for a multiplexer, which determines whether the backdoor Trojan is activated. Figure 12 shows the circuit of the HT in Logisim. The switches in Box 2 were used to enter the user number to generate the corresponding password. Box 1 contains LEDs that represent the values of $z_1$ to $z_7$ from left to right. In addition, the 7-segment display in Box 3 shows the current value of the counter.

The proposed IoT system architecture was simulated using serial programming for FPGA-Raspberry Pi communication. General Purpose Input Output (GPIO) in the FPGA and the Raspberry Pi were used to achieve serial communication between them. Data can be sent from one board to the other to facilitate control of the FPGA using Raspberry Pi (see script 3).

Script 3. Hardware Trojan on Raspberry Pi in Python

Next, Quartus was used to synthesize the Trojan on the FPGA board. The VHSIC Hardware Description Language (VHDL) was used, and the project consisted of four files. Three of these files were for different circuit components and the main file included all of them. The FPGA accepts inputs $a, b, x_0, x_1, x_2$ and $x_3$, which are used by the counter-based and backdoor Trojans, respectively. An LED is assigned to each output from $z_0$ to $z_7$.

If the counter does not exceed the preset value, the circuit operates normally and does not create a backdoor that allows hackers to breach the system. Only ten users can successfully generate a password in this circuit. However, those ten users require four bits to encode, which allows for the creation of six additional undesirable users. When the HT is not enabled, the circuit will continue to function normally; however, when triggered, the HT will allow two more users to obtain the correct password. This circuit can be assumed to be part of a smart-lock IoT device that only permits ten users to unlock the SmartLock. The generation function for the passwords is $f\left(x\right)=x^2$.

Script 4 shows the implementation of the HT in VHDL language on Quartus.

Script 4. Hardware Trojan Architecture in VHDL

As shown in Figure 13 in Modelsim, the value of the counter changes as a result of XORing A and B together. The Trojan will not be activated unless the counter reaches 7 ‘111’. A value of 7 is predefined in the code and can be changed as needed. Once this state is reached, the circuit cannot return to its previous configuration, because a backdoor has been created.

5. Results and Discussion

6. Conclusion and Future Work

References

1. Alyasiri, H.; Clark, J.A.; Malik, A.; Fréin, R.d. Grammatical evolution for detecting cyberattacks in internet of things environments. In Proceedings of the International Conference on Computer Communications and Networks (ICCCN), Athens, Greece; 2021; pp. 1–6. [Google Scholar] [CrossRef]
2. Suber, J.G.; Zantua, M. Intelligent Interaction Honeypots for Threat Hunting within the Internet of Things. Journal of The Colloquium for Information Systems Security Education. 2022, 9, 1–5. [Google Scholar] [CrossRef]
3. Khraisat, A., Alazab, A. A critical review of intrusion detection systems in the internet of things: techniques, deployment strategy, validation strategy, attacks, public datasets and challenges. Cybersecur. 2021, 4, 18, 1-27. [CrossRef]
4. Kumar, A.; Abhishek, K.; Ghalib, M.R.; Shankar, A.; Cheng, X. Intrusion detection and prevention system for an IoT environment. Digital Communications and Networks. 2022, 8, 540–551. [Google Scholar] [CrossRef]
5. Pa, Y.M.P.; Suzuki, S.; Yoshioka, K.; Matsumoto, T.; Kasama, T.; Rossow, C. IoTPOT: A novel honeypot for revealing current IoT threats. Journal of Information Processing. 2016, 24, 522–533. [Google Scholar] [CrossRef]
6. Almohannadi, H.; Awan, I.; Al Hamar, J.; Cullen, A.; Disso, J.P.; Armitage, L. Cyber Threat Intelligence from Honeypot Data Using Elasticsearch. In Proceedings of the 2018 IEEE 32nd International Conference on Advanced Information Networking and Applications (AINA), Krakow, Poland; 2018; pp. 900–906. [Google Scholar] [CrossRef]
7. Hakim, M.A.; Aksu, H.; Uluagac, A.S.; Akkaya, K. U-PoT: A Honeypot Framework for UPnP-Based IoT Devices. In Proceedings of the 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC), Orlando, FL, USA; 2018; pp. 1–8. [Google Scholar] [CrossRef]
8. Shahin, S.; Soubra, H. An IoT Adversary Emulation prototype tool. In Proceedings of the 2022 5th International Conference on Information and Computer Technologies (ICICT), New York, NY, USA; 2022; pp. 7–12. [Google Scholar] [CrossRef]
9. Sabry, N.; Abobkr, M.; ElHayani, M.; Soubra, H. A Cyber-Security Prototype Module for Smart Bikes. In Proceedings of the 2021 16th International Conference on Computer Engineering and Systems (ICCES), Cairo, Egypt, Egypt; 2021; pp. 1–5. [Google Scholar] [CrossRef]
10. Elhusseiny, N.; Sabry, M.; Soubra, H. B2X Multiprotocol Secure Communication System for Smart Autonomous Bikes. In Proceedings of the 2023 IEEE Conference on Power Electronics and Renewable Energy (CPERE), Luxor, Egypt; 2023; pp. 1–6. [Google Scholar] [CrossRef]
11. Joel, M.R.; Manikandan, G.; Bhuvaneswari, G. An Analysis of Security Challenges in Internet of Things (IoT) based Smart Homes. In Proceedings of the 2023 Second International Conference on Electronics and Renewable Systems (ICEARS), Tuticorin, India; 2023; pp. 490–497. [Google Scholar] [CrossRef]
12. Bryant, B.; Saiedian, H. Key challenges in security of IoT devices and securing them with the blockchain technology. Security and privacy. 2022, 5, 5. [Google Scholar] [CrossRef]
13. Alawadhi, J.; AlJanabi, A.M.; Khder, M.A.; Ali, B.J.A.; Al–Shalabi, R.F. Internet of Things (IoT) Security Risks: Challenges for Business. In Proceedings of the 2022 ASU International Conference in Emerging Technologies for Sustainability and Intelligent Systems (ICETSIS), Manama, Bahrain; 2022; pp. 450–456. [Google Scholar] [CrossRef]
14. Khanam, R. Review of Threats in IoT Systems: Challenges and Solutions. International Journal For Science Technology And Engineering. 2023, 11, 325–341. [Google Scholar] [CrossRef]
15. Haris, M.A.H.B.; Yahya, M.I.H.B.; Ibrahim, M.N.B. Security and Privacy Issues in Internet of Things (IoT). TechRxiv. 2023. [CrossRef]
16. Gupta, S.; Lingareddy, N. Security Threats and Their Mitigations in IoT Devices. In: Pawar, P.M., Balasubramaniam, R., Ronge, B.P., Salunkhe, S.B., Vibhute, A.S., Melinamath, B. (eds) Techno-Societal 2020. Springer, Cham, 2021. [CrossRef]
17. Bakshi, G. IoT Architecture Vulnerabilities and Security Measures. In: Bhardwaj, A., Sapra, V. (eds) Security Incidents & Response Against Cyber Attacks. EAI/Springer Innovations in Communication and Computing. Springer, Cham, 2021. [CrossRef]
18. Hromada, D.; Costa, R.L.; Santos, L.; Rabadão, C. Security Aspects of the Internet of Things. In C. González García & V. García-Díaz (Eds.), IoT Protocols and Applications for Improving Industry, Environment, and Society (pp. 207-233). IGI Global, 2021. [CrossRef]
19. Mallik, P.; Jena, O.P. Analysis of Security Vulnerabilities of Internet of Things and It’s Solutions. In: Udgata, S.K., Sethi, S., Srirama, S.N. (eds) Intelligent Systems. Lecture Notes in Networks and Systems, vol 185. Springer, Singapore, 2021. [CrossRef]
20. Amit, Dhingra, A.; Sangwan, A.; Sindhu, V. DDOS Attack on IOT devices. Int J Circuit Comput Networking 2022; 3(1), 33-42. [CrossRef]
21. Lightbody, D.; Ngo, D.-M.; Temko, A.; Murphy, C.C.; Popovici, E. Attacks on IoT: Side-Channel Power Acquisition Framework for Intrusion Detection. Future Internet, 2023, 15, 187. [CrossRef]
22. Mohd Bakry, B.B.; Bt Adenan, A.R.; Mohd Yussoff, Y.B. Security Attack on IoT Related Devices Using Raspberry Pi and Kali Linux. In Proceedings of the 2022 International Conference on Computer and Drone Applications (IConDA), Kuching, Malaysia; 2022; pp. 40–45. [Google Scholar] [CrossRef]
23. Neto, E.C.P.; Dadkhah, S.; Ferreira, R.; Zohourian, A.; Lu, R.; Ghorbani, A.A. CICIoT2023: A Real-Time Dataset and Benchmark for Large-Scale Attacks in IoT Environment. Sensors 2023, 23, 5941. [Google Scholar] [CrossRef] [PubMed]
24. Kampel, L.; Kitsos, P.; Simos, D.E. Locating Hardware Trojans Using Combinatorial Testing for Cryptographic Circuits. IEEE Access 2022, 10, 18787–18806. [Google Scholar] [CrossRef]
25. Jain, A.; Zhou, Z.; Guin, U. Survey of Recent Developments for Hardware Trojan Detection. In Proceedings of the 2021 IEEE International Symposium on Circuits and Systems (ISCAS), Daegu, Korea; 2021; pp. 1–5. [Google Scholar] [CrossRef]
26. Liu, H.; Luo, H.; Wang, L. Design of hardware trojan horse based on counter. In Proceedings of the 2011 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering, Xi’an, China; 2011; pp. 1007–1009. [Google Scholar] [CrossRef]
27. Shakya, B.; He, T.; Salmani, H. et al. Benchmarking of Hardware Trojans and Maliciously Affected Circuits. J Hardw Syst Secur 2017, 1, 85–102. [CrossRef]
28. Tang, W.; Su, J.; Gao, Y. Hardware Trojan Detection Method Based on Dual Discriminator Assisted Conditional Generation Adversarial Network. J Electron Test 2023, 39, 129–140. [Google Scholar] [CrossRef]
29. Dakhale, B.; Vipinkumar, K.; Narotham, K.; Kadam, S.; Bhurane, A.A.; Kothari, A.G. Automated Detection of Hardware Trojans using Power Side-Channel Analysis and VGG-Net. In Proceedings of the 2023 2nd International Conference on Paradigm Shifts in Communications Embedded Systems, Machine Learning and Signal Processing (PCEMS), Nagpur, India; 2023; pp. 1–5. [Google Scholar] [CrossRef]
30. Mao, J.; Jiang, X.; Liu, D.; Chen, J.; Huang, K. A Hardware Trojan-Detection Technique Based on Suspicious Circuit Block Partition. Electronics 2022, 11, 4138. [Google Scholar] [CrossRef]
31. Hassan, R.; Meng, X.; Basu, K.; Dinakarrao, S.M.P. Circuit Topology-Aware Vaccination-Based Hardware Trojan Detection. Trans. Comp.-Aided Des. Integ. Cir. Sys. 42, 9 (Sept. 2023), 2852–2862. [CrossRef]
32. Yasaei, R.; Chen, L.; Yu, S.-Y.; Faruque, M.A.A. Hardware trojan detection using graph neural networks. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 2022, 1-14. [CrossRef]
33. Brunner, M.; Lee, H.H.; Hepp, A.; Baehr, J.; Sigl, G. Hardware Honeypot: Setting Sequential Reverse Engineering on a Wrong Track. In Proceedings of the 2024 27th International Symposium on Design & Diagnostics of Electronic Circuits & Systems (DDECS), Kielce, Poland; 2024; pp. 47–52. [Google Scholar] [CrossRef]
34. Wegerer, M.; Tjoa, S. Defeating the Database Adversary Using Deception - A MySQL Database Honeypot. In Proceedings of the 2016 International Conference on Software Security and Assurance (ICSSA), Saint Pölten, Austria; 2016; pp. 6–10. [Google Scholar] [CrossRef]
35. Piggin, R.; Buffey, I. Active defence using an operational technology honeypot. In Proceedings of the 11th International Conference on System Safety and Cyber-Security (SSCS 2016), London, UK; 2016; pp. 1–6. [Google Scholar] [CrossRef]
36. Kibret, Y.; Yong, W. Design and Implementation of Dynamic Hybrid Virtual Honeypot Architecture for Attack Analysis. Int J Netw Distrib Comput 2013, 1, 108–123. [Google Scholar] [CrossRef]
37. Guan, C.; Liu, H.; Cao, G.; Zhu, S.; La Porta, T. HoneyIoT: Adaptive High-Interaction Honeypot for IoT Devices Through Reinforcement Learning. In Proceedings of the 16th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec ‘23). Association for Computing Machinery, New York, NY, USA; 2023; pp. 49–59. [Google Scholar] [CrossRef]
38. Ellouh, M.; Ghaleb, M.; Felemban, M. IoTZeroJar: Towards a Honeypot Architecture for Detection of Zero-Day Attacks in IoT. In Proceedings of the 2022 14th International Conference on Computational Intelligence and Communication Networks (CICN), Al-Khobar, Saudi Arabia; 2022; pp. 765–771. [Google Scholar] [CrossRef]
39. Srinivasa, S.; Pedersen; J.M.; Vasilomanolakis, E. RIoTPot: A Modular Hybrid-Interaction IoT/OT Honeypot. In Proceedings of the the 26th European Symposium on Research in Computer Security (ESORICS), Darmstadt, Germany, 2021, 1-7. [CrossRef]
40. Srinivasa, S.; Pedersen; J.M.; Vasilomanolakis, E. 2022. Interaction matters: a comprehensive analysis and a dataset of hybrid IoT/OT honeypots. In Proceedings of the 38th Annual Computer Security Applications Conference (ACSAC ‘22). Association for Computing Machinery, New York, NY, USA, 742–755. [CrossRef]
41. Lu, X. -X.; Yu, X. -N.; Liu, Y. -Z.; Zhang, M. Dynamic Deployment Model of Lightweight Honeynet for Internet of Things. In Proceedings of the 2022 International Conference on 6G Communications and IoT Technologies (6GIoTT), Fuzhou, China, 2022, pp. 30-34. [CrossRef]
42. Moein, S.; Gulliver, T.A.; Gebali, F.; Alkandari, A. A New Characterization of Hardware Trojans. IEEE Access 2016, 4, 2721–2731. [Google Scholar] [CrossRef]