Date of Award

Spring 3-2020

Document Type


Degree Name

Doctor of Philosophy in Cyber Operations (PhDCO)


Computer Science

First Advisor

Josh Pauli

Second Advisor

Josh Stroschein

Third Advisor

Gabe Mydland


Internet of Things (IoT) devices are quickly growing in adoption. The use case for IoT devices runs the gamut from household applications (such as toasters, lighting, and thermostats) to medical, battlefield, or Industrial Control System (ICS) applications used in life-or-death situations. A disturbing trend is that IoT devices are not developed with security in mind. This lack of security has led to the creation of massive botnets that conduct nefarious acts. A clear understanding of the threat landscape IoT devices face is needed to address these security issues. One technique used to understand threats is to deploy honeypots that masquerade as legitimate IoT devices and analyze what attackers do to them.

Current research shows that it is challenging to create high-interaction IoT honeypots due to the heterogeneous nature of IoT devices and the lack of emulators. This study seeks to answer the research question, "How can an ideal IoT honeypot emulate existing IoT devices and be high-interaction by allowing the inspection of the full OS running on the device to detect when an attack is occurring, support an arbitrary number of services, and record metrics related to the attack?" The answer to this question would allow for the development of an IoT honeypot that provides valuable insight into how threat actors attack, exploit, and use IoT devices to their advantage.

This research used design science research methods to explore the creation of a Virtual Machine Introspection-based high-interaction honeypot framework for IoT devices that is capable of emulating existing devices, gathering Operating-System-level artifacts, and monitoring an arbitrary number of services. Two artifacts were developed: a theoretical framework and an instantiation of the theoretical framework. The theoretical framework drove the design of the framework instantiation, while the instantiation validated the theoretical framework design. The framework design goals were validated using two case studies that emulated consumer-grade IoT devices and infected them with the Reaper and Silex botnets.