\section{Honeypot Concept}
In this chapter, we propose an abstract scenario of a drone environment with the honeypot in place. We then propose a basic architecture of the honeypot.
\subsection{Basic honeypot scenario}
\par Attacks on drones are more likely in an area with high drone activity. Typically, in such an area, all drones belong to the same organization and therefore offer similar functionality and implement similar protocols, e.g., inspection drones along power lines. To explain the advantage of using a honeypot in such areas, we provide a basic usage scenario for the honeypot, in the context of drones, at a higher level of abstraction. Figure 3 shows a basic scenario with one honeypot node, one real drone and one attacker. A honeypot node consists of a Linux machine that can run instances of the honeypot, one or more communication endpoints associated with the machine, and a power source. In this scenario, it is assumed that a node runs only one instance of the honeypot. The communication endpoint is kept abstract, as there are a number of ways to establish communication with a drone, including Wi-Fi, Bluetooth, LTE, etc. The software and hardware tools used by the attacker are also kept abstract. The attacker, within the vicinity of a real drone, receives the signals from the honeypot placed within the attacker's range.
\begin{figure}[h!]
\centering
\includegraphics[scale=0.6]{graphics/basic_scenario.png}
\caption{Basic Honeypot Scenario}
\label{fig:SCENARIO}
\end{figure}

\par In a real-life scenario, the network is much larger. Typical examples include drones deployed for inspecting power lines, drones deployed inside a warehouse, surveillance drones along borders, delivery drones, etc. In such cases, multiple nodes are placed along the edges of the network for greater coverage. Each node runs one or more instances of the honeypot and logs information about the attacks either to its own dedicated database or to a centralized database.
\par Another possibility is to have the drone software run on the flight controller itself alongside the autopilot software. As some flight controllers are purely Linux-based, this is achievable, and in this case there is no requirement for a separate power source. However, an additional Wi-Fi module would be necessary.
\subsection{Honeypot Architecture}
\par In this section, we propose a generic architecture for the drone honeypot, which we name `HoneyDrone'. Drones differ from each other mainly in three aspects: the type of connectivity, the method of communication and the file system of the drone. The type of connection established to a drone is typically wireless. However, most drones also offer USB serial port connectivity, which is primarily used for firmware updates. The options for wireless connectivity also differ across drone manufacturers and solution providers. The method of communication denotes the protocols used for communication. This is partially dependent on the type of connectivity. Finally, the file system depends on the drone itself. With respect to the HoneyDrone, the file system refers only to those files that are exposed upon connection. The three aspects discussed above are kept abstract so that the architecture can be applied to a large number of drone systems. The architecture is based on the application layer and communicates with the layers below. Figure 4 shows the architecture of the HoneyDrone.
\par The incoming traffic is handled by the \ac{nie}, which routes it to the appropriate services in the HoneyDrone host, based on the type of the interface that accepts the traffic. Once the traffic is routed to the HoneyDrone host, it is handled by the corresponding protocol service running on the host, to which the messages are addressed. Some of the services emulated by the HoneyDrone host, such as Telnet and \ac{ssh}, make use of the file system emulator to emulate the file system commands issued by the attacker. The file system emulator makes use of the `Drone File System', the collection of fake file systems of the different drones, to achieve its functionality. The HoneyDrone host is connected to the database and takes its settings from the configuration file.
\begin{figure}[h!]
\centering
\includegraphics[scale=0.65]{graphics/honeypot_architecture.png}
\caption{HoneyDrone Architecture}
\label{fig:ARCHITECTURE}
\end{figure}
\linebreak
\par The different components in the architecture are explained below.
\begin{enumerate}
\item \textbf{\ac{nie}}: The \ac{nie} is responsible for setting up the network interface of the drone that is being emulated by the HoneyDrone. Possible network interfaces include Wi-Fi, Bluetooth, LTE, etc. Wi-Fi and Bluetooth are the commonly used network interfaces in mini drones. Some of the emulated protocols depend on the network interface that has been set up. For example, Telnet is suited for Wi-Fi. However, protocols like MAVLink work across all the interfaces. When the HoneyDrone is set up, the \ac{nie} takes the connection settings from the configuration file, checks for the availability of network devices and brings up the interface. The logs generated during setup and the incoming connections are written to the database. In our prototype, we implement the Wi-Fi interface, resembling that of a drone.
\item \textbf{HoneyDrone Host}: The HoneyDrone host is the core of the HoneyDrone system. It is responsible for handling incoming connections, creating objects of specific protocols, and continuously monitoring and logging the traffic. The host takes its input from the configuration file in order to emulate specific protocols on a network interface. The protocols use a specific file system depending on the drone that is being emulated. The HoneyDrone host has three components, which are described below.
\begin{itemize}
\item \textbf{Services}: The services are a set of classes or modules, one for each protocol. They define the variables and methods that are used to emulate a particular protocol on the HoneyDrone. The protocols that can be emulated depend entirely on the network interfaces that have been set up. For example, Telnet and SSH can be emulated on a Wi-Fi interface, while they are not suited for a Bluetooth interface. The protocol settings are taken from the configuration file.
\item \textbf{Connection Guard}: Once the HoneyDrone is deployed, it is crucial that it is resilient to a large number of incoming connections, unexpected network behavior, etc. The Connection Guard ensures the smooth functioning of the HoneyDrone. Its responsibilities include limiting the number of incoming connections to a manageable threshold, bringing the HoneyDrone back up and restarting the services after an unexpected shutdown, etc.
\item \textbf{File System Emulator}: The file system emulator provides functions that interact with the drone file system. It is responsible for executing the commands entered by the attacker on the emulated console, such as copying, moving, creating and removing files.
\end{itemize}
\item \textbf{Drone File System}: The Drone File System refers to the emulated file system of a specific drone. In addition to emulating the file system of the drone, it also serves files to be downloaded by the attacker. Each file system has its own storage space to store the data uploaded by the attacker. The configuration file denotes which file system to emulate for a particular drone.
\item \textbf{HoneyDrone Database}: The HoneyDrone database stores all the information gathered by the HoneyDrone. The database can be file-based, relational or document-based. The HoneyDrone host stores the details of incoming connections and the activities of each connection in the database. It also stores the invalid user credentials entered by the attacker. In addition to the commands that are executed successfully, the HoneyDrone also stores unimplemented commands, which helps in identifying such commands for future implementation. The database can be either specific to a single HoneyDrone instance or centralized in the case of a distributed HoneyDrone setup.
\item \textbf{Configuration file}: This component refers to a single configuration file or a set of configuration files that are used by the \ac{nie} at the time of network interface setup and by the HoneyDrone host while the HoneyDrone is active. It contains details such as the type of network interface for the emulated drone, the file system to be chosen, settings for the protocols to be emulated, etc. A configuration file corresponds to one emulated drone, so it is possible to maintain different configuration files that serve as profiles.
\item \textbf{Incoming Traffic}: Incoming traffic refers to any traffic addressed to the network interface of the HoneyDrone.
\end{enumerate}
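
The interplay of the File System Emulator, the Drone File System and the HoneyDrone Database described above can be sketched as follows. This is an added example, not code from the HoneyDrone prototype: the class and function names, the in-memory SQLite log, the three emulated commands and the sample file system are assumptions made for illustration.

```python
import posixpath
import sqlite3

# Constructed fake file system (path -> content, None marks a directory); not a real drone's.
DRONE_FS = {"/": None, "/etc": None, "/data": None,
            "/etc/version": "fw 0.0.0 (constructed)", "/data/flight.log": "constructed"}

class FileSystemEmulator:
    def __init__(self, session, db=None, fs=DRONE_FS):
        self.session, self.cwd, self.fs = session, "/", dict(fs)  # per-session copy
        self.db = db or sqlite3.connect(":memory:")  # stand-in for the HoneyDrone database
        self.handlers = {"ls": self._ls, "cd": self._cd, "rm": self._rm}
        self.db.execute("CREATE TABLE IF NOT EXISTS commands (session, line, status)")

    def _abs(self, path):
        # normpath collapses '..', so paths cannot climb above the emulated root.
        return posixpath.normpath(posixpath.join(self.cwd, path))

    def _ls(self, args):
        d = self._abs(args[0] if args else ".")
        if self.fs.get(d, "") is not None:  # only a directory entry (None) passes
            return "ls: no such directory"
        prefix = d.rstrip("/") + "/"
        names = (p[len(prefix):] for p in self.fs if p.startswith(prefix) and p != d)
        return " ".join(sorted(n for n in names if "/" not in n))

    def _cd(self, args):
        d = self._abs(args[0] if args else "/")
        if self.fs.get(d, "") is None:  # directory entries are stored as None
            self.cwd = d
        return "" if self.cwd == d else "cd: no such directory"

    def _rm(self, args):
        path = self._abs(args[0]) if args else None
        if self.fs.get(path) is None:  # no operand, no such file, or a directory
            return "rm: cannot remove"
        del self.fs[path]  # only this session's copy changes, DRONE_FS stays intact
        return ""

    def run(self, line):
        name, *args = line.split() or [""]
        handler = self.handlers.get(name)  # allow-list; never getattr() on attacker input
        status = "ok" if handler else "unimplemented"
        self.db.execute("INSERT INTO commands VALUES (?, ?, ?)", (self.session, line, status))
        return handler(args) if handler else f"sh: {name}: not found"

def unimplemented_commands(db):
    rows = db.execute("SELECT line FROM commands WHERE status = 'unimplemented' ORDER BY rowid")
    return [r[0] for r in rows]
```

Every command line is logged before it is answered, so the list returned by `unimplemented_commands` shows which commands the emulator still lacks.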
