ID 68935
Author
Victor, Hervet Okayama University
Kobayashi, Satoru Faculty of Environmental, Life, Natural Science and Technology, Okayama University
Yamauchi, Toshihiro Faculty of Environmental, Life, Natural Science and Technology, Okayama University
Abstract
With the continuous proliferation of Internet of Things (IoT) devices, malware threats that specifically target these devices continue to increase. The urgent need for robust security measures is predicated on a comprehensive understanding of the behavioral patterns of IoT malware. However, previous studies have often overlooked the analysis of command sequences in Telnet logs. This study bridges this research gap by examining the post-injection behaviors of attackers. By analyzing a vast dataset comprising more than ten million logs collected from an IoT honeypot, we reveal three distinct post-injection activity patterns, each with unique characteristics. These patterns provide pivotal insights that not only help distinguish between legitimate operations and attempted attacks, but also drive the development of robust cybersecurity measures that effectively deter such behaviors. The nuances discovered in this study contribute significantly to IoT security by enhancing our understanding of malware tactics and informing targeted defense strategies.
Keywords
Malware analysis
IoT
Honeypot
Log analysis
Attack patterns
Note
© 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
This fulltext file will be available in Feb. 2026.
Published Date
2023-11-27
Publication Title
2023 Eleventh International Symposium on Computing and Networking Workshops (CANDARW)
Publisher
IEEE
Start Page
292
End Page
297
ISSN
2832-1324
Content Type
Conference Paper
Language
English
OAI-PMH Set
Okayama University
Copyright Holders
© 2023 IEEE.
File Version
author
DOI
Related Url
isVersionOf https://doi.org/10.1109/candarw60564.2023.00055
Citation
H. Victor, S. Kobayashi and T. Yamauchi, "Analyzing Post-injection Attacker Activities in IoT Devices: A Comprehensive Log Analysis Approach," 2023 Eleventh International Symposium on Computing and Networking Workshops (CANDARW), Matsue, Japan, 2023, pp. 292-297, doi: 10.1109/CANDARW60564.2023.00055.
Funding Information
22H03592: Research on making attacks more difficult through per-device software configuration changes and on attack-resistant infrastructure software ( Japan Society for the Promotion of Science )