
Characterizing Internet-Scale ICS Automated Attacks Through Long-Term Honeypot Data

Conference paper, Information and Communications Security (ICICS 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11999)

Abstract

Industrial control system (ICS) devices with IP addresses are accessible on the Internet and have become an essential part of critical infrastructures. This exposure also attracts cyber-attacks that target the specific ports of proprietary industrial protocols. However, a comprehensive understanding of these ICS threats in cyberspace is still lacking. To this end, this paper uniquely combines active interaction on ICS-related ports with analysis of long-term multi-port traffic, in a first attempt to capture and comprehend ICS automated attacks based on private protocols. Specifically, we first propose a minimal-interaction scheme for an ICS honeypot (MirrorPot), which can listen on any port and respond automatically without understanding the protocol format. Then, we devise a preprocessing algorithm that extracts request payloads from long-term honeypot-captured data and classifies them. Finally, to better characterize ICS attacks based on private industrial protocols, we propose a Markov state transition model that describes their attack complexity. Our experiments reveal several unknown probing methods that have not been observed by previous work. We believe that our work provides a solid first step towards capturing and comprehending real ICS attacks based on private protocols.
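To make the three stages in the abstract concrete (a port-agnostic honeypot that logs whatever it receives, a preprocessing step that classifies request payloads, and a Markov transition model whose structure measures attack complexity), here is an added offline example. It is not the paper's MirrorPot code: the log line format, the request-class labels, the per-source complexity measure and every log record in `SAMPLE_LOG` are this example's own constructed assumptions. The classifier knows the Modbus function-code offset and the COTP PDU-type byte only so the constructed data yields readable class names; any other port falls back to a raw prefix, which is all a protocol-unaware honeypot could offer.

```python
"""
Added example: honeypot log -> request classes -> per-source Markov model -> complexity.
Not the paper's MirrorPot implementation; log format, class labels and the complexity
measure are assumptions of this example. SAMPLE_LOG is constructed sample data.
"""
from collections import Counter, defaultdict
from math import log2

# Constructed records: "<timestamp> <source IP> <destination port> <hex payload>".
# The honeypot is assumed to record every request verbatim, whatever the protocol.
SAMPLE_LOG = """\
2019-09-01T10:00:00 198.51.100.7 502 000100000006010300000001
2019-09-01T10:00:01 198.51.100.7 502 000200000005012b0e0100
2019-09-01T10:00:02 198.51.100.7 502 000300000006010300000001
2019-09-01T10:00:03 198.51.100.7 502 000400000005012b0e0100
2019-09-01T10:05:00 203.0.113.9 102 0300001611e00000000100c0010ac1020100c2020102
2019-09-01T10:05:01 203.0.113.9 102 0300001902f08032010000000000080000f0000001000101e0
2019-09-01T10:07:00 192.0.2.4 20000 0564050000000000
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, src, port, payload bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, hexpayload = line.split()
        records.append((ts, src, int(port), bytes.fromhex(hexpayload)))
    return records


def classify(port, payload):
    """Map one request to a request-class label (the Markov state).

    Modbus/TCP: function code sits after the 7-byte MBAP header.
    S7comm over ISO-on-TCP: byte 5 is the COTP PDU type (0xe0 connect request, 0xf0 data).
    Anything else: port plus the first two payload bytes, i.e. no protocol knowledge.
    """
    if port == 502 and len(payload) >= 8:
        return f"modbus/fc{payload[7]:02x}"
    if port == 102 and len(payload) >= 6 and payload[0] == 0x03:
        return f"s7/cotp_{payload[5]:02x}"
    return f"raw/{port}/{payload[:2].hex()}"


def build_sequences(records):
    """Group classified requests per source IP, in timestamp order."""
    seqs = defaultdict(list)
    for _ts, src, port, payload in sorted(records):
        seqs[src].append(classify(port, payload))
    return dict(seqs)


def fit_markov(sequence):
    """First-order Markov model: P(next | current) with START/END pseudo-states."""
    counts = defaultdict(Counter)
    prev = "START"
    for state in sequence:
        counts[prev][state] += 1
        prev = state
    counts[prev]["END"] += 1
    return {s: {n: c / sum(nxt.values()) for n, c in nxt.items()} for s, nxt in counts.items()}


def _entropy(dist):
    """Shannon entropy (bits) of one row of the transition table."""
    return -sum(p * log2(p) for p in dist.values() if p > 0)


def complexity(model):
    """Assumed complexity measure: distinct request classes, distinct transitions
    between them, and the average branching entropy of the visited states."""
    real = [s for s in model if s != "START"]
    edges = sum(1 for s in real for n in model[s] if n != "END")
    entropy = sum(_entropy(model[s]) for s in real) / len(real) if real else 0.0
    return {"states": len(real), "transitions": edges, "branch_entropy": entropy}


def rank_sources(log_text):
    """Return (source, complexity) pairs, most complex interaction first."""
    seqs = build_sequences(parse_log(log_text))
    scored = [(src, complexity(fit_markov(seq))) for src, seq in seqs.items()]
    scored.sort(key=lambda kv: (kv[1]["states"], kv[1]["transitions"], kv[1]["branch_entropy"]),
                reverse=True)
    return scored


if __name__ == "__main__":
    for src, score in rank_sources(SAMPLE_LOG):
        print(f"{src:14} states={score['states']} transitions={score['transitions']} "
              f"branch_entropy={score['branch_entropy']:.2f}")
```

On the constructed data the Modbus source alternates between two request classes, so its model has a branching state (after `modbus/fc2b` it either repeats the read or ends the session), while the single-request source has one state and no transitions. Ranking sources by these model statistics is one way to separate a simple one-shot probe from a multi-stage interaction when the honeypot itself cannot interpret the protocol.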



Acknowledgement

The research presented in this paper is supported by the National Key R&D Program of China (Grant No. 2018YFB0803402), Strategic Priority Research Program of the Chinese Academy of Sciences (Grant No. XDC02020500), Key Program of National Natural Science Foundation of China (Grant No. U1766215), National Natural Science Foundation of China (Grant No. 61702503).

Author information

Corresponding author: Limin Sun.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

You, J., Lv, S., Hao, Y., Feng, X., Zhou, M., Sun, L. (2020). Characterizing Internet-Scale ICS Automated Attacks Through Long-Term Honeypot Data. In: Zhou, J., Luo, X., Shen, Q., Xu, Z. (eds) Information and Communications Security. ICICS 2019. Lecture Notes in Computer Science(), vol 11999. Springer, Cham. https://doi.org/10.1007/978-3-030-41579-2_5


  • DOI: https://doi.org/10.1007/978-3-030-41579-2_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41578-5

  • Online ISBN: 978-3-030-41579-2

  • eBook Packages: Computer Science (R0)
