IDENTIFYING HONEYPOTS SIMULATING INTERNET-CONNECTED INDUSTRIAL-CONTROL SYSTEM DEVICES
Brown, Justin C.
Rowe, Neil C.
Heuristic analysis can reveal honeypots (decoy computer systems that gather intelligence on attackers) among Internet-connected industrial-control sites. Detectability of honeypots is undesirable, since it lets a careful adversary avoid them and thus withholds valuable intelligence. However, counting honeypots is crucial to cyber-security policy and planning activities. Using a data set that includes industrial-control sites and industrial-control honeypots on the public Internet, we tested three heuristics for their ability to detect instances of the Conpot honeypot. The heuristics searched for sites containing keywords from Conpot, for services on combinations of port numbers matching Conpot, and for industrial-control sites located at a public cloud service provider. The performance of each heuristic was tested by manual inspection of the data returned by hosts to Shodan's probes, which we used to assess whether each host was an instance of Conpot or not. Testing showed mixed success for the three heuristics and highlighted the presence of honeypots simulating Siemens STEP 7 devices. We also tested Honeyscore, a commercial product that tries to identify honeypots, and found that it had good success but was not perfect. We show that no single tool detected all honeypots, and that multiple tools can be complementary. Suggestions are offered for increasing detection rates, as well as potential additional heuristics to test.
Approved for public release; distribution is unlimited.