IDENTIFYING HONEYPOTS SIMULATING INTERNET-CONNECTED INDUSTRIAL-CONTROL SYSTEM DEVICES
Brown, Justin C.
Rowe, Neil C.
MetadataShow full item record
Heuristic analysis can reveal honeypots (decoy computer systems doing intelligence gathering) among Internet-connected industrial-control sites. Detectability of honeypots is undesirable, as it enables a careful adversary to avoid them, thus inhibiting valuable intelligence. However, counting honeypots is crucial to cyber-security policy and planning activities. Using a data set that includes industrial-control sites and industrial-control honeypots on the public Internet, we tested three heuristics for their ability to detect instances of the Conpot honeypot. The heuristics searched for sites containing keywords from Conpot, for services on combinations of port numbers matching Conpot, and for industrial-control sites located in a public cloud service provider. Performance of each heuristic was tested by manual inspection of data returned by hosts to Shodan's probes, which we used to assess each host's status as an instance of Conpot or not. Testing showed mixed success of the three heuristics, highlighting presence of honeypots simulating Siemens STEP 7 devices. We also tested Honeyscore, a commercial product which tries to identify honeypots, and found it had good success but was not perfect. We show that no single tool detected all honeypots, and that multiple tools can be complementary. Suggestions are offered for increasing detection rates, as well as potential additional heuristics to test.
RightsThis publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
Showing items related by title, author, creator and subject.
Creating Effective Industrial-Control-System Honeypots Rowe, Neil; Nguyen, Thuy; Kendrick, Marian; Rucker, Zaky; Hyun, Dahae; Brown, Justin (HICSS, 2020-01-07);Cyberattacks on industrial control systems (ICSs) can be especially damaging since they often target critical infrastructure. Honeypots are valuable network-defense tools, but they are difficult to implement for ICSs because ...
Creating Effective Industrial-Control-System Honeypots Rowe, Neil C.; Nguyen, Thuy D.; Kendrick, Marian M.; Rucker, Zaki A.; Hyun, Dahae; Brown, Justin C. (HICSS, 2020);Cyberattacks on industrial control systems (ICSs) can be especially damaging since they often target critical infrastructure. Honeypots are valuable network-defense tools, but they are difficult to implement for ICSs because ...
Identifying Anomalous Network Flow Activity Using Cloud-Based Honeypots Rowe, Neil C.; Nguyen, Thuy D.; Dougherty, Jeffrey T. (Monterey, California. Naval Postgraduate School, 2020-10); NPS-CS-20-003This work addressed efficient and effective implementation of honeypots (decoy devices) in cloud services. Honeypots are essential tools for detecting new attacks on computers and networks, and cloud services are distributed ...