Identifying Anomalous Network Flow Activity Using Cloud-Based Honeypots

Abstract

This work addressed efficient and effective implementation of honeypots (decoy devices) in cloud services. Honeypots are essential tools for detecting new attacks on computers and networks, and cloud services are distributed processing systems that can be used to provide great flexibility in software deployment. The particular subtype of honeypot we investigated was for industrial control systems (ICS) that manage electrical-power systems. Starting with two existing software frameworks called Conpot and GridPot, we added new obfuscation techniques, new simulated features of a fake electric grid, and new interfaces that looked like real power-plant controls to increase their deceptive power. These deceptions were effective in our first experiments with a standalone honeypot, as we were attacked twice by a sophisticated adversary as well as by many other less sophisticated attackers. In our second experiments, not yet complete, we deployed the same honeypot configurations at two cloud sites in the U.S. and in Asia. We saw clear differences between all three deployments, showing that context is very important in deceiving attackers and collecting useful data about their attacks. We were concerned deployment in the cloud could be detected by attackers and discourage their investigation, but we saw no evidence of that; apparently enough real electric-generation systems are deployed in the cloud today that they are not suspicious. We conclude that honeypots for industrial control systems using cloud services are a useful tool for information security.