ICS Honeypot System (CamouflageNet) Based on Attacker's Human Factors

Abstract: In order to protect ICS (Industrial Control System), there are many discussions about ICS security from the viewpoint of cyber defenders. ICS, however, has its specific difficulties to install IT security means such as antivirus with firewall software, because of its 24 hour-a-day, 365 days-a-year non-stop operation under the safety first culture. Comparing IT system, ICS has a certain advantage related to handling against cyber-attacks with operation staffs and safety devices installed in a plant. It is indis… Show more

“…As the THS deceives attackers and emulates responses as a real PLC, it can observe payload sent from the attackers. This enhanced function to record attack procedures in detail and for the extended area is the significant difference from the preceding study [8]. As the two examples have demonstrated, the THS is more heavily focused on response to commands compared to conventional honeypots.…”

“…Another research collected device-specific information contained in the response from devices in ICS networks (e.g. product name, model number, vendor information) and integrated them in the honeypot's response, which successfully observed some attacker activities against ICS networks [8].…”

“…In this sense, as a means to detect threats in ICS network, technologies applying honeypots have been proposed [8]. A honeypot is a system imitating a vulnerable system, which attracts attackers and bypasses possible attacks against devices in use.…”

“…Generally, honeypots are directly connected to the Internet and used for observing attack methods through receiving attacks. In detecting threats in ICS networks [8], it can also be connected to networks which have control devices (e.g. programmable logic controllers (PLCs)) to detect lateral movement.…”

“…Given the discussion, JPCERT/CC developed a honeypot which detects scans out of obtained logs and analyses the source host and attacking packets [14]. The system was also tested to identify attack sources, based on attack detection method in ICS networks using honeypot [8]. The details of the honeypot will be described in section 2.…”

Developing Deception Network System with Traceback Honeypot in ICS Network

“…As the THS deceives attackers and emulates responses as a real PLC, it can observe payload sent from the attackers. This enhanced function to record attack procedures in detail and for the extended area is the significant difference from the preceding study [8]. As the two examples have demonstrated, the THS is more heavily focused on response to commands compared to conventional honeypots.…”

“…Another research collected device-specific information contained in the response from devices in ICS networks (e.g. product name, model number, vendor information) and integrated them in the honeypot's response, which successfully observed some attacker activities against ICS networks [8].…”

“…In this sense, as a means to detect threats in ICS network, technologies applying honeypots have been proposed [8]. A honeypot is a system imitating a vulnerable system, which attracts attackers and bypasses possible attacks against devices in use.…”

“…Generally, honeypots are directly connected to the Internet and used for observing attack methods through receiving attacks. In detecting threats in ICS networks [8], it can also be connected to networks which have control devices (e.g. programmable logic controllers (PLCs)) to detect lateral movement.…”

“…Given the discussion, JPCERT/CC developed a honeypot which detects scans out of obtained logs and analyses the source host and attacking packets [14]. The system was also tested to identify attack sources, based on attack detection method in ICS networks using honeypot [8]. The details of the honeypot will be described in section 2.…”

Developing Deception Network System with Traceback Honeypot in ICS Network

An ICS Based Scenario Generator for Cyber Ranges

Network traffic intelligence using a low interaction honeypot