Tracking attack sources based on traceback honeypot for ICS network

Abe, Shingo; Tanaka, Yohei; Uchida, Yukako; Horata, Shinichi

doi:10.23919/sice.2017.8105603

Cited by 11 publications

(1 citation statement)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given the discussion, JPCERT/CC developed a honeypot which detects scans out of obtained logs and analyses the source host and attacking packets [14]. The system was also tested to identify attack sources, based on attack detection method in ICS networks using honeypot [8].…”

Section: Introductionmentioning

confidence: 99%

Developing Deception Network System with Traceback Honeypot in ICS Network

Abe

Tanaka²,

Uchida³

et al. 2018

SICE Journal of Control, Measurement, and System Integration

Self Cite

View full text Add to dashboard Cite

In industrial control system (ICS) network, communication is often conducted using custom protocols. Methods for analysis and protection from cyber threats that are specific to ICS network need to be discussed in line with each device and system specification. In this research, the honeypot technology, which is already practiced in IT networks, was further improved for ICS networks so that it responds to packets reaching the honeypots and even conducts counter-scan to collect information of the attack method and its sources. It has been already presented that machines infected with some known malware (e.g. Havex RAT) in ICS networks conduct scan activities against certain devices. For this type of attack, interaction honeypot is considered effective in identifying infected devices out of such scans. In the simulation based on Modbus Stager, which affects programmable logic controller (PLC) operation and connected PCs, the suggested interaction honeypot, namely "traceback honeypot system (THS)" successfully collected payload that is actually sent in the attacks by emulating responses to commands on Modbus protocols. Information obtained from THS-based observation can be used for proactive purposes as in separating infected devices from the operating network and restricting access to certain devices to prevent further infection in the ICS network. This paper discusses methods of tracking attack sources using the THS and preventing further infection within the network based on the search result.

show abstract

Section: Introductionmentioning

confidence: 99%