HoneyJudge: A PLC Honeypot Identification Framework Based on Device Memory Testing
IEEE Transactions on Information Forensics and Security (IF 6.3). Pub Date: 2024-05-30. DOI: 10.1109/tifs.2024.3407520
Hengye Zhu 1, Mengxiang Liu 2, Binbin Chen 3, Xin Che 1, Peng Cheng 1, Ruilong Deng 1
The widespread use of programmable logic controllers (PLCs) in critical infrastructures has given rise to escalating cybersecurity concerns regarding PLC attacks. As a proactive defense mechanism, PLC honeypots emulate genuine controllers to engage adversaries so that their attack tactics and techniques can be observed. As part of the arms race between offense and defense, multiple PLC honeypot identification tools have been developed. However, many existing tools cannot recognize high-fidelity honeypots, since they rely on identifying common network services and fingerprints. In this paper, we propose an innovative and practical honeypot identification framework called HoneyJudge, which goes beyond state-of-the-art (SOTA) network-fingerprint-based identification tools such as Nmap and PLCScan. HoneyJudge tests the suspected target's device-specific memory content and features. Specifically, HoneyJudge models the internal memory of a PLC in three categories, system-level, user-level, and process-level, and on that basis extracts six representative memory features. All features are acquired through automated network request messages. We then design a weighted voting algorithm that combines the test results over the different memory features to reach the final verdict. We validate the effectiveness of HoneyJudge in comparison with several SOTA honeypot identification tools; the results indicate that memory-related fidelity issues have not been well addressed in existing PLC honeypots and still need substantial research effort.

Updated: 2024-05-30