
Homology Attack Analysis Research Oriented ICS Honeypot

Posted on: 2021-08-06
Degree: Master
Type: Thesis
Country: China
Candidate: J H Wang
Full Text: PDF
GTID: 2518306110497324
Subject: Software engineering

Abstract/Summary:
Attacker traceback is a critical method for identifying attack groups, and it matters especially for Industrial Control Systems (ICS), which as key facilities require accurate attacker traceback to improve their protection capability. Existing IP traceback techniques require changes to routing equipment and suffer from high equipment cost, poor traceback accuracy, an inability to handle attack events that involve multiple associated IPs, and difficulty of effective verification. In addition, a large number of present-day attacks are carried out through attack agents (intermediaries), which poses severe challenges to traditional IP traceback. In fact, most current ICS attacks are organized, large-scale attacks, and the attacker is not a single individual. Comprehensive traceback of the attack group is therefore of higher value for production safety in practice.

This thesis proposes a homologous attack analysis method for attacker traceback. Attacks carrying the same attacker information or similar attack characteristics are defined as homologous attacks, and attackers exhibiting homologous attack characteristics are judged to belong to the same attack group. Through a long-term, large-scale deployment of distributed ICS protocol honeypots, malicious Internet traffic directed at ICS equipment was collected and used for the homologous attack analysis experiments. The significance of the method is that it strengthens the isolation capability of existing security systems and effectively protects national infrastructure and important industrial enterprises.

By analyzing the Modbus protocol message information in the honeypot packets, combined with the Modbus protocol specification, the thesis proposes a homologous attack analysis method based on ICS protocol function code sequences that finds groups of malicious IPs with similar attacks, improving the efficiency and accuracy of IP traceback. Firstly, a rough set is generated from coarse-grained features based on function code statistics over the data packets. Secondly, the function code sequence is modeled and the attack behavior is quantified to obtain fine-grained features based on the function code sequence. Finally, a clustering model based on attack behavior is constructed to analyze the homologous attack experiment. This method achieves 100% accuracy and recall in identifying the Shodan IPs recorded in the threat intelligence database, and 91.065% accuracy in identifying malicious IPs belonging to other groups such as PLCScan, Censys and the University of Michigan.

Based on the flow information of the Modbus protocol honeypot data, the thesis further proposes a homologous industrial attack detection method based on CNN-LSTM. Flow features are extracted from the data, and a CNN and LSTM network with an attention mechanism learns the flow characteristics of Modbus. Using the back-propagation (BP) algorithm and activation functions, the attention weighting matrix of the model is iteratively optimized, and classification results are produced through unsupervised learning followed by supervised fine-tuning. Compared with other methods, this method has higher accuracy and F1 value and performs particularly well when processing offline honeypot data: the CNN-LSTM homologous attack detection method based on the ICS protocol reaches 93.7% accuracy, and it discovered 10 devices, including those of well-known search engines such as Shodan and Censys, involving more than 200 IP nodes.
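One way to realise the function-code-sequence step described above, as an added example that is not code from the thesis: it parses constructed Modbus/TCP honeypot captures into per-source function code sequences, builds order-preserving n-gram features from them, and groups sources whose features are similar. The capture data, the IP addresses and the Jaccard/single-linkage grouping are assumptions standing in for the thesis's own feature model and cluster model.

```python
import struct

def mbap(tid, unit, pdu):  # Modbus/TCP ADU = MBAP header (tid, proto 0, length, unit) + PDU
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed honeypot captures (source IP, raw request): two scanners share a recon sequence.
CAPTURES = [
    ("198.51.100.10", mbap(1, 1, b"\x2b\x0e\x01\x00")),      # 0x2B read device id
    ("198.51.100.10", mbap(2, 1, b"\x11")),                  # 0x11 report server id
    ("198.51.100.10", mbap(3, 1, b"\x03\x00\x00\x00\x0a")),  # 0x03 read holding regs
    ("203.0.113.7", mbap(1, 1, b"\x2b\x0e\x01\x00")),
    ("203.0.113.7", mbap(2, 1, b"\x11")),
    ("203.0.113.7", mbap(3, 1, b"\x03\x00\x00\x00\x0a")),
    ("192.0.2.55", mbap(1, 1, b"\x06\x00\x01\x00\xff")),     # 0x06 write single reg
    ("192.0.2.55", mbap(2, 1, b"\x10\x00\x01\x00\x01\x02\x00\x2a")),  # 0x10 write regs
]

def function_code(adu):
    """PDU function code of a Modbus/TCP ADU, or None if the MBAP header is inconsistent."""
    if len(adu) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    return adu[7] if proto == 0 and length == len(adu) - 6 else None

def sequences(captures):
    """Per-source-IP function code sequence in capture order; malformed frames skipped."""
    seqs = {}
    for ip, adu in captures:
        if (fc := function_code(adu)) is not None:
            seqs.setdefault(ip, []).append(fc)
    return seqs

def fine_features(seq, n=2):
    """Fine-grained feature: set of function code n-grams, order preserved."""
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}
def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def group_homologous(captures, threshold=0.8):
    """Single-linkage grouping of IPs whose bigram sets have Jaccard >= threshold."""
    seqs, groups = sequences(captures), []
    for ip in sorted(seqs):
        feats = fine_features(seqs[ip])
        for g in groups:
            if any(jaccard(feats, fine_features(seqs[o])) >= threshold for o in g):
                g.append(ip)
                break
        else:
            groups.append([ip])
    return groups
```

On the constructed captures the two reconnaissance sources fall into one group and the register-writing source into another; on real honeypot data the threshold and n-gram length would be tuned against labelled groups such as the threat intelligence entries the thesis uses.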
Keywords/Search Tags:IP Traceback, ICS Honeypot Data, Function Code Sequence, Attack Groups, Homologous Attack Analysis