
Design And Development Of An Industrial Control Attack Monitoring Platform Based On Honeypot

Posted on: 2021-07-01
Degree: Master
Type: Thesis
Country: China
Candidate: L L Mu
Full Text: PDF
GTID: 2518306308973609
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the rapid development of the Internet and the deep integration of industrialization and information technology, industrial control systems have gradually moved from their original closed mode to a more open one, and from automation toward intelligence. At the same time, security threats from the Internet have gradually penetrated industrial control systems. In recent years, serious attacks against key national infrastructure have occurred frequently, which has drawn the attention of security researchers in various countries and regions to industrial control security issues.

At present, widely used security defense technologies include intrusion detection systems, border firewalls, etc. These technologies have a certain defensive effect against traditional network threats, but industrial control systems face not only traditional security threats but also threats specific to industrial control networks. On the one hand, network attack methods against industrial control systems are flexible and diverse; on the other hand, advanced persistent threats and other attack methods keep emerging. Traditional defense technology therefore cannot cope with these changing attack methods.

This thesis studies honeypot-based industrial control attack monitoring platforms and related technologies, using honeypots as an attack detection mechanism in the field of industrial control network security. A honeypot lures attackers into attacking it, which diverts their attention and yields attack data for researchers to analyze, so that targeted defenses can be applied to industrial control equipment. The specific work of this thesis is as follows:

(1) This thesis designs and implements a high-interaction honeypot named Greatpot, which is based on the S7comm industrial control protocol. By studying the operating mechanism of Conpot, the work focuses on the simulated implementation of the S7comm protocol, and response packets are designed for request data of different functional structures, which improves the interaction capability of the honeypot. Experiments show that the improved Greatpot obtains session data significantly more efficiently.

(2) An interactive method for the HMI interface of a PLC device is proposed. To address the problem that the original static HMI interface is easily identified as a honeypot system by even a slightly experienced attacker, the characteristics of the HMI interface of a real device are analyzed, and the HMI interface of the simulated PLC device is changed to a dynamic interface, which increases the authenticity of the honeypot. This achieves the goal of deceiving attackers and yields more effective attack data. In addition, the attack data of the HMI service port is analyzed first, which quickly filters out important attacker IPs, narrows the analysis scope and greatly improves analysis efficiency.

(3) An industrial control attack monitoring platform based on honeypot data is designed. It mainly comprises four functions: user management, honeypot management, attack monitoring and threat early warning. Each function of the platform has been tested one by one, and the results show that each part of the platform achieves the expected results. The platform is built with Docker technology, which makes it easy to deploy in batches and greatly improves resource utilization.

In summary, this system can capture and analyze malicious behavior against industrial control systems in the network in order to better respond to network attacks. At the same time, the system is easy to deploy and maintain, which greatly reduces the cost of simulation.
Keywords/Search Tags: industrial control security, Greatpot honeypot, S7comm protocol, attack monitoring platform