The growing integration of industrialization and information technology has gradually exposed industrial control systems (ICS) to the Internet, and the security risks familiar from the traditional Internet now also threaten industrial control systems. Faced with an endless stream of network attacks, passive defense measures such as firewalls and gateways cannot address the threats that traditional industrial control systems face. As an active defense technology, a honeypot attracts attackers' attention by setting bait and thereby collects their attack behavior. Because of insufficient interactivity, traditional industrial control honeypots are easily identified by attackers, so their ability to collect security threats from the network is limited. This thesis therefore aims to further enhance the interactivity and deceptiveness of industrial control honeypots, simulate a real industrial control network environment through honeypots, divert attackers' attention, and draw attackers into attacking the honeypots. By analyzing the intrusions the honeypots suffer and raising timely alerts, real industrial control systems can detect network threats in time and take corresponding defense and hardening measures based on the analysis results, achieving the goal of protecting real industrial control systems. The specific work of this thesis is as follows.

(1) Through a study of low-interaction industrial control honeypots, this thesis makes targeted improvements to their shortcomings, such as default templates and insufficient protocol interaction, and designs a high-interaction industrial control honeypot, ICShoneypot. First, to address the default template and the specific function code 88111222 in Conpot, the real device information of a Siemens S7-400 PLC is simulated. Second, since Conpot can only read information such as system status list (SZL) entries, this thesis uses a packet capture tool to capture S7comm protocol packets, analyzes the captured protocol information, derives the relevant functions, and implements the functions that Conpot does not provide. Finally, this thesis designs a login-capable human-computer interaction system to increase the deceptiveness of the honeypot, enhance its interaction with attackers, and facilitate further collection of attackers' behavior.

(2) To address the disadvantage of using a single machine learning classifier to detect the network traffic data collected from the honeypots, this thesis applies traditional machine learning algorithms, constructs corresponding ensemble learning models based on a principle for selecting base learners, and trains them as ensembles. Experiments verify the advantage of the ensemble learning model in detection performance. At the same time, this thesis proposes a dynamically updatable intrusion detection algorithm: network attack data is collected continuously through the deployed honeypots, the collected data is processed with the CICFlowMeter tool, new attack features are extracted, new datasets are generated, and the model is retrained continuously on the new datasets to improve the detection performance of the intrusion detection system against unknown attacks.

(3) An intrusion detection system based on industrial control honeypots is designed. The system includes honeypot management, data collection, model detection, data management, and other functional modules. It traps attackers by deploying honeypots, captures the real-time traffic flowing through the honeypot nodes, parses packet content according to the network protocols, and uses the machine learning detection model to classify the collected real-time traffic. The system then stores the data in MySQL and visualizes it with Vue and Element UI.
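The dynamically updatable ensemble detector described in (2), as an added example that is not the thesis's own code: three instance-based base learners (1-NN, 3-NN, nearest centroid) take a majority vote on CICFlowMeter-style flow features, and flows later captured at the honeypot are labelled as attacks, appended to the dataset, and the ensemble is refitted. The feature vectors, the honeypot captures, and the slow-scan flow are all constructed for the example.

```python
"""Majority-vote ensemble IDS over flow features, refitted from honeypot captures.

Constructed example, not the thesis's code. Flows seen at the honeypot are
treated as attack samples: appending them and refitting lets the ensemble
detect a pattern (a slow, small-packet scan) that the initial model misses.
"""
from collections import Counter
from math import dist

ATTACK, BENIGN = 1, 0

# Constructed flow records: (packets/s, mean packet size in bytes, duration in s)
INITIAL_DATASET = [
    ((5.0, 400.0, 0.5), BENIGN), ((4.0, 380.0, 0.5), BENIGN),
    ((6.0, 420.0, 0.5), BENIGN), ((8.0, 350.0, 0.5), BENIGN),
    ((900.0, 60.0, 0.01), ATTACK), ((800.0, 64.0, 0.02), ATTACK),
    ((950.0, 58.0, 0.01), ATTACK),
]
# Constructed flows captured later at the honeypot (a slow scan) and a query flow.
HONEYPOT_CAPTURES = [(1.5, 62.0, 28.0), (2.5, 58.0, 32.0), (2.0, 64.0, 29.0)]
SCAN_FLOW = (2.0, 60.0, 30.0)


def fit(dataset):
    """Scale each feature by its training maximum and precompute class centroids."""
    scale = [max(abs(x[i]) for x, _ in dataset) or 1.0 for i in range(3)]
    scaled = [([v / s for v, s in zip(x, scale)], y) for x, y in dataset]
    centroids = {}
    for label in (BENIGN, ATTACK):
        pts = [x for x, y in scaled if y == label]
        centroids[label] = [sum(c) / len(pts) for c in zip(*pts)]
    return {"scale": scale, "train": scaled, "centroids": centroids}


def _knn(model, q, k):
    ranked = sorted(model["train"], key=lambda xy: dist(q, xy[0]))
    return Counter(y for _, y in ranked[:k]).most_common(1)[0][0]


def _centroid(model, q):
    return min(model["centroids"], key=lambda lab: dist(q, model["centroids"][lab]))


def predict(model, flow):
    """Majority vote of the three base learners on one flow feature vector."""
    q = [v / s for v, s in zip(flow, model["scale"])]
    votes = [_knn(model, q, 1), _knn(model, q, 3), _centroid(model, q)]
    return Counter(votes).most_common(1)[0][0]


def update_with_captures(dataset, captures):
    """Label honeypot-captured flows as attacks, extend the dataset and refit."""
    extended = dataset + [(flow, ATTACK) for flow in captures]
    return extended, fit(extended)
```

Calling `predict(fit(INITIAL_DATASET), SCAN_FLOW)` returns 0 (the scan is missed), while after `update_with_captures(INITIAL_DATASET, HONEYPOT_CAPTURES)` the refitted model returns 1 for the same flow.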