
The Technology Research And Threat Intelligence Analysis Of ICS High Interaction Honeypot Based On Industrial Business

Posted on: 2020-01-29
Degree: Master
Type: Thesis
Country: China
Candidate: C H Zhao
Full Text: PDF
GTID: 2428330572473674
Subject: Computer Science and Technology

Abstract/Summary:
Many important infrastructures depend on industrial control systems, so the importance of their security is self-evident. Industrial control systems are widely used in industry, but they are often implemented without adequate security, which raises many security issues. In recent years, as attention to the security of industrial control systems has grown, more and more researchers have devoted themselves to industrial security. A honeypot acts as bait: it distracts attackers and records their attack behavior, which gives industrial security researchers valuable data while also helping to protect the real industrial control systems. This thesis focuses on the research and implementation of a high-interaction honeypot for industrial control systems, analyzes the collected intelligence in depth, and presents the results. We first propose a method to improve honeypot interactivity in three respects: HMI interaction, industrial control protocols, and device simulation. Following this method, Conpot is improved and a honeypot is designed to simulate Siemens S7-400 series PLC equipment. Compared with the honeypot before the improvement, the payload recognition rate of the improved honeypot is increased by nearly 20%, so it can collect more convincing interaction data from attackers and provides the data foundation for threat intelligence analysis. The data collected by the honeypot is then analyzed with host-based and port-based methods built on the diamond model. In addition, an intelligence analysis method based on context timing is proposed, which divides the threat information into four groups: active, high-threat, moderate threat and unknown threat. The experimental results show that, compared with the original analysis methods, fewer threats are classified as unknown and the recognition rate of effective threats is improved. Finally, the improved honeypot and the intelligence analysis method are combined to implement a threat intelligence analysis platform for industrial control systems. Based on the data collected by the honeypots, the platform integrates the threat analysis model, models the collected data in real time, analyzes it and displays the results, and presents the attackers' behavior intuitively in the system.
Keywords/Search Tags:Honeypot, High Interaction, Industrial Control System, Conpot, Industrial Protocols, Diamond Model