
Research On Scanning Characteristics Of Shodan Based On Honeypot Technology

Posted on: 2021-10-14
Degree: Master
Type: Thesis
Country: China
Candidate: X W Lian
GTID: 2518306110495224
Subject: Computer technology
Abstract/Summary:
Industrial Control Systems (ICS) are widely used to monitor and control critical infrastructure and public transport systems. With the rapid development of industrial informatization and digitization, industrial control systems are connected to the external Internet more frequently, and a large number of industrial control devices are exposed to the Internet. As a result, traditional network attacks have entered the field of industrial control and pose a serious threat to industrial control systems. The emergence of the Shodan search engine has amplified this threat. Shodan can identify and index networked industrial control devices, so it has become a favorite tool for attackers and penetration testers. To prevent further attacks arising from Shodan scanning, the Shodan scanning scheme needs to be analyzed in depth.

In this article, we use honeypot technology to capture Shodan scanning traffic. Based on the existing MiniCPS framework, we implemented a honeypot system that simulates a sewage treatment system. The honeypot comprehensively simulates four industrial control protocols (Modbus, S7comm, IEC104 and BACnet), the control logic of the PLCs in the industrial control system, the state changes of sensors and actuators, and a relatively complete industrial control network topology. We used VPS hosts to deploy honeypots in six countries and regions and collected data for up to three months.

This paper proposes a hierarchical DFA-SVM traffic identification model for the captured industrial control traffic. The model analyzes the application-layer traffic, extracts the protocol function code sequence as the payload feature, and combines it with traditional traffic statistical characteristics, using a Deterministic Finite Automaton (DFA) and a Support Vector Machine (SVM) respectively to classify and identify the traffic. This hierarchical model combines DPI technology with machine-learning-based traffic recognition, which effectively improves the ability to identify Shodan traffic and Shodan-like traffic. This article uses two data sets to evaluate the model. The first data set consists of 9883 Shodan interaction records, and the second contains all 32,522 interaction records. The results show that, on the two data sets, the average recognition accuracy of the DFA-SVM model reaches 99.3% and 95.6%, respectively, and a total of 29 Shodan scanner IPs are identified. The model is suitable for finding dynamic or hidden Shodan scanners, and its performance is better than that of the domain name resolution method.

Finally, we conducted an in-depth analysis of Shodan traffic and present the results in terms of scan time, scan frequency, scan port, regional preference, ICS protocol preference, and ICS protocol function code ratio. In addition, this paper evaluates Shodan's impact on industrial control systems. The analysis results confirm that there is a positive correlation between Shodan scanning and non-Shodan attacks, which means that Shodan may become part of the attacker's tool set. In response to this negative impact, this article provides some solutions to mitigate the Shodan threat.
Keywords/Search Tags:Industrial Control Systems, Shodan, Honeypot Technology, Traffic Recognition