
Research On The Theory And Technology Of Network Intrusion Trapping For A Laboratory Industrial Control System

Posted on: 2022-04-01
Degree: Master
Type: Thesis
Country: China
Candidate: S Wang
Full Text: PDF
GTID: 2518306341469524
Subject: Electrical engineering
Abstract/Summary:
In the past five years, countries all over the world have paid more and more attention to the information security of industrial control systems. It has become a consensus in the field of industrial control system information security to apply honeypot and honeynet technology to actively defend industrial control equipment. A honeypot is essentially a piece of program code or a real host, usually disguised as a vulnerable device or server in order to tempt attackers into attacking it. Its value lies in being attacked and scanned. A honeynet is a trap network composed of multiple honeypots. It also provides various tools to facilitate the collection and analysis of attack data. However, most common industrial control system honeypots have problems such as incomplete protocol layer simulation and being easy to identify. In addition, due to limited equipment resources, operating system differences and other factors, honeynets are difficult to deploy and port quickly.

To address these two problems, this paper uses a laboratory industrial control system to study existing honeypot and honeynet technology. The low-interaction industrial control system honeypot Conpot is re-developed and its protocol simulation layer is improved. Docker container technology is used for rapid deployment and porting of the honeynet, and visualization technology is used to display the data trapped by the honeynet in real time. An assessment is made of the security threats faced by industrial control systems. The main work of this paper is as follows:

First, this paper focuses on the analysis of Siemens S7comm private protocol messages and the source code of the low-interaction industrial control system honeypot Conpot. An S7comm server is developed for the Conpot honeypot that fully extends the read/write, start/stop, and upload/download program block functions of the S7comm private protocol, improving the interactivity of the honeypot.

Then, multiple honeypots of different types are deployed on multiple physical machines through Docker container technology. The number of honeypots on each physical machine and the degree of interaction of the honeypots differ. The honeypot images are stored in the Docker registry and can be downloaded and run directly to achieve rapid and lightweight deployment. In addition to deploying honeypots on key physical machines, real PLC devices are also deployed to improve trapping capabilities. Each physical machine is a node in the honeynet, and the entire honeynet intrusion trap system controls all physical machines through a master node, forming a multi-node composite honeynet intrusion trap system.

Finally, the attack data trapped by the honeynet is summarized and analyzed along the dimensions of time, space, and attack method. Flask, Ajax and Echarts are used to design and implement a security situational awareness system, in which the attack data and analysis results are displayed visually on the front-end page in real time. The final experimental results show that the honeynet intrusion trapping and security situational awareness system designed in this paper can show the security threats faced by industrial control systems from multiple dimensions in real time.
Keywords/Search Tags:industrial control honeypot, Docker, intrusion trap, visual analysis