Design And Implementation Of Industrial Honeypot Based On Parallel Simulation Technology

Posted on: 2022-07-25
Degree: Master
Type: Thesis
Country: China
Candidate: S M Wang
GTID: 2518306608976469
Subject: Master of Engineering
Abstract/Summary:
With the rapid development of the industrial internet in China, factory OT networks are now connected to corporate wide area networks and IoT networks. ICS networks are becoming the main battlefield of network security and face a severe test. Passive defenses, represented by ICS firewalls and ICS intrusion detection, cannot meet the needs of industrial production scenarios that place urgent real-time and reliability requirements on OT processes. To improve the security protection of OT networks, this paper proposes an ICS honeypot based on parallel simulation technology to build a multi-level, in-depth active defense system and so reduce the risk of the industrial internet being attacked.

The paper first introduces the stages of honeypot technology development and points out the shortcomings and limitations of current ICS honeypot technology. It then proposes an ICS honeypot system based on parallel simulation technology: a genuinely high-interaction ICS honeypot that can absorb multiple levels of attack. It uses shadow system technology to build industrial assets in batches, capture traffic, and analyze attacks, and it uses parallel simulation technology to build the simulation environment, reducing the probability that the honeypot is discovered. The main work and innovations of this paper are as follows:

(1) Current ICS honeypots mostly simulate protocols in low-interaction mode, which supports only simple protocol simulation, is less deceptive, and is easily discovered by attackers. This paper designs a high-interaction ICS honeypot that increases the interaction strength of the simulation, can deceive attackers at various levels, and can absorb attacks at various levels.

(2) ICS honeypots cannot effectively simulate basic industrial assets at low cost. This paper proposes a high-interaction shadow system that simulates IEC 60870-5, S7Comm, MODBUS and other ICS protocols and modifies the associated data packets. Honeypots with different business interaction capabilities are used to construct a deceptive business network topology to lure attackers, which fills a gap in current ICS honeypots.

(3) ICS honeypot technology is limited in its ability to capture attack traffic. This paper proposes a high-interaction ICS honeypot with full traffic capture. Using the intrusion detection framework Suricata as the attack detection sensor, it captures attack data and displays the attack situation based on that data.

(4) Validation of the ICS honeypot designed in this paper shows that it can build low-cost underlying assets (such as PLCs) in batches to accept multiple levels of attack, and penetration testing verifies its high interactivity and capture capability.
Keywords/Search Tags:ICS Honeypot, Parallel Simulation, High Interaction, Shadow System