
Research On Key Technologies Of Industrial Control System Honeypot

Posted on: 2022-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: Y F Cui
GTID: 2518306758466114
Subject: Information and Communication Engineering
Abstract/Summary:
The emergence of "Stuxnet" has made people more aware of the security threats to industrial control systems and their serious consequences. Protection of existing industrial control systems is mainly divided into passive and active defense. The honeypot, as an important active defense measure, plays an important role in threat perception and security defense. However, current industrial control system honeypots suffer from poor security and weak trapping ability, and honeypot systems are mostly deployed in virtual machines, which consumes a large amount of resources and makes batch deployment difficult. How to improve honeypot security and trapping ability, deploy honeynets in a lightweight way, and enable the honeypot system to capture richer and more comprehensive threat data is an urgent problem in industrial control system honeypot research. This paper studies these problems in current industrial control system honeypots. The main work and innovations are as follows:

(1) The Conpot industrial control honeypot contains fingerprint information that is easy to detect, and an attacker can identify a deployed industrial control system honeypot from that fingerprint information. This paper proposes a Conpot honeypot scheme with improved fingerprint information. The scheme has two aspects. First, because values such as the serial number are left at their defaults during honeypot deployment, the serial number in the fingerprint is erased and reconstructed. Second, because the honeypot naming does not conform to actual PLC naming rules, this paper takes the mainstream S7-400 PLC as the research object and establishes a model of its naming rules. On this basis, an improved Conpot honeypot method that uses a format-preserving encryption algorithm to generate fingerprint information is presented. Finally, the proposed improved honeypot scheme is verified, and the experimental results show that the improved Conpot honeypot improves the security of the honeypot at the fingerprint layer.

(2) Current industrial control honeypot designs often do not fully consider the industrial Internet protocol model, so attackers can identify a honeypot by analyzing the protocol during interaction. To solve this problem, this paper proposes a Petri net based protocol modeling scheme for industrial control system honeypots. The scheme uses Petri nets to formally model the communication process of the industrial control system honeypot and the S7comm protocol of the PLC device respectively, and then formally analyzes and compares the models. Based on the comparison, the detected S7comm protocol interaction vulnerabilities are remedied and a function code response mechanism is added to the honeypot. Finally, experiments verify that Petri net based protocol modeling of the industrial control system honeypot can resist honeypot identification through protocol analysis and improves the interactivity of the Conpot honeypot.

(3) Existing industrial control system honeynets are deployed in virtual machines, resource utilization is low, and large-scale deployment is difficult to achieve. This paper proposes a lightweight industrial control system honeynet deployment scheme. The scheme uses Docker containers to deploy the honeynet, designs the deception environment, data control, data analysis and other components, and builds a lightweight honeynet. Finally, experiments demonstrate the lightweight deployment of the honeynet and its good trapping ability.
Keywords/Search Tags: Honeypot Technology, Industrial Control System Security, Conpot, Petri Net, Honeypot Network