Research On Honeypot Construction Technology Of High Interaction Industrial Control System

Posted on: 2024-05-18
Degree: Master
Type: Thesis
Country: China
Candidate: H R Feng
GTID: 2558307067472484
Subject: Computer technology
Abstract/Summary:

Industrial Control Systems (ICSs) play a crucial role in critical infrastructures, bridging the physical and information worlds and impacting sectors such as energy, transportation, water conservancy, and communications. These sectors are integral to societal operations and people’s livelihoods. The Purdue Reference Model primarily divides a complete ICS into Information Technology (IT) and Operational Technology (OT) networks. As traditional systems transition from closed to open and interconnected systems, the security measures outlined in the Purdue Reference Model no longer meet their cybersecurity needs. Therefore, building an active defense system for ICS has become essential to compensate for security vulnerabilities, and the design and implementation of ICS honeypots, with deception defense as the core measure, has become a research hotspot.

Existing ICS honeypots face challenges in extending industrial protocols and in the complexity of simulating ICS operations. This paper proposes a high-interaction ICS honeypot framework based on the traditional virtual honeypot, Honeyd. This framework integrates middleware caching and data simulation, significantly mitigating these problems. Building a request-response cache for industrial protocols reduces the development work needed for protocol extension, enhancing protocol extensibility. Data simulation reconstructs ICS operational logic by learning variations in physical process data. This paper’s innovative contributions include:

(1) Industrial communication response based on middleware caching: Most research on ICS honeypots combines virtual and real elements involving ICS devices and low-interaction honeypots, achieving real responses to key requests through proxy forwarding. In practice, the virtual frontend is typically deployed on cloud servers and forwarded to local physical control devices via a proxy. Control devices usually operate within a local control network, monitoring and controlling the physical state and electrical signal changes of on-site equipment at microsecond-level response speeds. Network latency, packet loss rate, and bandwidth factors during the proxy forwarding process may reduce the credibility of response data. By capturing and classifying control network traffic data in advance, forming request-response pairs, and storing them as cache data in the frontend virtual node, we ensure immediate response matching in the cache. This supports complex ICS protocol interactions at the protocol level by caching various types of request-response messages.

(2) On-site data prediction model based on the LightGBM algorithm: Existing ICS honeypots mainly simulate virtual representations of ICS protocols, devices, and system features but fail to reproduce the actual industrial production process and its data changes. While some researchers propose using mathematical modeling methods and the Matlab/Simulink tool for industrial business simulation, this approach struggles with increasingly complex industrial production scenarios. By considering the time-series characteristics of data at each node in the industrial production process, machine learning algorithms can be used to learn the data at each node. The data prediction model obtained from training broadens honeypot deployment scenarios. After comparing the results from multiple regression prediction algorithms, this paper chooses the LightGBM algorithm to learn from industrial production data and obtain the data prediction model.
Keywords/Search Tags: Industrial Control System, Honeypot, LightGBM, Honeyd, Purdue Model
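
The cached request-response matching described in contribution (1) can be sketched as follows; this is an added example, not code from the thesis. It assumes Modbus/TCP as the industrial protocol (the abstract names none), and `ResponseCache`, its miss policy and the sample frames are constructed for illustration.

```python
import struct

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)

def split_adu(frame: bytes):
    """Return (transaction_id, unit_id, pdu); raise ValueError on a malformed frame."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    # The length field counts the unit id plus the PDU, i.e. everything after byte 6.
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP header")
    return tid, unit, frame[MBAP_LEN:]

def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

class ResponseCache:
    """Hypothetical frontend cache of request-response pairs captured in advance."""

    def __init__(self):
        self._pairs = {}

    def learn(self, request: bytes, response: bytes) -> None:
        # Key on unit id + request PDU; the transaction id changes per client.
        _, unit, req_pdu = split_adu(request)
        _, _, resp_pdu = split_adu(response)
        self._pairs[(unit, req_pdu)] = resp_pdu

    def answer(self, request: bytes) -> bytes:
        tid, unit, pdu = split_adu(request)
        cached = self._pairs.get((unit, pdu))
        if cached is None:
            # Miss policy (assumption): Modbus exception 0x01, illegal function.
            cached = bytes([pdu[0] | 0x80, 0x01])
        # Echo the caller's transaction id so the reply matches its request.
        return build_adu(tid, unit, cached)

# Constructed capture: unit 1, read 2 holding registers starting at address 0.
CAPTURED_REQ = bytes.fromhex("000100000006" "01" "0300000002")
CAPTURED_RESP = bytes.fromhex("000100000007" "01" "030400fa0102")

if __name__ == "__main__":
    cache = ResponseCache()
    cache.learn(CAPTURED_REQ, CAPTURED_RESP)
    probe = bytes.fromhex("123400000006" "01" "0300000002")  # same PDU, new id
    print(cache.answer(probe).hex())
```

Keying on the request body rather than the whole frame is what lets a single captured pair answer any later client; a request that was never captured shows up as a miss, which is also a useful signal to log.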