Sam Maesschalck,Will Fantom,Vasileios Giotsas,Nicholas Race

DOI: https://doi.org/10.1109/tnsm.2024.3361915

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Industry 4.0 and the trend of connecting legacy Industrial Control Systems (ICSs) to public networks have exposed these systems to various online threats. To combat these threats, honeypots have been widely used to provide proactive monitoring, detection and deception security capabilities. However, skilled attackers are now adept at fingerprinting and avoiding honeypots. Therefore, we take a fundamentally different approach in this paper. Instead of the honeypot representing a real system, we deploy it as a deterrent. Through obfuscation, the aim is to make an attacker believe the real system is a honeypot and collect threat intelligence data on the attacker. To achieve this, we introduce a new obfuscation technique that allows real ICSs to present themselves as honeypots. By taking advantage of honeypot fingerprinting techniques, we are able to deter attackers from interacting with the real Programmable Logic Controller (PLC) within the industrial network. The approach is implemented and evaluated using different penetration testing tools and an expert evaluation highlighting the benefits of obfuscation in that potential adversaries would be misled into assuming the PLC is a honeypot.

computer science, information systems

Christoforos Vasilatos,Dunia J. Mahboobeh,Hithem Lamri,Manaar Alam,Michail Maniatakos

2024-05-09

Abstract:Industrial Control Systems (ICS) are extensively used in critical infrastructures ensuring efficient, reliable, and continuous operations. However, their increasing connectivity and addition of advanced features make them vulnerable to cyber threats, potentially leading to severe disruptions in essential services. In this context, honeypots play a vital role by acting as decoy targets within ICS networks, or on the Internet, helping to detect, log, analyze, and develop mitigations for ICS-specific cyber threats. Deploying ICS honeypots, however, is challenging due to the necessity of accurately replicating industrial protocols and device characteristics, a crucial requirement for effectively mimicking the unique operational behavior of different industrial systems. Moreover, this challenge is compounded by the significant manual effort required in also mimicking the control logic the PLC would execute, in order to capture attacker traffic aiming to disrupt critical infrastructure operations. In this paper, we propose LLMPot, a novel approach for designing honeypots in ICS networks harnessing the potency of Large Language Models (LLMs). LLMPot aims to automate and optimize the creation of realistic honeypots with vendor-agnostic configurations, and for any control logic, aiming to eliminate the manual effort and specialized knowledge traditionally required in this domain. We conducted extensive experiments focusing on a wide array of parameters, demonstrating that our LLM-based approach can effectively create honeypot devices implementing different industrial protocols and diverse control logic.

Cryptography and Security,Machine Learning

Xy He,Ky Lam,Sl Chung,Ch Chi,Jg Sun

DOI: https://doi.org/10.1007/978-3-540-30483-8_18

2004-01-01

Abstract:Security becomes increasingly important. However, existing security tools, almost all defensive, have many vulnerabilities which are hard to overcome because of the lack of information about hackers techniques or powerful tools to distinguish malicious traffic from the huge volume of production traffic. Although honeypots mainly aim at collecting information about hackers' behaviors, they axe not very effective in that honeypot implementers tend to block or limit hackers' outbound connections to avoid harming non-honeypot systems, thus making honeypots easy to be fingerprinted. Additionally, the main concern is that if hackers were allowed outbound connections, they may attack the actual servers thus the honeypot could become a facilitator of the hacking crime. In this paper we present a new method to real-time emulate intrusion victims in a honeyfarm. When hackers request outbound connections, they are redirected to the intrusion victims which emulate the real targets. This method provides hackers with a less suspicious environment and reduces the risk of harming; other systems.

Kannan Kirishikesan,Gayakantha Jayakody,Ayesh Hallawaarachchi,Chandana Gamage

DOI: https://doi.org/10.4038/icter.v16i2.7265

2023-12-08

International Journal on Advances in ICT for Emerging Regions (ICTer)

Abstract:Industrial Control Systems (ICSs) are control systems that automate and control industrial processes. ICSs have a high-security risk since most of them are connected to the Internet for remote monitoring and controlling purposes. Compromising ICS can disrupt critical infrastructure supplies, such as water supply, power supply, transportation systems, and manufacturing systems. Programmable Logic Controllers (PLCs) are special computers used in ICSs. Many PLCs do not have built-in security systems. Many ICS application layer protocols are not designed with security in mind. Therefore, external security systems are needed to protect ICSs from cyber-attacks. Identifying the vulnerabilities, malware, and attacking patterns is useful in designing defense-in-depth security systems for ICSs. Honeypots can be used for research purposes as a way of collecting data and can also be used to protect the systems from attackers. In this paper, we present a high-interaction physics-aware ICS research honeypot that has been extended to a production honeypot using Software Defined Networking.

Mario Kahlhofer,Stefan Rass

2024-05-21

Abstract:Cyber deception techniques that are tightly intertwined with applications pose significant technical challenges in production systems. Security measures are usually the responsibility of a system operator, but they are typically limited to accessing built software artifacts, not their source code. This limitation makes it particularly challenging to deploy cyber deception techniques at application runtime and without full control over the software development lifecycle. This work reviews 19 technical methods to accomplish this and evaluates them based on technical, topological, operational, and efficacy properties. We find some novel techniques beyond honeypots and reverse proxies that seem to have received little research interest despite their promise for cyber deception. We believe that overcoming these technical challenges can drive the adoption of more dynamic and personalized cyber deception techniques, tailored to specific classes of applications.

Cryptography and Security,Distributed, Parallel, and Cluster Computing,Networking and Internet Architecture,Software Engineering

Jacob Williams,Matthew Edwards,Joseph Gardiner

2024-10-23

Abstract:The convergence of information and operational technology networks has created previously unforeseen security issues. To address these issues, both researchers and practitioners have integrated threat intelligence methods into the security operations of converged networks, with some of the most valuable tools being honeypots that imitate industrial control systems (ICS). However, the development and deployment of such honeypots is a process rich with pitfalls, which can lead to undiagnosed weaknesses in the threat intelligence being gathered. This paper presents a side-channel method of covertly identifying ICS honeypots using the time-to-live (TTL) values of target devices. We show that many ICS honeypots can be readily identified, via minimal interactions, using only basic networking tools. In a study of over 8,000 devices presenting as ICS systems, we detail how our method compares to an existing honeypot detection approach, and outline what our methodology reveals about the current population of live ICS honeypots. In demonstrating our method, this study aims to raise awareness of the viability of the TTL heuristic and the prevalence of its misconfiguration despite its presence in literature.

Cryptography and Security,Systems and Control

Upendra Bartwal,Subhasis Mukhopadhyay,Rohit Negi,Sandeep Shukla

DOI: https://doi.org/10.1109/DSC54232.2022.9888808

2022-01-14

Abstract:Cyber Security is a critical topic for organizations with IT/OT networks as they are always susceptible to attack, whether insider or outsider. Since the cyber landscape is an ever-evolving scenario, one must keep upgrading its security systems to enhance the security of the infrastructure. Tools like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Threat Intelligence Platform (TIP), Information Technology Service Management (ITSM), along with other defensive techniques like Intrusion Detection System (IDS), Intrusion Protection System (IPS), and many others enhance the cyber security posture of the infrastructure. However, the proposed protection mechanisms have their limitations, they are insufficient to ensure security, and the attacker penetrates the network. Deception technology, along with Honeypots, provides a false sense of vulnerability in the target systems to the attackers. The attacker deceived reveals threat intel about their modus operandi. We have developed a Security Orchestration, Automation, and Response (SOAR) Engine that dynamically deploys custom honeypots inside the internal network infrastructure based on the attacker's behavior. The architecture is robust enough to support multiple VLANs connected to the system and used for orchestration. The presence of botnet traffic and DDOS attacks on the honeypots in the network is detected, along with a malware collection system. After being exposed to live traffic for four days, our engine dynamically orchestrated the honeypots 40 times, detected 7823 attacks, 965 DDOS attack packets, and three malicious samples. While our experiments with static honeypots show an average attacker engagement time of 102 seconds per instance, our SOAR Engine-based dynamic honeypots engage attackers on average 3148 seconds.

Cryptography and Security,Machine Learning

Rajat Gupta,Madhu Viswanatham V.,Manikandan K

DOI: https://doi.org/10.48550/arXiv.2105.04773

2021-05-11

Cryptography and Security

Abstract:Nowadays, web applications have become most prevalent in the industry, and the critical data of most organizations stored using web apps. Hence, web applications a much bigger target for diverse cyber-attacks, which varies from database injections-SQL injection, PHP object injection, template injection, XML external entity injection, unsanitized input attacks- Cross-Site Scripting(XSS), and many more. As mitigation for them, among many proposed solutions, web application honeypots are a much sophisticated and powerful protection mechanism. In this paper, we propose a low interaction, adaptive, and dynamic web application honeypot that imitates the vulnerabilities through HTTP events. The honeypot is built with SNARE and TANNER; SNARE creates the attack surface and sends the requests to TANNER, which evaluates them and decides how SNARE should respond to the requests. TANNER is an analysis and classification tool, which analyzes and evaluates HTTP requests served by SNARE and to compose the response, it is powered by emulators, which are engines used for the emulation of vulnerabilities.

Daniel Reti,Norman Becker

DOI: https://doi.org/10.48550/arXiv.2104.03651

2021-04-08

Abstract:In the field of network security, the concept of honeypots is well established in research as well as in production. Honeypots are used to imitate a legitimate target on the network and to raise an alert on any interaction. This does not only help learning about a breach, but also allows researchers to study the techniques of an attacker. With the rise of cloud computing, container-based virtualization gained popularity for application deployment. This paper investigates the possibilities of container-based honeypots and introduces the concept of simulating container escapes as a deception technique.

Cryptography and Security,Networking and Internet Architecture

Christoph Pohl,Michael Meier,Hans-Joachim Hof

DOI: https://doi.org/10.48550/arXiv.1507.03117

2015-07-11

Abstract:Honeypots are used in IT Security to detect and gather information about ongoing intrusions, e.g., by documenting the approach of an attacker. Honeypots do so by presenting an interactive system that seems just like a valid application to an attacker. One of the main design goals of honeypots is to stay unnoticed by attackers as long as possible. The longer the intruder interacts with the honeypot, the more valuable information about the attack can be collected. Of course, another main goal of honeypots is to not open new vulnerabilities that attackers can exploit. Thus, it is necessary to harden the honeypot and the surrounding environment. This paper presents Apate, a Linux Kernel Module (LKM) that is able to log, block and manipulate system calls based on preconfigurable conditions like Process ID (PID), User Id (UID), and many more. Apate can be used to build and harden High Interaction Honeypots. Apate can be configured using an integrated high level language. Thus, Apate is an important and easy to use building block for upcoming High Interaction Honeypots.

Cryptography and Security,Networking and Internet Architecture

Liu B. Songsong,Pengbin Feng,Jiahao Cao,Xu He,Tommy Chin,Kun Sun,Qi Li

DOI: https://doi.org/10.1007/978-3-031-09484-2_11

2022-01-01

Abstract:The honeypot technique has proved its value in system protection and attack analysis over the past 20 years. Distributed honeypot solutions emerge to solve the high cost and risk of maintaining a functional honeypot system. In this paper, we uncover that all existing distributed honeypot systems suffer from one type of anti-honeypot technique called network context cross-checking (NC3) which enables attackers to detect network context inconsistencies before and after breaking into a targeted system. We perform a systematic study of NC3 and identify nine types of network context artifacts that may be leveraged by attackers to identify distributed honeypot systems. As a countermeasure, we propose HoneyPortal, a stealthy traffic redirection framework to defend against the NC3 attack. The basic idea is to project a remote honeypot into the protected local network as a believable host machine. We conduct experiments in a real testbed, and the experimental results show that HoneyPortal can effectively defeat NC3 attacks with a low performance overhead.

Tianxiang Yu,Yang Xin,Chunyong Zhang

DOI: https://doi.org/10.3390/electronics13020361

IF: 2.9

2024-01-16

Electronics

Abstract:Honeynet and honeypot originate as network security tools to collect attack information during the network being compromised. With the development of virtualization and software defined networks, honeynet has recently achieved many breakthroughs. However, existing honeynet architectures treat network attacks as interactions with a single honeypot which is supported by multiple honeypots to make this single one more realistic and efficient. The scale and depth of existing honeynets are limited, making it hard to capture complicated attack information. Existing honeynet frameworks also have low-level simulation of protected network and lacks test metrics. To address these issues, we design and implement a novel container-based comprehensive cyber deception honeynet architecture that consists of five modules, called HoneyFactory. Just like factory producing products according to customer preferences, HoneyFactory generates honeynet using containers based on business networks under protection. In HoneyFactory architecture, we propose a novel honeynet deception model based on hmm model to evaluate deception stage. We also design other modules to make this architecture comprehensive and efficient. Experiments show that HoneyFactory performs better than existing research in communication latency and connections per second. Experiments also show that HoneyFactory can effectively evaluate deception stage and perform deep cyber deception.

engineering, electrical & electronic,computer science, information systems,physics, applied

Beibei Li,Yue Xiao,Yaxin Shi,Qinglei Kong,Yuhao Wu,Haiyong Bao

DOI: https://doi.org/10.1109/ojcs.2020.3030825

2020-01-01

IEEE Open Journal of the Computer Society

Abstract:Honeypots have been widely used in the security community to understand the cyber threat landscape, for example to study unauthorized penetration attempts targeting industrial cyber-physical systems (ICPS) and observing the behaviors in such activities. However, some better-resourced cyber attackers may attempt to identify honeypots and develop strategies to compromise them, aka anti-honeypot. In this paper, we present an anti-honeypot enabled optimal attack strategy for ICPS, by employing a novel game-theoretical approach. Specifically, the interactions between the attacker and ICPS defender are captured with a proposed hybrid signaling and repeated game, i.e., a non-cooperative two-player one-shot game with incomplete information. By taking into account both various possible defenses of an ICPS and diverse offensive acts of attackers, a Nash equilibrium is derived, which exhibits an optimal attack strategy for attackers with varying technical sophistication. Extensive simulation experiments on multiple test cases demonstrate that, the derived strategy offers the attackers an optimal tactic to compromise the target ICPS protected by honeypots, while having only incomplete knowledge of the defensive mechanisms.

Stefan Machmeier

2024-07-17

Abstract:In this age of digitalization, Internet services face more attacks than ever. An attacker's objective is to exploit systems and use them for malicious purposes. Such efforts are rising as vulnerable systems can be discovered and compromised through Internet-wide scanning. One known methodology besides traditional security leverages is to learn from those who attack it. A honeypot helps to collect information about an attacker by pretending to be a vulnerable target. Thus, how honeypots can contribute to a more secure infrastructure makes an interesting topic of research. This thesis will present a honeypot solution to investigate malicious activities in heiCLOUD and show that attacks have increased significantly. To detect attackers in restricted network zones at Heidelberg University, a new concept to discover leaks in the firewall will be created. Furthermore, to consider an attacker's point of view, a method for detecting honeypots at the transport level will be introduced. Lastly, a customized OpenSSH server that works as an intermediary instance will be presented to mitigate these efforts.

Cryptography and Security

Wei Yang,Yu Yao,Tong Zhao,Yao Shan

DOI: https://doi.org/10.1109/TII.2023.3240739

IF: 12.3

2023-10-01

IEEE Transactions on Industrial Informatics

Abstract:Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neural network-based ICS honeypot scheme named NeuPot that improves security from two aspects: 1) honeypot interaction; and 2) cyber threats detection capability. NeuPot can respond to attacker requests depending on a specific industrial scenario without constant communication with the ICS and detect malicious traffic. To create this honeypot scheme, a new seq2seq time-series forecast model guided by Huber loss is designed to simulate the long-term changes in actual ICS physical processes. Second, a Modbus honeypot framework is created to react to changes in these ICS physical processes in their interactions with attackers and to capture various cyber threats against the ICS. Further, a novel loss function for industrial protocol-level malicious traffic detection is devised to identify known and unknown threats. According to our experiments, the proposed honeypot scheme is highly effective and outperforms state-of-the-art schemes in terms of interactivity and in detecting cyber threats.

Computer Science,Engineering

P.V. Sai Charan,Subhasis Mukhopadhyay,Subhajit Manna,Nanda Rani,Ansh Vaid,Hrushikesh Chunduri,P. Mohan Anand,Sandeep Kumar Shukla

DOI: https://doi.org/10.1145/3651991

2024-03-08

Digital Threats Research and Practice

Abstract:Honeypots serve as a valuable deception technology, enabling security teams to gain insights into the behaviour patterns of attackers and investigate cyber security breaches. However, traditional honeypots prove ineffective against advanced adversaries like APT groups due to their evasion tactics and awareness of typical honeypot solutions. This paper emphasises the need to capture these attackers for enhanced threat intelligence, detection, and protection. To address this, we propose the design and deployment of a customized honeypot network based on adaptive camouflaging techniques. Our work focuses on orchestrating a behavioral honeypot network tailored for three APT groups, with strategically positioned attack paths aligning with their Tactics, Techniques, and Procedures, covering all cyber kill chain phases. We introduce a novel approach, deploying a camouflaged chatterbox application within the honeypot network. This application offers a regular chat interface while periodically tracking attacker activity by enabling periodic log transfers. Deployed for 100 days, our orchestrated honeypot recorded 13,906,945 hits from 4,238 unique IP addresses. Our approach categorizes attackers, discerning varying levels of sophistication, and identifies attacks from Hong Kong with similarities to known Chinese threat groups. This research significantly advances honeypot technology and enhances the understanding of sophisticated threat actors' strategies in real operating networks.

Feng Xiao,Enhong Chen,Qiang Xu

DOI: https://doi.org/10.1007/978-3-319-89500-0_36

2018-01-01

Abstract:Intensively happened cyber-attacks against industrial control system pose a serious threat to the critical national infrastructure. It is significant to capture the detection and the attacking data for industrial control system by means of honeypot technology, as it provides the ability of situation awareness to reveal potential attackers and their motivations before a fatal attack happens. We develop a high interactive honeypot for industrial control system-S7commTrace, based on Siemens' S7 protocol. S7commTrace supports more function codes and sub-function codes in protocol simulation, and improves the depth of interaction with the attacker to induce more high-level attacks effectively. A series of comparative experiments is carried out between S7commTrace and Conpot, by deploying these two kinds of honeypots under the same circumstance in four countries. Data captured by these two kinds of honeypots is analyzed respectively in four dimensions, which are query results in Shodan, count of data and valid data, coverage of function code and diversity of source IP address. Experiment results show that S7commTrace has better performance over Conpot.

Weizhe Zhang,Hui He,Tai-hoon Kim

DOI: https://doi.org/10.1007/s11042-013-1499-4

IF: 2.577

2013-01-01

Multimedia Tools and Applications

Abstract:Honeynet is a framework containing more than one honeypot to provide data control, data capture, and data analysis. This framework aims to simulate a highly controllable attack or decoy for the security analysis of a network. In this paper, the Xen-based virtual machine solution is proposed to build the virtual honeynet. A virtual honeynet deploys a honeynet on a physical machine based on virtual machine technology with the advantages of low cost as well as convenient management, and maintenance features. The virtual honeynet system includes dynamic resource allocation, data control, data capture, data presentation, and analysis. It is lightweight but has high performance, which is verified with extensive experiments.

Xingyuan Yang,Jie Yuan,Hao Yang,Ya Kong,Hao Zhang,Jinyu Zhao

DOI: https://doi.org/10.3390/fi15040127

2023-03-29

Future Internet

Abstract:In this paper, considering the problem that the common defensive means in the current cyber confrontation often fall into disadvantage, honeypot technology is adopted to turn reactive into proactive to deal with the increasingly serious cyberspace security problem. We address the issue of common defensive measures in current cyber confrontations that frequently lead to disadvantages. To tackle the progressively severe cyberspace security problem, we propose the adoption of honeypot technology to shift from a reactive to a proactive approach. This system uses honeypot technology for active defense, tempting attackers into a predetermined sandbox to observe the attacker's behavior and attack methods to better protect equipment and information security. During the research, it was found that due to the singularity of traditional honeypots and the limitations of low-interactivity honeypots, the application of honeypot technology has difficulty in achieving the desired protective effect. Therefore, the system adopts a highly interactive honeypot and a modular design idea to distinguish the honeypot environment from the central node of data processing, so that the honeypot can obtain more sufficient information and the honeypot technology can be used more easily. By managing honeypots at the central node, i.e., adding, deleting, and modifying honeypots and other operations, it is easy to maintain and upgrade the system, while reducing the difficulty of using honeypots. The high-interactivity honeypot technology not only attracts attackers into pre-set sandboxes to observe their behavior and attack methods, but also performs a variety of advanced functions, such as network threat analysis, virtualization, vulnerability perception, tracing reinforcement, and camouflage detection. We have conducted a large number of experimental comparisons and proven that our method has significant advantages compared to traditional honeypot technology and provides detailed data support. Our research provides new ideas and effective methods for network security protection.

Chongqi Guan,Heting Liu,Guohong Cao,Sencun Zhu,Thomas La Porta

DOI: https://doi.org/10.48550/arXiv.2305.06430

2023-05-10

Cryptography and Security

Abstract:As IoT devices are becoming widely deployed, there exist many threats to IoT-based systems due to their inherent vulnerabilities. One effective approach to improving IoT security is to deploy IoT honeypot systems, which can collect attack information and reveal the methods and strategies used by attackers. However, building high-interaction IoT honeypots is challenging due to the heterogeneity of IoT devices. Vulnerabilities in IoT devices typically depend on specific device types or firmware versions, which encourages attackers to perform pre-attack checks to gather device information before launching attacks. Moreover, conventional honeypots are easily detected because their replying logic differs from that of the IoT devices they try to mimic. To address these problems, we develop an adaptive high-interaction honeypot for IoT devices, called HoneyIoT. We first build a real device based attack trace collection system to learn how attackers interact with IoT devices. We then model the attack behavior through markov decision process and leverage reinforcement learning techniques to learn the best responses to engage attackers based on the attack trace. We also use differential analysis techniques to mutate response values in some fields to generate high-fidelity responses. HoneyIoT has been deployed on the public Internet. Experimental results show that HoneyIoT can effectively bypass the pre-attack checks and mislead the attackers into uploading malware. Furthermore, HoneyIoT is covert against widely used reconnaissance and honeypot detection tools.