基于仿真的工控蜜罐研究进展与挑战

摘要/Abstract

摘要： 随着工业互联网的快速发展，针对工业控制系统的攻击层出不穷，造成工业基础设施瘫痪、生产中断、经济损失和人身伤害等严重后果.工控蜜罐是一种欺骗工具，可以作为诱饵吸引攻击者并伪装成真实系统提供访问权限，以诱骗攻击者进行下一步攻击，保护真正的工业控制系统.针对工控蜜罐研究现状进行了深入分析，给出了工控蜜罐的定义及其特征，并重点从基于协议模拟的工控蜜罐、基于结构仿真的工控蜜罐、基于模拟工具的工控蜜罐、基于漏洞模拟的工控蜜罐以及基于混合模拟的工控蜜罐等方面全面分析了基于仿真的工控蜜罐研究进展情况.最后，讨论和分析了当前工控蜜罐仿真模拟过程中面临的挑战和未来发展方向.

关键词: 工控安全, 蜜罐, 工控协议, 可编程逻辑控制器, 工控仿真

Abstract: With the rapid development of the industrial Internet, attacks against industrial control systems have emerged one after another, causing serious consequences such as industrial infrastructure paralysis, production interruptions, economic losses, and personal injury. Honeypot for industrial control system is one kind of deceptive tools which can lure attackers and masquerade as genuine systems to provide access privileges, thus deceiving attackers into conducting subsequent attacks and safeguarding the actual industrial control systems. This paper conducts an indepth analysis of the current research status of industrial honeypots, providing definitions and characteristics of industrial honeypots. It particularly focuses on various types of simulationbased industrial honeypots, including protocolbased simulation honeypots, structurebased simulation honeypots, simulationtoolbased honeypots, vulnerabilitybased simulation honeypots, and hybrid simulation honeypots, comprehensively analyzing the research progress in simulationbased industrial honeypots. Finally, the challenges and future development directions in the simulation and emulation progress of industrial honeypots are discussed and analyzed.

Key words: ICS security, honeypot, ICS protocol, programmable logic controller, ICS simulation

中图分类号:

TP393.08

颜欣晔, 李昕, 张博, 付安民, . 基于仿真的工控蜜罐研究进展与挑战[J]. 信息安全研究, 2024, 10(4): 325-.

参考文献

［1］Stouffer K, Lightman S, Pillitteri V, et al. Guide to industrial control systems (ICS) security［EBOL］. 2011 ［20240322］. https:nvlpubs.nist.govnistpubsSpecial PublicationsNIST.SP.80082.pdf［2］高志新. 工业控制系统信息安全事件分析及对安全防护的启示［J］. 信息网络安全, 2016(增刊): 1823［3］傅扬. 国内外工业互联网安全态势和风险分析［J］. 信息安全研究, 2019, 5(8): 728733［4］游建舟, 吕世超, 孙玉砚, 等. 物联网蜜罐综述［J］. 信息安全学报, 2020, 5(4): 138156［5］Wang Ping, Wu Lei, Cunningham R, et al. Honeypot detection in advanced botnet attacks［J］. International Journal of Information and Computer Security, 2010, 4(1): 3051［6］张博, 崔佳巍, 屈肃, 等. 高级持续性威胁及其重构研究进展与挑战［J］. 信息安全研究, 2021, 7(6): 512519［7］Sharma N, Sran S S. Detection of threats in honeynet using honeywall［J］. International Journal on Computer Science and Engineering, 2011, 3(10): 33323336［8］Fan Wenjun, Du Zhihui, Fernández D. Taxonomy of honeynet solutions［C］ Proc of the 2015 SAI Intelligent Systems Conf (IntelliSys). Piscataway, NJ: IEEE, 2015: 10021009［9］Campbell R M, Padayachee K, Masombuka T. A survey of honeypot research: Trends and opportunities［C］ Proc of the 10th Int Conf for Internet Technology and Secured Trans (ICITST). Piscataway, NJ: IEEE, 2015: 208212［10］Razali M F, Razali M N, Mansor F Z, et al.IoT honeypot: A review from researcher’s perspective［C］ Proc of the IEEE Conf on Application, Information and Network Security (AINS). Piscataway, NJ: IEEE, 2018: 9398［11］Fan Wenjun, Du Zhihui, Fernández D, et al. Enabling an anatomic view to investigate honeypot systems: A survey［J］. IEEE Systems Journal, 2017, 12(4): 39063919［12］Lau S, Klick J, Arndt S, et al. POSTER: Towards highly interactive honeypots for industrial control systems［C］ Proc of the 2016 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM，2016: 18231825［13］Luo Tongbo, Xu Zhaoyan, Jin Xing, et al. IoTCandyJar: Towards an intelligentinteraction honeypot for IoT devices［J］. Black Hat, 2017,1(1): 111［14］Zobal L, Koláǐ D, Fujdiak R. Current state of honeypots and deception strategies in cybersecurity［C］ Proc of the 11th Int Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT). Piscataway, NJ: IEEE, 2019: 19［15］Davidson C C, Andel T R, Yampolskiy M, et al. On SCADA PLC and fieldbus cybersecurity［COL］ Proc of the 13th Int Conf on Cyber Warfare and Security (ICCWS 2018). 2018 ［20240322］. https:www.researchgate.netprofileCordellDavidson2publication323725974_On_SCADA_PLC_and_Fieldbus_CyberSecuritylinks5aa775384585152 d7665ce5cOnSCADAPLCandFieldbusCyberSecurity.pdf［16］孙瑞勇, 李峰, 孙晓鹏, 等. 一款基于主动防御机制的伪装诱捕与威胁感知产品［J］. 信息安全研究, 2022, 7(增刊1): 114118［17］石乐义, 李阳, 马猛飞. 蜜罐技术研究新进展［J］. 电子与信息学报, 2019, 41(2): 498508［18］Krawetz N. Antihoneypot technology［J］. IEEE Security & Privacy, 2004, 2(1): 7679［19］Pouget F, Dacier M. Honeypotbased forensics［COL］ Proc of the AusCERT Asia Pacific Information Technology. 2004 ［20240322］. https:citeseerx.ist.psu.edudocument?repid=rep1&type=pdf&doi=a1321a29ef2b7d6f3c26c378 2bc1485d22ddd9bc［20］崔永富, 翟江涛, 林鹏. 一种基于格式保持加密的高安全 S7400 工控蜜罐构建方法［J］. 重庆理工大学学报, 2022, 36(4): 170176［21］Pittman J M, Hoffpauir K, Markle N, et al. Ataxonomy for dynamic honeypot measures of effectiveness［J］. arXiv preprint, arXiv:2005.12969, 2020［22］LópezMorales E, RubioMedrano C, Doupé A, et al. HoneyPLC: A nextgeneration honeypot for industrial control systems［C］ Proc of the 2020 ACM SIGSAC Conf on Computer and Communications Security. New York: ACM, 2020: 279291［23］Bagyalakshmi G, Rajkumar G, Arunkumar N, et al. Network vulnerability analysis on brain signalimage databases using Nmap and Wireshark tools［J］. IEEE Access, 2018, 6: 5714457151［24］Bodenheim R, Butts J, Dunlap S, et al. Evaluation of the ability of the Shodan search engine to identify Internetfacing industrial control devices［J］. International Journal of Critical Infrastructure Protection, 2014, 7(2): 114123［25］Franco J, Aris A, Canberk B, et al. A survey of honeypots and honeynets for Internet of things, industrial Internet of things, and cyberphysical systems［J］. IEEE Communications Surveys & Tutorials, 2021, 23(4): 23512383［26］Xiao Feng, Chen Enhong, Xu Qiang. S7commtrace: A high interactive honeypot for industrial control system based on S7 protocol［C］ Proc of the 19th Int Conf on Information and Communications Security. Berlin: Springer, 2018: 412423［27］Hui H, McLaughlin K. Investigating current PLC security issues regarding Siemens S7 communications and TIA portal［COL］ Proc of the 5th Int Symp for ICS & SCADA Cyber Security Research. 2018: 6773 ［20230706］. https:pureadmin.qub.ac.ukwsportalfilesportal161438179ewic_icscsr18_paper8.pdf［28］Jicha A, Patton M, Chen H. SCADA honeypots: An indepth analysis of Conpot［C］ Proc of the 2016 IEEE Conf on Intelligence and Security Informatics (ISI). Piscataway, NJ: IEEE, 2016: 196198［29］Provos N. Avirtual honeypot framework［C］ Proc of the USENIX Security Symp. Berkeley,CA: USENIX Association, 2004: 114［30］Radwan F A, Martin T W. Realtime monitoring and controlling of an AllenBradley SLC 500 through the Internet［C］ Proc of the IEEE Int Conf on Industrial Technology. Piscataway, NJ: IEEE, 2003: 387392［31］何跃武. ABB变频器与三菱PLC间的ModbusRTU协议通信［J］. 自动化应用, 2012 (1): 5153［32］宋国江, 肖荣华, 晏培. 工业控制系统中PLC面临的网络空间安全威胁［J］. 信息网络安全, 2016 (9): 228233［33］Aloui N B. Industrial control systems dynamic code injection［EBOL］. 2015 ［20240322］. http:grehack.orgfiles2015Grehack%202015%20%20Paper%20%20Industrial%20Control%20Systems%20Dynamic%20Code%20Injection.pdf［34］Gunathilaka P,Mashima D, Chen B. SoftGrid: A softwarebased smart grid testbed for evaluating substation cybersecurity solutions［C］ Proc of the 2nd ACM Workshop on CyberPhysical Systems Security and Privacy. New York: ACM, 2016: 113124［35］Zhang Dong, Li Shuhui, Zeng Peng, et al. Optimal microgrid control and powerflow study with different bidding policies by using PowerWorld simulator［J］. IEEE Trans on Sustainable Energy, 2013, 5(1): 282292［36］De Oliveira R L S, Schweitzer C M, Shinoda A A, et al. Using mininet for emulation and prototyping softwaredefined networks［C］ Proc of the 2014 IEEE Colombian Conf on Communications and Computing (COLCOM). Piscataway, NJ: IEEE, 2014: 16［37］Mashima D, Chen Binbin, Gunathilaka P, et al. Towards a gridwide, highfidelity electrical substation honeynet［C］ Proc of the 2017 IEEE Int Conf on Smart Grid Communications (SmartGridComm). Piscataway, NJ: IEEE, 2017: 8995［38］Ding Chenpeng, Zhai Jiangtao, Dai Yuewei. An improved ICS honeypot based on SNAP7 and IMUNES［C］ Proc of the 4th Int Conf on Cloud Computing and Security. Berlin: Springer, 2018: 303313［39］Zhang Weizhe, Zhang Bin, Zhou Ying, et al. An IoT honeynet based on multiport honeypots for capturing IoT attacks［J］. IEEE Internet of Things Journal, 2019, 7(5): 39913999［40］Seifert C, Welch I,Komisarczuk P. Taxonomy of honeypots, CSTR06［ROL］. Victoria University of Wellington, 2006 ［20240322］. http:www.mcs.vuw.ac.nzcompPublicationsarchiveCSTR06CSTR0612.pdf［41］Mokube I, Adams M. Honeypots:Concepts, approaches, and challenges［C］ Proc of the 45th Annual Southeast Regional Conf. New York: ACM, 2007: 321326［42］徐震, 周晓军, 王利明, 等. PLC攻防关键技术研究进展［J］. 信息安全学报, 2019, 4(3): 4869［43］Bringer M L,Chelmecki C A, Fujinoki H. A survey: Recent advances and future trends in honeypot research［J］. International Journal of Computer Network and Information Security, 2012, 4(10): 6375［44］Shi Leyi, Li Yang, Liu Tianxu, et al. Dynamic distributed honeypot based on blockchain［J］. IEEE Access, 2019, 7: 7223472246［45］Hajda J, Jakuszewski R, Ogonowski S. Security challenges in industry 4.0 PLC systems［J］. Applied Sciences, 2021, 11(21): 97859810

[1]	卢列文, 路丹舒, 马跃强, . 一种虚实结合的工控安全实训靶场平台设计[J]. 信息安全研究, 2024, 10(1): 75-.
[2]	肖萌, 路超, 田珊珊, 李昂, 王子亮, . 蜜罐及威胁情报技术在市场监督管理网络安全防御中的应用[J]. 信息安全研究, 2023, 9(E1): 117-.
[3]	苗维杰, 夏春宇, 赵峰, . 基于可信技术的工控系统安全解决方案研究[J]. 信息安全研究, 2022, 8(E2): 48-.
[4]	贾悦霖, 赵凡, 王瑜, . 5G+ 基于云化蜜罐网络安全感知解决方案[J]. 信息安全研究, 2022, 8(E1): 31-.
[5]	宁力军, 刘健康, 杨昀桦, . 电力调度安全监测管控解决方案[J]. 信息安全研究, 2022, 8(E1): 68-.
[6]	孙瑞勇, 李峰, 孙晓鹏, 王绍密. 一款基于主动防御机制的伪装诱捕与威胁感知产品[J]. 信息安全研究, 2021, 7(E1): 112-.
[7]	解旭东. 工业互联网安全监测审计及态势感知技术研究[J]. 信息安全研究, 2020, 6(11): 0-0.
[8]	丁剑明. 煤矿工业控制系统安全现状和解决方案[J]. 信息安全研究, 2019, 5(8): 656-662.
[9]	刘志勇朱希收王玉峰. 基于流量分析的工控系统安全防护策略研究[J]. 信息安全研究, 2019, 5(8): 668-672.
[10]	何作峰李华中张宝琨. 某油田采油作业区工控安全技术研究[J]. 信息安全研究, 2019, 5(8): 696-702.
[11]	李仲博. 热力行业工控安全防护方案设计和实践[J]. 信息安全研究, 2019, 5(8): 715-721.
[12]	傅扬. 国内外工业互联网安全态势和风险分析[J]. 信息安全研究, 2019, 5(8): 728-733.
[13]	吕佩吾葛雅川李楠周彦飞. 基于卷积神经网络的工控协议Modbus TCP 异常检测[J]. 信息安全研究, 2019, 5(7): 635-638.
[14]	景亮方晖蒋坚迪. 城市轨交AFC系统安全建设方案的设计与分析[J]. 信息安全研究, 2018, 4(1): 91-96.