Generating honeypot traffic for industrial control systems

Htein Lin; Stephen Dunlap; Mason Rice; Barry Mullins

doi:10.1007/978-3-319-70395-4_11

Generating honeypot traffic for industrial control systems

Htein Lin, Stephen Dunlap, Mason Rice, Barry Mullins

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Defending critical infrastructure assets is an important, but extremely difficult and expensive task. Historically, decoys have been used very effectively to distract attackers and, in some cases, convince attackers to reveal their attack strategies. Several researchers have proposed the use of honeypots to protect programmable logic controllers, specifically those used in the critical infrastructure. However, most of these honeypots are static systems that wait for would-be attackers. To be effective, honeypot decoys need to be as realistic as possible. This chapter introduces a proof-of-concept honeypot network traffic generator that mimics a genuine control system in operation. Experiments conducted using a Siemens APOGEE building automation system for single and dual subnet instantiations indicate that the proposed traffic generator supports honeypot integration, traffic matching and routing in a decoy building automation network.

Original language	English
Title of host publication	Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers
Editors	Sujeet Shenoi, Mason Rice
Publisher	Springer New York LLC
Pages	193-223
Number of pages	31
ISBN (Print)	9783319703947
DOIs	https://doi.org/10.1007/978-3-319-70395-4_11
State	Published - 2017
Externally published	Yes
Event	11th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2017 - Arlington, United States Duration: Mar 13 2017 → Mar 15 2017

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	512
ISSN (Print)	1868-4238

Conference

Conference	11th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2017
Country/Territory	United States
City	Arlington
Period	03/13/17 → 03/15/17

Funding

This research was partially supported by the U.S. Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Keywords

Honeypots
Industrial control systems
Network traffic generation

Access to Document

10.1007/978-3-319-70395-4_11

Cite this

Lin, H., Dunlap, S., Rice, M., & Mullins, B. (2017). Generating honeypot traffic for industrial control systems. In S. Shenoi, & M. Rice (Eds.), Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers (pp. 193-223). (IFIP Advances in Information and Communication Technology; Vol. 512). Springer New York LLC. https://doi.org/10.1007/978-3-319-70395-4_11

Lin, Htein ; Dunlap, Stephen ; Rice, Mason et al. / Generating honeypot traffic for industrial control systems. Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers. editor / Sujeet Shenoi ; Mason Rice. Springer New York LLC, 2017. pp. 193-223 (IFIP Advances in Information and Communication Technology).

@inproceedings{3c0f191848834d18b499e02641fcf19a,

title = "Generating honeypot traffic for industrial control systems",

abstract = "Defending critical infrastructure assets is an important, but extremely difficult and expensive task. Historically, decoys have been used very effectively to distract attackers and, in some cases, convince attackers to reveal their attack strategies. Several researchers have proposed the use of honeypots to protect programmable logic controllers, specifically those used in the critical infrastructure. However, most of these honeypots are static systems that wait for would-be attackers. To be effective, honeypot decoys need to be as realistic as possible. This chapter introduces a proof-of-concept honeypot network traffic generator that mimics a genuine control system in operation. Experiments conducted using a Siemens APOGEE building automation system for single and dual subnet instantiations indicate that the proposed traffic generator supports honeypot integration, traffic matching and routing in a decoy building automation network.",

keywords = "Honeypots, Industrial control systems, Network traffic generation",

author = "Htein Lin and Stephen Dunlap and Mason Rice and Barry Mullins",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2017.; 11th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2017 ; Conference date: 13-03-2017 Through 15-03-2017",

year = "2017",

doi = "10.1007/978-3-319-70395-4_11",

language = "English",

isbn = "9783319703947",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "193--223",

editor = "Sujeet Shenoi and Mason Rice",

booktitle = "Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers",

}

Lin, H, Dunlap, S, Rice, M & Mullins, B 2017, Generating honeypot traffic for industrial control systems. in S Shenoi & M Rice (eds), Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers. IFIP Advances in Information and Communication Technology, vol. 512, Springer New York LLC, pp. 193-223, 11th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2017, Arlington, United States, 03/13/17. https://doi.org/10.1007/978-3-319-70395-4_11

Generating honeypot traffic for industrial control systems. / Lin, Htein; Dunlap, Stephen; Rice, Mason et al.
Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers. ed. / Sujeet Shenoi; Mason Rice. Springer New York LLC, 2017. p. 193-223 (IFIP Advances in Information and Communication Technology; Vol. 512).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Generating honeypot traffic for industrial control systems

AU - Lin, Htein

AU - Dunlap, Stephen

AU - Rice, Mason

AU - Mullins, Barry

N1 - Publisher Copyright: © IFIP International Federation for Information Processing 2017.

PY - 2017

Y1 - 2017

N2 - Defending critical infrastructure assets is an important, but extremely difficult and expensive task. Historically, decoys have been used very effectively to distract attackers and, in some cases, convince attackers to reveal their attack strategies. Several researchers have proposed the use of honeypots to protect programmable logic controllers, specifically those used in the critical infrastructure. However, most of these honeypots are static systems that wait for would-be attackers. To be effective, honeypot decoys need to be as realistic as possible. This chapter introduces a proof-of-concept honeypot network traffic generator that mimics a genuine control system in operation. Experiments conducted using a Siemens APOGEE building automation system for single and dual subnet instantiations indicate that the proposed traffic generator supports honeypot integration, traffic matching and routing in a decoy building automation network.

AB - Defending critical infrastructure assets is an important, but extremely difficult and expensive task. Historically, decoys have been used very effectively to distract attackers and, in some cases, convince attackers to reveal their attack strategies. Several researchers have proposed the use of honeypots to protect programmable logic controllers, specifically those used in the critical infrastructure. However, most of these honeypots are static systems that wait for would-be attackers. To be effective, honeypot decoys need to be as realistic as possible. This chapter introduces a proof-of-concept honeypot network traffic generator that mimics a genuine control system in operation. Experiments conducted using a Siemens APOGEE building automation system for single and dual subnet instantiations indicate that the proposed traffic generator supports honeypot integration, traffic matching and routing in a decoy building automation network.

KW - Honeypots

KW - Industrial control systems

KW - Network traffic generation

UR - http://www.scopus.com/inward/record.url?scp=85036662175&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-70395-4_11

DO - 10.1007/978-3-319-70395-4_11

M3 - Conference contribution

AN - SCOPUS:85036662175

SN - 9783319703947

T3 - IFIP Advances in Information and Communication Technology

SP - 193

EP - 223

BT - Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers

A2 - Shenoi, Sujeet

A2 - Rice, Mason

PB - Springer New York LLC

T2 - 11th IFIP WG 11.10 International Conference on Critical Infrastructure Protection, ICCIP 2017

Y2 - 13 March 2017 through 15 March 2017

ER -

Lin H, Dunlap S, Rice M, Mullins B. Generating honeypot traffic for industrial control systems. In Shenoi S, Rice M, editors, Critical Infrastructure Protection XI - 11th IFIP WG 11.10 International Conference, ICCIP 2017, Revised Selected Papers. Springer New York LLC. 2017. p. 193-223. (IFIP Advances in Information and Communication Technology). doi: 10.1007/978-3-319-70395-4_11

Generating honeypot traffic for industrial control systems

Abstract

Publication series

Conference

Funding

Keywords

Access to Document

Other files and links

Fingerprint

Cite this