Litcius/Paper detail

<i>HoneyJudge</i>: A PLC Honeypot Identification Framework Based on Device Memory Testing

Hengye Zhu, Mengxiang Liu, Binbin Chen, Xin Che, Peng Cheng, Ruilong Deng

2024IEEE Transactions on Information Forensics and Security10 citationsDOI

Abstract

The widespread use of programmable logic controllers (PLCs) in critical infrastructures has given rise to escalating cybersecurity concerns regarding PLC attacks. As a proactive defense mechanism, PLC honeypots emulate genuine controllers to engage adversaries so as to observe their attack tactics and techniques. As part of the arms race between the offense and defense, multiple PLC honeypot identification tools have been developed. However, many existing tools cannot recognize high-fidelity honeypots, since they rely on identifying common network services and fingerprints. In this paper, we propose an innovative and practical honeypot identification framework called <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">HoneyJudge</i> , which goes beyond state-of-the-art (SOTA) network fingerprint-based identification tools like Nmap and the PLCScan tool. <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">HoneyJudge</i> tests the suspected target’s special memory content and features. Specifically, <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">HoneyJudge</i> models the internal memory of a PLC in three categories, from system-level, user-level, to process-level categories, based on which it extracts six representative memory features. All characteristics are acquired through automated network request messages. Then, we design a weighted voting algorithm to combine the test results over different memory features to reach the final conclusion. We validate the effectiveness of <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">HoneyJudge</i> in comparison with several SOTA honeypot identification tools, and the results indicate that the memory-related issues have not been well addressed in existing PLC honeypots and still need substantial research efforts.

Topics & Concepts

HoneypotComputer scienceIdentification (biology)Embedded systemOperating systemComputer securityBotanyBiologyIndustrial Automation and Control SystemsSmart Grid Security and ResilienceECG Monitoring and Analysis