A Survey of Honeypots and Honeynets for the Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems (Part 3)
Date: 1 June 2022
Javier Franco, Ahmet Aris, Berk Canberk, A. Selcuk Uluagac
Cyber-Physical Systems Security Lab, Florida International University, Florida, USA
Department of Computer Engineering, Istanbul Technical University, Istanbul, Turkey
Email: {jfran243, aaris, suluagac}@fiu.edu, [email protected]
Abstract
The Internet of Things (IoT), the Industrial Internet of Things (IIoT) and Cyber-Physical Systems (CPS) have become indispensable to the economy and to everyday life, with applications in homes, buildings, cities, healthcare, transportation, manufacturing, infrastructure and agriculture. Because of their inherent limitations they are prone to vulnerabilities and have become prime targets for attackers. Honeypots and honeynets deceive attackers by posing as genuine production environments; they capture attack data precisely, allow attack behaviour to be analysed, and defend effectively against attacks on IoT, IIoT and CPS environments, complementing other security solutions such as firewalls and intrusion detection systems (IDSs). This paper presents a comprehensive survey of honeypot and honeynet research in the IoT, IIoT and CPS domains, analyses the known honeypots and honeynets in depth, proposes a taxonomy, details the key elements of state-of-the-art work, and identifies the open problems that most urgently need to be addressed.
Keywords: honeypot, honeynet, IoT, IIoT, CPS
This is the third and final part of "A Survey of Honeypots and Honeynets for the Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems". For the complete text, follow the links below:
"A Survey of Honeypots and Honeynets for the Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems" (Part 1)
"A Survey of Honeypots and Honeynets for the Internet of Things, Industrial Internet of Things, and Cyber-Physical Systems" (Part 2)
9. Lessons Learned and Open Issues
For honeypots and honeynets in IoT, IIoT and CPS settings, it is essential to highlight the key design considerations. Doing so helps in understanding the state of the art and guides further research and practice.
A. Lessons Learned
Anyone developing or researching an IoT, IIoT or CPS honeypot/honeynet weighs several key factors at the planning stage. The main ones are the target application domain, the security purpose of the honeypot/honeynet, cost, deployment location, the intended interaction level, the resource level, the services to be provided/emulated/simulated, the real services offered to attackers, the tools used, the likelihood of being fingerprinted or indexed, and the liability issues that may arise.
Identifying the target application domain: The inherent characteristics of IIoT and CPS applications shape the entire honeypot/honeynet design. Devices, communication channel characteristics, protocols, traffic rates, application QoS requirements and many other factors differ from one application to another. CPS and IIoT devices differ markedly from ordinary IoT devices, and the industrial protocols they use differ from those found in traditional ICS or IoT settings. Such industrial devices often have lifetimes of decades, operate under real-time constraints, cannot tolerate interruption of operations [9][134], and control critical national infrastructure. Whereas traditional IoT applications do not involve physical processes that require continuous monitoring, such requirements are common in IIoT and CPS applications. For these reasons, clearly identifying the target application and its characteristics is essential.
Purpose of the honeypot/honeynet: The purpose of deploying a honeypot or honeynet strongly influences the measures needed to ensure that attacks on the honeynet cannot damage the infrastructure it relies on. In research settings this is usually achieved by isolating the honeynet, for example by placing it in a DMZ. If, however, a production honeypot is deployed in an IIoT or CPS environment, where industrial devices monitor critical plant processes, the deception system must be designed with particular care. In an industrial environment such a production honeypot must be guaranteed not to be compromisable by attackers and must not interfere with the communication and control processes of the existing industrial devices (e.g., operations resources). Note also that honeypots and honeynets cannot block attacks [8]; administrators must therefore pay close attention to the alerts and logs the honeypot produces.
Deployment location: Although the deployment location has a major influence on how a honeypot behaves, only 12 studies state where they deployed. Two CPS studies [130][134] deployed their honeypots within a campus network, which may alert attackers: attackers check the address range of a target before attacking, and a CPS deployment inside a campus network is clearly suspicious. Two other CPS studies [130][134] and three IoT studies [74][88][93] deployed on cloud platforms. This gives the honeypot/honeynet owner a global view of attacks and is more attractive to attackers than a campus deployment, but attackers can still recognise that the target runs in a cloud provider's IP range. Two CPS studies [40][155] and three IoT studies [63][86][92] deployed on public IP addresses, which is a better solution. Guarnizo [92] notes that the geographic location, i.e. the country or city in which the system is deployed and exposed to attackers, is an important consideration, because attackers tend to choose target devices in particular cities when they begin selecting targets, and often consider reselling the IP addresses of compromised devices.
Cost: Cost is a key factor in developing honeypot and honeynet projects. Choosing physical resources and closed-source tools instead of virtual resources and open-source tools makes a honeypot or honeynet project very expensive. Note also that the devices used in industrial applications, such as PLCs, IEDs, RTUs and RIOs, are far more expensive than commercial off-the-shelf (COTS) IoT devices. The complexity of a honeypot, and especially of a honeynet, is another major cost driver: complexity and interaction level grow with the number of services/protocols supported. As the interaction level and the number of supported services/protocols increase, both the volume and the fidelity of the captured attack data increase, requiring more resources for storage and processing. Deployment location also affects cost directly. Deploying a honeypot or honeynet in a campus network saves money but, as noted, easily raises attackers' suspicion. Cloud deployment costs more than campus deployment, and attackers can still easily determine that the IP address belongs to a cloud provider's address pool. The third option, leasing dedicated IP addresses, avoids attacker suspicion but costs more than cloud deployment. Honeypot/honeynet developers and researchers must therefore weigh the resources required, the interaction level, the deployment environment and the complexity, all of which drive cost.
Interaction level: As discussed in Section 4, the interaction level of a honeypot/honeynet affects many aspects. As described in Sections 6 and 8, existing IoT, IIoT and CPS honeypot and honeynet studies cover nearly every possible interaction level. However, to detect sophisticated attacks against IoT, IIoT and CPS devices and to understand their potential impact on industrial processes and critical infrastructure, high-interaction honeypots are usually needed. While off-the-shelf IoT devices are affordable, specialised industrial devices typically cost thousands of dollars. The resource level and high-fidelity simulation therefore need to be considered at the start of a project; these factors are discussed next.
Choice of resource level: Whether an IoT, IIoT or CPS honeypot/honeynet is built from real, emulated or hybrid devices is a crucial question. Real devices allow high-interaction honeypots that capture high-fidelity attack data and are hard for attackers to identify as honeypots, but the cost of the required industrial devices varies with the target system, and building a honeynet entirely from real industrial devices is very expensive. Researchers therefore tend to design honeypots/honeynets from virtual resources. Virtualisation gives IoT, IIoT and CPS honeypots a scalable, heterogeneous, easily maintained and cost-optimised deployment option. Dang et al. [88] found that nearly 92.1% of malware-based attacks targeted multiple IoT device architectures and made a clear case for virtual IoT honeypot solutions. At the same time, they observed that, compared with physical honeypots, their virtual honeypots received 37% fewer suspicious connections and captured 39% fewer attacks, while capturing a wider but less targeted range of attack types. Dang et al. [88] also report that building and operating virtual honeypots costs 12.5 times less than physical ones. All of these factors must be considered when designing a honeypot/honeynet. In hybrid deployments, the trade-off between physical and virtual device resources is an important consideration. The choice of real or emulated device model also affects how attractive the system is to attackers: Guarnizo [92] notes that choosing device models with known vulnerabilities lures attackers more effectively.
Choice of emulated services and their fidelity: Choosing which services to provide or emulate, and ensuring their fidelity, are key elements of honeypot/honeynet design, and these considerations matter even more for IIoT and CPS systems. Which services will be provided? Does it make sense to support every protocol and service of the target application domain? If not, how should one choose from the candidate set of protocols/services? Scott [8] points out that honeypots and honeynets should emulate only services the imitated device could plausibly host: if the imitated device does not have or support a particular service but the honeypot does, attackers will easily realise they are interacting with a deception system. Once the services/protocols to support have been determined, the next important aspect is fidelity.
When deploying a honeypot or honeynet in an IoT, IIoT or CPS setting, one guiding principle is how to emulate a real system convincingly, so that neither attackers nor Internet-wide search engines recognise their counterpart as a deception system. This is vital, since the whole point of a honeypot is to attract attackers and collect as much attack data as possible by interacting with them. To help honeynets deployed in IoT environments avoid detection, Surnin et al. [33] make the following recommendations: run a limited number of services to emulate a more realistic environment; the host targeted by ping requests should be a known host; files created by the attacker should not be deleted; utility commands should return a list of running processes; no hard-coded values should be exposed; emulated Linux utilities should have the full functionality of the originals; and files requested by the attacker should first be sent to a sandbox with a set delay and then checked on an external service such as VirusTotal. Zamiri-Gourabi et al. [35] note that default hard-coded configurations, missing functionality in emulated services or protocols, unusual or unrealistic behaviour, the fingerprintability of the hosting platform and response times can all serve as fingerprints of honeypots and honeynets. IIoT and CPS honeypots/honeynets should simulate plant processes realistically. Unfortunately, only a small fraction of honeypot/honeynet projects address these key issues for IIoT and CPS applications, whereas a number of IoT honeypot studies have considered them. In fact, the most common tools in IoT honeypot and honeynet research are those used to check the available services and the realism of responses, including response time and other factors affecting fingerprintability, which are discussed below.
Choice of tools: When selecting tools such as scanners, honeypot or honeynet designers should consider the characteristics of the deployment area or target application domain. Not every tool supports all IoT, IIoT and CPS applications and their protocols and services. Tools that support vulnerability checking should also be considered [8]. Designers should further consider how the honeypot or honeynet fits with additional tools that can mitigate attacks against the honeynet. Although medium- and high-interaction honeypots interact more fully with attackers, attackers usually have tools to detect whether they are interacting with a virtual environment and whether their actions are being recorded. Researchers use tools such as Sebek to record attacker activity transparently.
Presence in search engines and fingerprintability: One of the most important design factors is ensuring that the honeypot/honeynet appears in search engines without being fingerprinted as a deception system. Honeypot/honeynet owners must therefore monitor IoT search engines, which detect and identify Internet-connected devices and honeypots; the best-known example is Shodan. The literature disagrees on whether being indexed by such engines affects the attacks received. Guarnizo [92], for example, found that the number of attacks on a device rose significantly during the first weeks after it was listed on Shodan. By explicitly pointing out Internet-connected attackable targets, such search services may make attackers' work easier. Being indexed by such a search engine confirms that the honeypot/honeynet is reachable; being listed as a real system rather than as a honeypot/honeynet is the ultimate goal of a honeypot project's creators.
Comparison of IoT, IIoT and CPS honeypots/honeynets: Honeypot and honeynet research in IoT, IIoT and CPS settings is an important research area. Although the preceding sections summarised the relevant studies and proposed a taxonomy, it is important to compare IoT, IIoT and CPS deception systems and highlight their similarities and differences. The first notable difference is in the services supported. IoT deception systems most often support Telnet, SSH and HTTP, protocols that are not specific to IoT, whereas CPS deception systems most often support industrial protocols such as Modbus, S7comm and EtherNet/IP, along with non-industrial protocols such as HTTP and SNMP. With only two IIoT deception systems, only one of which exposes services, IIoT sits in between, supporting both industrial and non-industrial protocols. The second difference concerns process simulation: while some CPS deception systems simulate industrial processes for scenarios such as ICS plants, water management, power grids and building HVAC systems, this survey found no such process simulation in the proposed IoT deception systems. The third difference is the interaction level of the proposed honeypots and honeynets: most IoT deception systems are medium-interaction (10 studies), whereas most CPS honeypots are low-interaction decoys (16 studies). The cost of physical ICS devices and the difficulty of realistic process simulation play a major role in the choice of interaction level for CPS honeypots and honeynets. Across IoT, IIoT and CPS settings, honeypots built on virtual resources and playing the server role are the most common.
Control and liability: Control and liability are largely neglected when deploying honeypots or honeynets in IoT, IIoT and CPS settings, but designers should always take them into account. The higher the interaction level a honeypot allows, the greater the risk that it is compromised and used to attack other systems on the network or even other networks. Scott [8] advises becoming familiar with the law before deploying a honeypot, since in some jurisdictions honeypots can be interpreted as entrapment. Haney [131] stresses the importance of taking liability and legal issues into account and making data control the first priority, even if this means data capture may suffer. Haney recommends both automatic and manual data-control mechanisms, with at least two safeguards so that a second option is always available if one data-control method fails. Sokol [26] emphasises that, to address security, data control and liability, a honeynet should include: a firewall that opens only the required network ports; a dynamic connection (re-connection) mechanism that decides whether a connection is trusted and may be admitted; a testbed for analysing data; an emulated dedicated virtual network to confine attackers; and a control centre that monitors connections and handles incident response.
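The data-control design just described can be sketched as a single decision function. The Python below is an added example, not code from the paper or from any of the surveyed projects: it exposes only the emulated service ports inbound, keeps the decoys away from the control network, limits outbound connections per decoy, and backs that automatic limit with a second, independent quarantine control. All addresses (RFC 5737 documentation ranges), ports and limits are constructed placeholders.

```python
"""Honeynet data-control gate (constructed example).

Implements three of the controls discussed above: a firewall that opens only
the emulated service ports, a per-connection decision mechanism, and a second
safeguard (quarantine) that takes over when the automatic outbound limit is hit.
Addresses are RFC 5737 documentation ranges; limits are placeholders.
"""
import ipaddress
from collections import deque

# Placeholder: the analysis/control network a compromised decoy must never reach.
CONTROL_NET = ipaddress.ip_network("192.0.2.0/24")
# Only the emulated services (here Telnet, HTTP, Modbus) are reachable inbound.
EMULATED_PORTS = {23, 80, 502}


class DataControlGate:
    """Decides, per connection attempt, whether the honeynet lets it through."""

    def __init__(self, decoys, outbound_limit=20, window_s=3600):
        self.decoys = {ipaddress.ip_address(d) for d in decoys}
        self.limit = outbound_limit        # outbound connections per decoy per window
        self.window_s = window_s
        self.outbound = {d: deque() for d in self.decoys}   # timestamps per decoy
        self.quarantined = set()           # second, independent control
        self.audit = []                    # every decision, for the control centre

    def quarantine(self, host):
        """Manual or automatic isolation of a decoy, independent of the counters."""
        self.quarantined.add(ipaddress.ip_address(host))

    def release(self, host):
        self.quarantined.discard(ipaddress.ip_address(host))

    def decide(self, ts, src, dst, dport):
        """Return the verdict for one connection attempt at time ts (seconds)."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        verdict = self._decide(ts, src, dst, dport)
        self.audit.append((ts, str(src), str(dst), dport, verdict))
        return verdict

    def _decide(self, ts, src, dst, dport):
        inbound, outbound = dst in self.decoys, src in self.decoys
        if not inbound and not outbound:
            return "drop-unrelated"
        if (inbound and dst in self.quarantined) or (outbound and src in self.quarantined):
            return "drop-quarantined"
        if inbound:
            # Inbound (including decoy-to-decoy lateral moves, which stay inside the
            # honeynet): emulated services are open and logged; closed ports are
            # dropped so the decoy looks like the real device.
            return "allow-log" if dport in EMULATED_PORTS else "drop-closed-port"
        # Outbound from a decoy: never towards the control network.
        if dst in CONTROL_NET:
            return "drop-to-control-net"
        # Sliding-window outbound limit (Honeywall-style connection limiting).
        q = self.outbound[src]
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.limit:
            # Automatic control exceeded: hand over to the second safeguard so the
            # decoy cannot be used against third parties even if the counter is reset.
            self.quarantine(src)
            return "drop-rate-limited"
        q.append(ts)
        return "allow-log"
```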
Enhancing the security of IoT, IIoT and CPS: Despite the inherent limitations of IoT applications, honeypot and honeynet research shows that deploying honeypots and honeynets is an effective and innovative way to strengthen IoT security. IoTCheck, proposed by Dang et al. [88], is a typical example. IoTCheck is a set of security checks intended to harden IoT devices: whether the device has a strong password set; whether the default system user is a non-root user; and whether unnecessary components are deployed on the device. Dang et al. also recommend that device vendors directly disable security-sensitive shell commands that are not needed. These commands are enabled by default on Linux-based IoT devices but are not required by IoT applications, and they are frequently abused by attackers, creating security risks.
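The three IoTCheck criteria above can be turned into an automated audit of a firmware image's user database and installed binaries. The Python below is an added example, not IoTCheck's own code or that of Dang et al.; the passwd/shadow contents, the binary list, the password policy and the set of "security-sensitive" commands are constructed placeholders.

```python
"""IoTCheck-style hardening audit of a Linux-based IoT firmware image (constructed example).

Checks the three criteria discussed above: strength of the provisioned default
credentials, whether the default login account is root, and whether unnecessary,
security-sensitive components are present. All inputs are synthetic stand-ins
for files extracted from a firmware image.
"""
import re
from dataclasses import dataclass

# Shell commands seldom needed on a production device but routinely used by
# botnet droppers; illustrative placeholder set, not exhaustive.
RISKY_COMMANDS = {"telnetd", "tftp", "wget", "ftpget", "nc"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


@dataclass
class Finding:
    check: str
    detail: str


def parse_passwd(text):
    """Map user name -> (uid, shell) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":")[:7]
            users[name] = (int(uid), shell)
    return users


def parse_shadow(text):
    """Map user name -> password field from /etc/shadow content."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}


def password_is_strong(pw):
    """Placeholder vendor policy: at least 12 characters and three character classes."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    return len(pw) >= 12 and classes >= 3


def audit(passwd_text, shadow_text, binaries, default_creds):
    findings = []
    for name, (uid, shell) in parse_passwd(passwd_text).items():
        # Check 2: the default login account must not be root (uid 0 with a real shell).
        if uid == 0 and shell not in NOLOGIN_SHELLS:
            findings.append(Finding("root-login", f"uid 0 account '{name}' can log in via {shell}"))
    for name, pw in parse_shadow(shadow_text).items():
        # An empty password field means the account has no password at all.
        if pw == "":
            findings.append(Finding("empty-password", f"account '{name}' has no password"))
    for name, pw in default_creds.items():
        # Check 1: provisioned default credentials must satisfy the policy.
        if not password_is_strong(pw):
            findings.append(Finding("weak-default", f"default password for '{name}' fails policy"))
    for b in sorted(set(binaries) & RISKY_COMMANDS):
        # Check 3: unnecessary, security-sensitive components should be removed or disabled.
        findings.append(Finding("unneeded-command", f"'{b}' present in image"))
    return findings


# Constructed firmware image contents (placeholder hash, placeholder accounts).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/home/admin:/bin/sh
daemon:x:1:1:daemon:/:/sbin/nologin
"""
SAMPLE_SHADOW = """root:$6$placeholderhash:18000:0:99999:7:::
admin::18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""
SAMPLE_BINARIES = ["busybox", "sh", "ls", "telnetd", "wget", "ip"]
SAMPLE_DEFAULT_CREDS = {"admin": "admin"}


def run_sample():
    return audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_BINARIES, SAMPLE_DEFAULT_CREDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.check}] {f.detail}")
```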
B. Open Issues
Over the past decade, honeypots and honeynets for IoT, IIoT and CPS applications have been a very active research area. This paper surveyed 79 honeypot/honeynet studies in detail, yet several key problems in the field remain open.
Emerging technologies/domains: This survey found that, among IoT deception systems, honeypots/honeynets for smart homes exist, but there are no studies for emerging scenarios such as wearables, medical devices and smart cities. For IIoT and CPS deception systems, honeypot/honeynet studies exist for general ICS, smart grids, water supply, natural gas and building automation systems, but none were found for smart cities, transportation, nuclear power plants or medical devices. As smart medical devices become widespread in modern healthcare ecosystems, they have become popular targets for a variety of attacks [161]-[163], so deception systems are needed to strengthen the security of these ecosystems. Moreover, this survey found only one honeypot study for building automation systems. With ransomware, cryptomining malware and enterprise IoT attacks on the rise, building automation urgently needs deeper honeypot/honeynet research to protect smart buildings from ransomware. Note that building honeypots and honeynets for new IoT, IIoT and CPS applications requires realistic process models, e.g. of patient vital signs, vehicle operation or nuclear reactions, in order to realise virtual or hybrid deception systems.
Protocols not yet emulated: Existing IoT, IIoT and CPS honeypots/honeynets support a wide range of ICS, IoT and industrial protocols, and several IoT honeypots go as far as emulating entire devices. Yet no study can claim a state-of-the-art honeypot/honeynet that emulates every protocol or service, and existing work pays little attention to IoT-specific protocols. Many protocols and services remain to be emulated, for example the industrial protocols HART (Highway Addressable Remote Transducer) and WirelessHART [171]. Enterprise IoT deployments, moreover, often use proprietary communication protocols, relying on protected intellectual property for security [170]; designing deception systems for such proprietary solutions is therefore another future need. Researching protocols and services that have not yet been emulated would bring valuable contributions to honeypot/honeynet research and practice. One option is to extend open-source honeypots and honeynets such as Conpot, Honeyd, Dionaea and Kippo with emulation of new protocols. While open-source libraries exist for well-known protocols, researchers will still need to reverse-engineer proprietary communication protocols to understand their implementation details.
Emerging platforms: In recent years, researchers and vendors have proposed several IoT device management platforms [172], notably openHAB, Samsung SmartThings, ThingWorx, Amazon AWS IoT, IBM Watson IoT and Apple HomeKit. These platforms differ in the IoT devices they support, their communication protocols and network topologies, their data-processing and event-handling approaches, and their security. Although many studies have built deception systems for general IoT applications, no honeypot or honeynet solution for these emerging platforms has been found. As the platforms become widespread, platform-based IoT applications are becoming a focus for attackers, so honeypot/honeynet research for emerging IoT platforms is one of the needs to be addressed. Researchers can build on existing IoT honeypot/honeynet work by extending open-source IoT deception projects to target these platforms.
Optimal deployment location: As noted above, the IoT, IIoT and CPS honeypot and honeynet studies surveyed here use a variety of deployment environments, including campus networks, cloud platforms and private deployments. Each location has different advantages and disadvantages, assessed along dimensions such as ease of fingerprinting [21][173], suitability for the IoT, IIoT or CPS application, and complexity and cost. Although a few studies examine how to lure attackers in a constrained deployment environment, no work was found that optimises the placement of a decoy system under a given set of constraints. Although this problem is hard, researchers could use relaxation strategies to approximate the optimal deployment location of IoT, IIoT and CPS deception systems.
Remote management: Several tools are available for local or remote management of honeypots/honeynets. Deception systems built on virtual resources are easy to manage locally or remotely, whereas those built on physical resources require developers to perform maintenance on site. The COVID-19 pandemic and the resulting global lockdowns forced researchers to carry out their tasks remotely, and similar disasters would likewise force operators to manage deception systems remotely. The design and deployment of IoT, IIoT and CPS deception systems must take this into account. Remote operation requires secure tools and secure configurations; as the SolarWinds case [174] shows, vulnerabilities in these security tools themselves are only tolerable if continuous vulnerability checking and patching are guaranteed.
Anti-detection mechanisms: Honeypots and honeynets built on virtual resources are widely used in IoT, IIoT and CPS settings, and, as noted above, virtualisation-based solutions have several advantages. However, the malware research literature shows that malware authors already use a virtualised environment as one indicator that the target is a honeypot. None of the IoT, IIoT and CPS honeypot/honeynet studies pays attention to this issue, and none of their evaluations mentions attackers identifying honeypots through the virtualised environment. Nevertheless, we believe the virtual environment will become an important honeypot indicator for future attackers. IoT, IIoT and CPS honeypot and honeynet projects should therefore apply anti-detection mechanisms in their medium/high-interaction virtualised deception systems. Researchers can draw on known anti-detection techniques from malware analysis, such as hiding the tools that reveal the analysis environment and moving the analysis logic to lower layers of the system such as the hypervisor or bare metal [175].
Vulnerabilities of industrial devices: IoT, IIoT and CPS applications use a variety of devices from different vendors. Vulnerability databases such as CVE (Common Vulnerabilities and Exposures) [176] disclose known vulnerabilities in the firmware, operating systems and other software of these devices. As noted earlier, devices carrying such vulnerabilities attract attackers and become easy targets. Some existing honeypot and honeynet studies have considered these vulnerabilities in their designs, but in the IIoT and CPS honeypot field no researcher has yet focused on the vulnerabilities of industrial devices. Whether attackers actually pay attention to industrial device vulnerabilities when choosing targets is, in our view, an open question. One possible approach is to deploy honeypots in IIoT and CPS settings in which some honeypots emulate vulnerable ICS device firmware or management software versions and others emulate patched versions, allowing researchers to analyse whether attackers consider disclosed vulnerabilities when selecting targets.
Insider attacks: Users of IoT, IIoT and CPS systems are highly diverse and have varying levels of skill in deploying honeypots/honeynets, but no study addresses simplified deployment or proposes how its results could be applied at scale. In addition, no existing work considers internal attacks launched by disgruntled employees or spies inside an organisation. Researchers would not, however, place physical or virtual honeypots directly in an enterprise's internal network, so as to prevent insiders from accessing the deception system physically or through virtualisation. We believe that virtualisation technologies such as Network Function Virtualization (NFV) and containers, together with SDN, can be used to develop moving-target-defence honeypot solutions that mitigate insider attacks.
Machine learning: Another open problem is the application of machine learning and artificial intelligence to honeypots. This survey found several honeypot/honeynet studies that use machine learning for automated configuration and data analysis: eight IoT honeypot/honeynet studies [55]-[57][64][66][67][70][72] apply machine learning, but only one IIoT/CPS honeypot study [111] does. We believe that AI will become commonplace in IoT, IIoT and CPS honeypots and honeynets, enabling smarter deception systems that i) adapt to attacker behaviour; ii) distinguish known from novel attacks so that researchers can focus on new threats; and iii) improve the efficiency and adoption of honeypots and honeynets.
Identifying non-malicious decoy traffic: Traditionally, honeypots and honeynets are assumed to receive only malicious traffic, which helps improve the accuracy of IDSs and IPSs. However, IoT honeypots and honeynets built on physical devices can receive non-malicious traffic from vendors. For example, smart home devices from Google, Apple, Samsung and Amazon receive benign vendor traffic for application-specific purposes such as cloud connectivity, health checks and updates. This vendor traffic, together with traffic from benign Internet-wide asset scanning and indexing services such as Shodan and Censys, is received by the deception system and breaks the assumption that honeypots and honeynets see only malicious traffic. Researchers must therefore account for this benign traffic when analysing honeypot traffic. We believe that checking the source IP address of the traffic can help identify non-malicious honeypot traffic. In addition, Ferretti et al. [120] analysed the scanning patterns of legitimate scanners such as Shodan, which can give researchers clues for identifying legitimate traffic.
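The two signals mentioned above, source address and scanning pattern, can be combined into a first-pass triage of honeypot logs. The Python below is an added example, not code from the paper or from Ferretti et al.: the log format, the vendor and scanner address ranges (RFC 5737 documentation space) and the port-sweep heuristic and its thresholds are constructed placeholders, not the published ranges or the measured patterns of any real service.

```python
"""Triage of honeypot connection logs into vendor, scanner and unclassified sources
(constructed example).

Signal 1: source IP membership in known vendor-cloud or benign-scanner ranges.
Signal 2: a port-sweep heuristic for sources on no list (placeholder thresholds).
Everything left over is the traffic an analyst should look at first.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Placeholder allowlists; a real deployment loads the services' published ranges.
KNOWN_RANGES = {
    "vendor-cloud": [ipaddress.ip_network("192.0.2.0/24")],
    "benign-scanner": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed log format: "<ISO timestamp> src=<ip> dport=<port> proto=<proto>"
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable honeypot log line: {line!r}")
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": ipaddress.ip_address(m["src"]),
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def label_by_range(src):
    """Signal 1: membership in a known vendor or scanner range, else None."""
    for label, nets in KNOWN_RANGES.items():
        if any(src in net for net in nets):
            return label
    return None


def sweep_sources(events, min_ports=5, window_s=60):
    """Signal 2: sources touching at least min_ports distinct ports within window_s seconds."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = set()
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            window = [e for e in evs[i:] if (e["ts"] - first["ts"]).total_seconds() <= window_s]
            if len({e["dport"] for e in window}) >= min_ports:
                flagged.add(src)
                break
    return flagged


def triage(lines):
    """Return {source IP: label}; 'unclassified' sources deserve analyst attention."""
    events = [parse_line(line) for line in lines]
    sweeps = sweep_sources(events)
    labels = {}
    for e in events:
        label = label_by_range(e["src"])
        if label is None:
            label = "scanner-like" if e["src"] in sweeps else "unclassified"
        labels[str(e["src"])] = label
    return labels


# Constructed log lines: vendor health checks, a listed scanner, an unlisted
# port sweep, and a source that only hammers Telnet.
SAMPLE_LOG = """2020-04-02T10:00:01Z src=192.0.2.10 dport=443 proto=tcp
2020-04-02T10:00:31Z src=192.0.2.10 dport=443 proto=tcp
2020-04-02T10:01:00Z src=198.51.100.7 dport=502 proto=tcp
2020-04-02T10:01:02Z src=198.51.100.7 dport=80 proto=tcp
2020-04-02T10:01:05Z src=203.0.113.77 dport=21 proto=tcp
2020-04-02T10:01:06Z src=203.0.113.77 dport=22 proto=tcp
2020-04-02T10:01:07Z src=203.0.113.77 dport=23 proto=tcp
2020-04-02T10:01:08Z src=203.0.113.77 dport=80 proto=tcp
2020-04-02T10:01:09Z src=203.0.113.77 dport=502 proto=tcp
2020-04-02T10:02:00Z src=203.0.113.5 dport=23 proto=tcp
2020-04-02T10:02:01Z src=203.0.113.5 dport=23 proto=tcp
2020-04-02T10:02:02Z src=203.0.113.5 dport=23 proto=tcp
""".splitlines()


def run_sample():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for src, label in run_sample().items():
        print(f"{src:16} {label}")
```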
Production honeypots: Our analysis of existing IoT, IIoT and CPS honeypot and honeynet research shows that most studies concern research honeypots. Although research honeypots are essential for understanding attacker behaviour and new attack techniques, they are not actually used in IoT, IIoT or CPS production environments to strengthen security. Production networks therefore need more production honeypots that genuinely contribute to the security of IoT, IIoT and CPS networks. Integrating honeypots/honeynets with IDSs is a key direction for future work. Researchers can use open-source IDSs such as Snort, Zeek and Suricata, malware analysis platforms such as Cuckoo, and next-generation networking technologies such as SDN to build innovative deception solutions for IoT, IIoT and CPS applications.
10. Conclusion
This paper comprehensively and systematically surveyed research on IoT, IIoT and CPS honeypots and honeynets and proposed a multi-dimensional taxonomy covering purpose, role, interaction level, scalability, resource level, source-code availability and the IoT, IIoT or CPS application emulated. It analysed the known honeypots and honeynets extensively, extracted the common characteristics of state-of-the-art IoT, IIoT and CPS honeypots and honeynets, and listed and discussed their key design elements. It also summarised the open research problems that honeypot and honeynet work should address. In future work, we plan to build on this survey to propose novel IoT and CPS honeypot/honeynet systems.
Acknowledgments
This work was supported by the US National Science Foundation under grants NSF-CAREER-CNS-1453647 and NSF-1663051. The views expressed are those of the authors alone and do not represent the funding agency.
References
E. Sisinni, A. Saifullah, S. Han, U. Jennehag, and M. Gidlund, “Industrial internet of things: Challenges, opportunities, and directions,” IEEE Trans. on Ind. Inf., vol. 14, no. 11, pp. 4724–4734, 2018.
B. Bordel, R. Alcarria, T. Robles, and D. Martín, “Cyber–physical systems: Extending pervasive sensing from control theory to the internet of things,” Pervasive Mobile Comput., vol. 40, pp. 156–184, 2017.
A. Humayed, J. Lin, F. Li, and B. Luo, “Cyber-physical systems security—a survey,” IEEE Internet of Things J., vol. 4, no. 6, pp. 1802–1831, Dec 2017.
C. Greer, M. Burns, D. Wollman, and E. Griffor, “Cyber-physical systems and internet of things,” NIST, Tech. Rep., March 2019. [Online]. Available: https://doi.org/10.6028/NIST.SP.1900-202
I. Makhdoom, M. Abolhasan, J. Lipman, R. P. Liu, and W. Ni, “Anatomy of threats to the internet of things,” IEEE Communications Surveys Tutorials, vol. 21, no. 2, pp. 1636–1675, 2019.
F. Meneghello, M. Calore, D. Zucchetto, M. Polese, and A. Zanella, “Iot: Internet of threats? a survey of practical security vulnerabilities in real iot devices,” IEEE Internet of Things J., vol. 6, no. 5, pp. 8182–8201, Oct 2019.
N. Neshenko, E. Bou-Harb, J. Crichigno, G. Kaddoum, and N. Ghani, “Demystifying iot security: An exhaustive survey on iot vulnerabilities and a first empirical look on internet-scale iot exploitations,” IEEE Communications Surveys Tutorials, vol. 21, no. 3, pp. 2702–2733, 2019.
C. Scott, “Designing and Implementing a Honeypot for a SCADA Network,” June 2014, White Paper. [Online]. Available: https://www.sans.org/reading-room/whitepapers/detection/designing-implementing-honeypot-scada-network-35252
P. Simões, T. Cruz, J. Gomes, and E. Monteiro, “On the use of honeypots for detecting cyber attacks on industrial control networks,” in Proc. 12th Eur. Conf. on Inf. Warfare and Secur. (ECIW 2013), 2013, pp. 263–270.
Z. Yu, Z. Kaplan, Q. Yan, and N. Zhang, “Security and privacy in the emerging cyber-physical world: A survey,” IEEE Communications Surveys Tutorials, pp. 1–1, 2021.
J. Lopez, L. Babun, H. Aksu, and S. Uluagac, “A survey on function and system call hooking approaches,” Journal of Hardware and Systems Security, vol. 1, 06 2017.
W. Fan, Z. Du, D. Fernandez, and V. A. Villagrá, “Enabling an anatomic view to investigate honeypot systems: A survey,” IEEE Syst. J., vol. 12, no. 4, pp. 3906–3919, Dec 2018.
L. Spitzner, “The value of honeypots, part one: definitions and values of honeypots,” http://www.symantec.com/connect/articles/value-honeypots-part-one-definitions-and-values-honeypots/, Oct 2001, [Online; accessed 14-Apr-2020].
P. Kumar and R. Verma, “A review on recent advances & future trends of security in honeypot,” Int. J. of Adv. Res. Computer Science, vol. 8, no. 3, pp. 1108–1113, Mar-Apr 2017.
I. Butun, P. Österberg, and H. Song, “Security of the internet of things: Vulnerabilities, attacks, and countermeasures,” IEEE Communications Surveys Tutorials, vol. 22, no. 1, pp. 616–644, 2020.
E. Lee, Y.-D. Seo, S.-R. Oh, and Y.-G. Kim, “A survey on standards for interoperability and security in the internet of things,” IEEE Communications Surveys Tutorials, vol. 23, no. 2, pp. 1020–1047, 2021.
J. Granjal, E. Monteiro, and J. Sa Silva, “Security for the internet of things: A survey of existing protocols and open research issues,” IEEE Communications Surveys Tutorials, vol. 17, no. 3, pp. 1294–1312, 2015.
A. K. Sikder, G. Petracca, H. Aksu, T. Jaeger, and A. S. Uluagac, “A survey on sensor-based threats and attacks to smart devices and applications,” IEEE Communications Surveys Tutorials, vol. 23, no. 2, pp. 1125–1159, 2021.
M. A. Al-Garadi, A. Mohamed, A. K. Al-Ali, X. Du, I. Ali, and M. Guizani, “A survey of machine and deep learning methods for internet of things (iot) security,” IEEE Communications Surveys Tutorials, vol. 22, no. 3, pp. 1646–1685, 2020.
M. H. Cintuglu, O. A. Mohammed, K. Akkaya, and A. S. Uluagac, “A survey on smart grid cyber-physical system testbeds,” IEEE Communications Surveys Tutorials, vol. 19, no. 1, pp. 446–464, 2017.
L. Babun, H. Aksu, L. Ryan, K. Akkaya, E. Bentley, and A. S. Uluagac, “Z-iot: Passive device-class fingerprinting of zigbee and z-wave iot devices,” in 2020 IEEE Int. Conf. Commun. (ICC). IEEE, 2020, pp. 1–7.
W. Fan, Z. Du, and D. Fernandez, “Taxonomy of honeynet solutions,” in 2015 SAI Intelligent Systems Conference (IntelliSys), Nov 2015, pp. 1002–1009.
A. Mairh, D. Barik, K. Verma, and D. Jena, “Honeypot in network security: A survey,” in Proceedings of the 2011 International Conference on Communication, Computing & Security, ser. ICCCS ’11. New York, NY, USA: Association for Computing Machinery, 2011, p. 600–605.
R. M. Campbell, K. Padayachee, and T. Masombuka, “A survey of honeypot research: Trends and opportunities,” in 2015 10th International Conference for Internet Technology and Secured Transactions (ICITST), 2015, pp. 208–212.
L. Zobal, D. Kolář, and R. Fujdiak, “Current state of honeypots and deception strategies in cybersecurity,” in 2019 11th International Congress on Ultra Modern Telecommunications and Control Systems and Workshops (ICUMT), 2019, pp. 1–9.
P. Sokol and M. Andrejko, “Deploying honeypots and honeynets: Issues of liability,” in Computer Networks. Cham: Springer International Publishing, 2015, pp. 92–101.
P. Sokol, M. Husak, and F. Liptak, “Deploying honeypots and honeynets: Issue of privacy,” in 2015 10th International Conference on Availability, Reliability and Security, 2015, pp. 397–403.
M. F. Razali, M. N. Razali, F. Z. Mansor, G. Muruti, and N. Jamil, “Iot honeypot: A review from researcher’s perspective,” in 2018 IEEE Conference on Application, Information and Network Security (AINS), Nov 2018, pp. 93–98.
C. Dalamagkas, P. Sarigiannidis, D. Ioannidis, E. Iturbe, O. Nikolis, F. Ramos, E. Rios, A. Sarigiannidis, and D. Tzovaras, “A survey on honeypots, honeynets and their applications on smart grid,” in 2019 IEEE Conference on Network Softwarization (NetSoft), June 2019, pp. 93–100.
S. Dowling, M. Schukat, and H. Melvin, “Data-centric framework for adaptive smart city honeynets,” in 2017 Smart City Symposium Prague (SCSP), 2017, pp. 1–7.
W. Fan, D. Fernandez, and V. A. Villagrá, “Technology independent honeynet description language,” in 2015 3rd International Conference on Model-Driven Engineering and Software Development (MODELSWARD), Feb 2015, pp. 303–311.
A. Acien, A. Nieto, G. Fernandez, and J. Lopez, “A comprehensive methodology for deploying iot honeypots,” in TrustBus 2018, vol. 11033, Sept 2018, pp. 229–243.
O. Surnin, F. Hussain, R. Hussain, S. Ostrovskaya, A. Polovinkin, J. Lee, and X. Fernando, “Probabilistic estimation of honeypot detection in internet of things environment,” in 2019 International Conference on Computing, Networking and Communications (ICNC), Feb 2019, pp. 191–196.
O. Surnin, “honeypot,” https://gitlab.com/legik/honeypot, [Online; accessed 1-Apr-2020].
M.-R. Zamiri-Gourabi, A. R. Qalaei, and B. A. Azad, “Gas what? i can see your gaspots. studying the fingerprintability of ics honeypots in the wild,” in Proceedings of the Fifth Annual Industrial Control System Security (ICSS) Workshop. ACM, 2019, p. 30–37.
Honeynet Project, “Know your enemy: Honeynets,” http://www.symantec.com/connect/articles/know-your-enemy-honeynets, April 2001, [Online; accessed 2-Apr-2020].
A. Guerra Manzanares, “Honeyio4: The construction of a virtual, low-interaction iot honeypot,” Ph.D. dissertation, Universitat Politècnica de Catalunya, 2017. [Online]. Available: https://pdfs.semanticscholar.org/3124/456d251e3657746de4c34472224f5b2d8efe.pdf
G. Evron, “Mirai open-source iot honeypot: New cymmetria research release,” https://cymmetria.com/blog/mirai-open-source-iot-honeypot-new-cymmetria-research-release/, Nov. 2016, [Online; accessed 16-Apr-2020].
R. Piggin and I. Buffey, “Active defence using an operational technology honeypot,” in 11th International Conference on System Safety and Cyber-Security (SSCS 2016), 2016, pp. 1–6.
S. Hilt, F. Maggi, C. Perine, L. Remorin, M. Rösler, and R. Vosseler, “Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats,” 2020, White Paper. [Online]. Available: https://documents.trendmicro.com/assets/white_papers/wp-caught-in-the-act-running-a-realistic-factory-honeypot-to-capture-real-threats.pdf
S. Litchfield, D. Formby, J. Rogers, S. Meliopoulos, and R. Beyah, “Rethinking the honeypot for cyber-physical systems,” IEEE Internet Computing, vol. 20, no. 5, pp. 9–17, Sep. 2016.
A. D. Oza, G. N. Kumar, and M. Khorajiya, “Survey of snaring cyber attacks on iot devices with honeypots and honeynets,” in 2018 3rd International Conference for Convergence in Technology (I2CT), April 2018, pp. 1–6.
D. Antonioli and N. O. Tippenhauer, “Minicps: A toolkit for security research on cps networks,” in Proc. First ACM Workshop on Cyber-Physical Systems-Secur. and/or Privacy, 2015, p. 91–100.
M. Zec, “Implementing a clonable network stack in the freebsd kernel,” in Proceedings of the FREENIX Track: USENIX Annual Technical Conference, June 9-14, San Antonio, Texas, USA, 2003, pp. 137–150.
“GridLab-D Simulation Software,” https://www.gridlabd.org/, 2020, [Online; accessed 7-April-2020].
P. Gunathilaka, D. Mashima, and B. Chen, “Softgrid: A software-based smart grid testbed for evaluating substation cybersecurity solutions,” in Proc. 2nd ACM Workshop on Cyber-Physical Syst. Secur. and Privacy, 2016, p. 113–124.
Powerworld, “PowerWorld Simulator,” https://www.powerworld.com/, 2020, [Online; accessed 15-May-2020].
B. Lantz, B. Heller, and N. McKeown, “A network in a laptop: Rapid prototyping for software-defined networks,” in Proceedings of the 9th ACM SIGCOMM Workshop on Hot Topics in Networks, 2010.
A. Pauna, “Improved self adaptive honeypots capable of detecting rootkit malware,” in 2012 9th International Conference on Communications (COMM), June 2012, pp. 281–284.
N. Provos, “Honeyd,” https://github.com/DataSoft/Honeyd, 2007, [Online; accessed 2-Apr-2020].
DinoTools, “Dionaea,” https://github.com/DinoTools/dionaea, [Online; accessed 2-Apr-2020].
Kippo, “Kippo- ssh honeypot,” https://github.com/desaster/kippo, 2016, [Online; accessed 2-Apr-2020].
Cowrie, “Cowrie ssh and telnet honeypot,” https://www.cowrie.org/, 2019, [Online; accessed 2-Apr-2020].
foospidy, “Honeypy,” https://github.com/foospidy/HoneyPy, 2013, [Online; accessed 30-Apr-2020].
G. Wagener, “Self-adaptive honeypots coercing and assessing attacker behaviour,” Ph.D. dissertation, Institut National Polytechnique de Lorraine – INPL, 2011. [Online]. Available: https://tel.archives-ouvertes.fr/tel-00627981/file/thesis_gerard_wagener_after_defense.pdf
A. Pauna and I. Bica, “Rassh – reinforced adaptive ssh honeypot,” in 2014 10th International Conference on Communications (COMM), May 2014, pp. 1–6.
A. Pauna, A. Iacob, and I. Bica, “Qrassh – a self-adaptive ssh honeypot driven by q-learning,” in 2018 International Conference on Communications (COMM), June 2018, pp. 441–446.
L. Stafira, “Examining effectiveness of web-based internet of things honeypots,” Ph.D. dissertation, Air Force Institute of Technology, 2019. [Online]. Available: https://scholar.afit.edu/etd/2284
Dionaea, “Service,” https://dionaea.readthedocs.io/en/latest/introduction.html, 2015, [Online; accessed 2-Apr-2020].
L. Metongnon and R. Sadre, “Beyond telnet: Prevalence of iot protocols in telescope and honeypot measurements,” in 2018 WTMC, Aug. 2018, pp. 21–26.
B. Kaur and P. K. Pateriya, “A survey on security concerns in internet of things,” in 2018 Second International Conference on Intelligent Computing and Control Systems (ICICCS), June 2018, pp. 27–34.
S. Dowling, M. Schukat, and H. Melvin, “A zigbee honeypot to assess iot cyberattack behaviour,” in 2017 28th Irish Signals and Systems Conference (ISSC), June 2017, pp. 1–6.
G. Wagener, “Adaptive honeypot alternative (aha),” http://git.quuxlabs.com/, 2018, [Online; accessed 23-Apr-2020].
A. Pauna, I. Bica, F. Pop, and A. Castiglione, “On the rewards of self-adaptive iot honeypots,” Annals of Telecommunications, vol. 74, pp. 501–515, Jul 2019.
A. Pauna, “Irassh,” https://github.com/adpauna/irassh/, 2018, [Online; accessed 23-Apr-2020].
R. Shrivastava, B. Bashi, and C. Hota, “Attack detection and forensics using honeypot in iot environment,” in International Conference on Distributed Computing and Internet Technology, Bhubaneswar, India, Jan 2019, pp. 402–409.
B. Lingenfelter, I. Vakilinia, and S. Sengupta, “Analyzing variation among iot botnets using medium interaction honeypots,” in 2020 10th Annual Computing and Communication Workshop and Conference (CCWC), 2020, pp. 0761–0767.
A. Pauna, “Qrassh,” https://github.com/adpauna/qrassh/, 2018, [Online; accessed 16-Apr-2020].
D. Chen, M. Egeley, M. Woo, and D. Brumley, “Towards automated dynamic analysis for linux-based embedded firmware,” in 2016 NDSS. Internet Society, Feb. 2016, pp. 21–24.
M. Wang, J. Santillan, and F. Kuipers, “Thingpot: an interactive internet-of-things honeypot,” Computing Research Repository, vol. abs/1807.04114, Jul 2018. [Online]. Available: http://arxiv.org/abs/1807.04114
R. Vishwakarma and A. K. Jain, “A honeypot with machine learning based detection framework for defending iot based botnet ddos attacks,” in 2019 3rd International Conference on Trends in Electronics and Informatics (ICOEI), April 2019, pp. 1019–1024.
T. Luo, Z. Xu, X. Jin, Y. Jia, and X. Ouyang, “Iotcandyjar: Towards an intelligent-interaction honeypot for iot devices.” in Black Hat 2017, 2017.
Y. Zhou, “Chameleon: Towards adaptive honeypot for internet of things,” in Proceedings of the ACM Turing Celebration Conference – China, May 2019.
A. Vetterl and R. Clayton, “Honware: A virtual honeypot framework for capturing cpe and iot zero days,” in 2019 APWG Symposium on Electronic Crime Research (eCrime), 2019, pp. 1–13.
D. Chen, M. Egeley, M. Woo, and D. Brumley, “Firmadyne,” https://github.com/firmadyne/firmadyne, 2016, [Online; accessed 30-Apr-2020].
M. Wang, “Thingpot,” https://github.com/Mengmengada/ThingPot, 2017, [Online; accessed 14-May-2020].
I. Tor Project, “Tor project,” https://www.torproject.org/, [Online; accessed 26-Jul-2020].
Shodan, “Honeyscore,” https://honeyscore.shodan.io/, [Online; accessed 26-Jul-2020].
Y. M. P. Pa, S. Suzuki, K. Yoshioka, T. Matsumoto, T. Kasama, and C. Rossow, “Iotpot – analysing the rise of iot compromises,” https://ipsr.ynu.ac.jp/iot/, June 2016, [Online; accessed 2-Apr-2020].
Cymmetria, “Mtpot,” https://github.com/Cymmetria/MTPot, [Online; accessed 1-Apr-2020].
H. Semic and S. Mrdovic, “Iot honeypot: A multicomponent solution for handling manual and mirai-based attacks,” in 2017 Telecommunication Forum (TELFOR), 2017, pp. 1–4.
Phype, “Telnet iot honeypot,” https://github.com/Phype/telnet-iot-honeypot, 2019, [Online; accessed 2-Apr-2020].
P. Krishnaprasad, “Capturing attacks on iot devices with a multi-purpose iot honeypot,” Ph.D. dissertation, Indian Institute of Technology Kanpur, 2017. [Online]. Available: https://security.cse.iitk.ac.in/sites/default/files/15111021.pdf
A. Oza, G. Kumar, M. Khorajiya, and V. Tiwari, Snaring Cyber Attacks on IoT Devices with Honeynet. Springer Nature Singapore Pte Ltd., 2019.
M. Anirudh, S. A. Thileeban, and D. J. Nallathambi, “Use of honeypots for mitigating dos attacks targeted on iot networks,” in 2017 International Conference on Computer, Communication and Signal Processing (ICCCSP), Jan 2017, pp. 1–4.
A. Tambe, Y. Aung, R. Sridaran, M. O. an A. K. Jain, N. Tippenhauer, A. Shabtai, and Y. Elovici, “Detection of threats to iot devices using scalable vpn-forwarded honeypots,” in Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy (CODASPY), Mar 2019, pp. 85–96.
A. Molina Zarca, J. B. Bernabe, A. Skarmeta, and J. M. A. Calero, “Virtual iot honeynets to mitigate cyberattacks in sdn/nfv-enabled iot networks,” IEEE Journal on Selected Areas in Communications, 2020.
F. Dang, Z. Li, Y. Liu, E. Zhai, Q. I. Chen, T. Xu, Y. Chen, and J. Yang, “Understanding fileless attacks on linux-based iot devices with honeycloud,” in 17th Annual International Conference on Mobile Systems, Applications, and Services, Nov 2019, pp. 482–493.
M. A. Hakim, “u-pot,” https://github.com/azizulhakim/u-pot/, [Online; accessed 1-Apr-2020].
U. Gandhi, P. Kumar, S. Kadu, R. Varatharajan, G. Manogaran, and R. Sundarasekar, “Hiotpot: Surveillance on iot devices against recent threats,” Wireless Personal Communications, vol. 103, no. 2, pp. 1179–1194, 2018.
V. Martin, Q. Cao, and T. Benson, “Fending off iot-hunting attacks at home networks,” in Proceedings of the 2nd Workshop on Cloud-Assisted Networking. ACM, Dec. 2017, pp. 67–72.
J. Guarnizo, A. Tambe, S. Bhunia, M. Ochoa, N. Tippenhauer, A. Shabtail, and Y. Elovici, “Siphon: Towards scalable high-interaction physical honeypots,” in 2017 Cyber Physical Systems Security Workshops (CPSS), April 2017, pp. 57–68.
W. Zhang, B. Zhang, Y. Zhou, H. He, and Z. Ding, “An iot honeynet based on multi-port honeypots for capturing iot attacks,” IEEE Internet of Things Journal, pp. 1–1, 2019.
Y. M. P. Pa, S. Suzuki, K. Yoshioka, T. Matsumoto, T. Kasama, and C. Rossow, “Iotpot: Analysing the rise of iot compromises,” in 9th USENIX Workshop on Offensive Technologies (WOOT 15), Washington, D.C., Aug 2015.
T. M. Labs, “Welcome to the twisted documentation,” https://twistedmatrix.com/documents/current/, Sept. 2014, [Online; accessed 9-Apr-2020].
Elastic, “Getting started with logstash,” https://www.elastic.co/guide/en/logstash/current/getting-started-with-logstash.html, 2020, [Online; accessed 9-Apr-2020].
——, “Elasticsearch 5.2.2,” https://www.elastic.co/downloads/past-releases/elasticsearch-5-2-2/, 2017, [Online; accessed 9-Apr-2020].
——, “Kibana: Your window into the elastic stack,” https://www.elastic.co/kibana, 2020, [Online; accessed 9-Apr-2020].
N. Provos, “Honeyd frequently asked questions,” http://www.honeyd.org/faq.php, May 2007, [Online; accessed 1-Apr-2020].
Symantec, “Internet security threat report (istr) 2019,” Symantec, Tech. Rep., Feb 2019. [Online]. Available: https://www.symantec.com/security-center/threat-report
“Shodan,” https://www.shodan.io/, 2020, [Online; accessed 14-May-2020].
“Nmap,” https://nmap.org/, 2020, [Online; accessed 14-May-2020].
R. Graham, “Masscan,” https://github.com/robertdavidgraham/masscan/, 2019, [Online; accessed 14-May-2020].
V. Pothamsetty and M. Franz, “SCADA HoneyNet Project: Building Honeypots for Industrial Networks,” http://scadahoneynet.sourceforge.net/, 2004, [Online; accessed 2-May-2020].
D. Peterson, “SCADA Honeywall: Use Your Own PLC As The Target,” https://dale-peterson.com/2008/07/08/scada-honeywall-use-your-own-plc-as-the-target/, 2006, [Online; accessed 2-May-2020].
D. Bond, “Digital Bond SCADA Honeynet,” https://web.archive.org/web/20111215085656/http://www.digitalbond.com/tools/scada-honeynet/, 2011, [Online; accessed 2-May-2020].
S. M. Wade, “SCADA Honeynets: The attractiveness of honeypots as critical infrastructure security tools for the detection and analysis of advanced threats,” Master’s thesis, Iowa State University, 2011. [Online]. Available: https://lib.dr.iastate.edu/etd/12138
L. Rist, J. Vestergaard, D. Haslinger, A. De Pasquale, and J. Smith, “Conpot ICS/SCADA Honeypot,” http://conpot.org/, 2020, [Online; accessed 2-May-2020].
“Honeynet Project,” https://www.honeynet.org/, 2020, [Online; accessed 2-May-2020].
C. Zhao and S. Qin, “A research for high interactive honepot based on industrial service,” in 2017 3rd IEEE International Conference on Computer and Communications (ICCC), 2017, pp. 2935–2939.
J. Cao, W. Li, J. Li, and B. Li, “Dipot: A distributed industrial honeypot system,” in Smart Computing and Communication, M. Qiu, Ed. Cham: Springer International Publishing, 2018, pp. 300–309.
S. Lau, J. Klick, S. Arndt, and V. Roth, “Poster: Towards highly interactive honeypots for industrial control systems,” in Proc. 2016 ACM SIGSAC Conf. on Computer and Commun. Sec., ser. CCS ’16, 2016, p. 1823–1825.
E. Vasilomanolakis, S. Srinivasa, C. G. Cordero, and M. Mühlhäuser, “Multi-stage attack detection and signature generation with ics honeypots,” in IEEE/IFIP Network Operations and Management Symposium, 2016, pp. 1227–1232.
F. Xiao, E. Chen, and Q. Xu, “S7commtrace: A high interactive honeypot for industrial control system based on s7 protocol,” in Information and Communications Security. Cham: Springer International Publishing, 2018, pp. 412–423.
M. Winn, M. Rice, S. Dunlap, J. Lopez, and B. Mullins, “Constructing cost-effective and targetable industrial control system honeypots for production networks,” International J. of Critical Infrastructure Protection, vol. 10, pp. 47–58, 2015.
J. K. Gallenstein, “Integration of the Network and Application Layers of Automatically-Configured Programmable Logic Controller Honeypots,” Master’s thesis, Air Force Institute of Technology Air University, March 2017. [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/1054643.pdf
S. Abe, Y. Tanaka, Y. Uchida, and S. Horata, “Developing deception network system with traceback honeypot in ics network,” SICE Journal of Control, Measurement, and System Integration, vol. 11, no. 4, pp. 372–379, 2018.
A. Jicha, M. Patton, and H. Chen, “Scada honeypots: An in-depth analysis of conpot,” in 2016 IEEE Conference on Intelligence and Security Informatics (ISI), Sep. 2016, pp. 196–198.
K.-C. Lu, I.-H. Liu, J.-W. Liao, S.-C. Wu, Z.-C. Liu, J.-S. Li, and C.-F. Li, “Evaluation and build to honeypot system about scada security for large-scale iot devices,” Journal of Robotics, Networking and Artificial Life, vol. 6, pp. 157–161, 2019.
P. Ferretti, M. Pogliani, and S. Zanero, “Characterizing background noise in ics traffic through a set of low interaction honeypots,” in Proceedings of the ACM Workshop on Cyber-Physical Systems Security & Privacy, 2019, p. 51–61.
H. Naruoka, M. Matsuta, W. Machii, T. Aoyama, M. Koike, I. Koshijima, and Y. Hashimoto, “Ics honeypot system (camouflagenet) based on attacker’s human factors,” Procedia Manufacturing, vol. 3, pp. 1074–1081, 2015, 6th Int. Conf. Applied Human Factors and Ergonomics.
E. Vasilomanolakis, S. Karuppayah, M. Fischer, M. Muhlh ¨ auser, ¨ M. Plasoianu, L. Pandikow, and W. Pfeiffer, “This network is infected: Hostage – a low-interaction honeypot for mobile devices,” in Proceedings of the Third ACM Workshop on Security and Privacy in Smartphones & Mobile Devices, 2013, p. 43–48.
J. P. Disso, K. Jones, and S. Bailey, “A plausible solution to scada security honeypot systems,” in 8th Int. Conf. on Broadband and Wireless Comput., Comm. and Applications, 2013, pp. 443–448.
Honeynet Project, “Honeywall CDROM,” https://www.honeynet.org/projects/old/honeywall-cdrom/, 2011, [Online; accessed 15-May-2020].
P. C. Warner, “Automatic configuration of programmable logic controller emulators,” Master’s thesis, Air Force Institute of Technology Air University, March 2015. [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/a620212.pdf
C. Leita, K. Mermoud, and M. Dacier, “ScriptGen: an automated script generation tool for Honeyd,” in 21st Annual Computer Security Applications Conference (ACSAC’05), 2005, pp. 203–214.
M. Haney and M. Papa, “A framework for the design and deployment of a SCADA honeynet,” in Proceedings of the 9th Annual Cyber and Information Security Research Conference. New York, NY, USA: ACM, 2014, pp. 121–124.
S. Kuman, S. Groš, and M. Mikuc, “An experiment in using IMUNES and Conpot to emulate honeypot control networks,” in 2017 40th International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), 2017, pp. 1262–1268.
C. Ding, J. Zhai, and Y. Dai, “An improved ICS honeypot based on Snap7 and IMUNES,” in Cloud Computing and Security. Cham: Springer International Publishing, 2018, pp. 303–313.
R. C. Bodenheim, “Impact of the Shodan Computer Search Engine on Internet-facing Industrial Control System Devices,” Master’s thesis, Air Force Institute of Technology Air University, March 2014. [Online]. Available: https://apps.dtic.mil/docs/citations/ADA601219
M. Haney, “Leveraging cyber-physical system honeypots to enhance threat intelligence,” in Critical Infrastructure Protection XIII. Springer International Publishing, 2019, pp. 209–233.
D. J. Berman, “Emulating Industrial Control System Devices using Gumstix Technology,” Master’s thesis, Air Force Institute of Technology Air University, June 2012. [Online]. Available: https://scholar.afit.edu/etd/1080/
R. M. Jaromin, “Emulation of Industrial Control Field Device Protocols,” Master’s thesis, Air Force Institute of Technology Air University, March 2013. [Online]. Available: https://apps.dtic.mil/dtic/tr/fulltext/u2/a582482.pdf
T. Holczer, M. Felegyhazi, and L. Buttyan, “The design and implementation of a PLC honeypot for detecting cyber attacks against industrial control systems,” in Proc. Int. Conf. on Computer Security in a Nuclear World: Expert Discussion and Exchange. IAEA, 2015.
A. V. Serbanescu, S. Obermeier, and D.-Y. Yu, “ICS threat analysis using a large-scale honeynet,” in Proceedings of the 3rd Int. Symposium for ICS & SCADA Cyber Security Research. Swindon, GBR: BCS Learning & Development Ltd., 2015, pp. 20–30.
P. Simões, T. Cruz, J. Proença, and E. Monteiro, Specialized Honeypots for SCADA Systems. Springer International Publishing, 2015, pp. 251–269.
S. Ahn, T. Lee, and K. Kim, “A study on improving security of ICS through honeypot and ARP spoofing,” in Int. Conference on Information and Communication Technology Convergence, Oct 2019, pp. 964–967.
A. Belqruch and A. Maach, “SCADA security using SSH honeypot,” in 2019 Proceedings of the 2nd International Conference on Networking, Information Systems & Security, Mar 2019, pp. 1–5.
A. V. Serbanescu, S. Obermeier, and D. Yu, “A flexible architecture for industrial control system honeypots,” in 12th Int. Joint Conference on e-Business and Telecommunications, vol. 04, 2015, pp. 16–26.
D. I. Buza, F. Juhász, G. Miru, M. Félegyházi, and T. Holczer, “CryPLH: Protecting smart energy systems from targeted attacks with a PLC honeypot,” in Smart Grid Security. Cham: Springer International Publishing, 2014, pp. 181–192.
K. Kołtyś and R. Gajewski, “SHaPe: A honeypot for electric power substation,” Journal of Telecommunications and Information Technology, no. 4, pp. 37–43, 2015.
O. Redwood, J. Lawrence, and M. Burmester, “A symbolic honeynet framework for SCADA system threat intelligence,” in Critical Infrastructure Protection IX. Springer International Publishing, 2015, pp. 103–118.
D. Mashima, B. Chen, P. Gunathilaka, and E. L. Tjiong, “Towards a grid-wide, high-fidelity electrical substation honeynet,” in 2017 IEEE International Conference on Smart Grid Communications (SmartGridComm), Oct 2017, pp. 89–95.
D. Pliatsios, P. Sarigiannidis, T. Liatifis, K. Rompolos, and I. Siniosoglou, “A novel and interactive industrial control system honeypot for critical smart grid infrastructure,” in 2019 IEEE 24th International Workshop on Computer Aided Modeling and Design of Communication Links and Networks (CAMAD), Sep. 2019, pp. 1–6.
D. Mashima, Y. Li, and B. Chen, “Who’s scanning our smart grid? empirical study on honeypot data,” in 2019 IEEE Global Communications Conference (GLOBECOM), Dec 2019, pp. 1–6.
M. M. Kendrick and Z. A. Rucker, “Energy Grid Threat Analysis Using Honeypots,” Master’s thesis, Naval Postgraduate School, June 2019. [Online]. Available: https://calhoun.nps.edu/handle/10945/62843
D. Hyun, “Collecting cyberattack data for industrial control systems using honeypots,” Master’s thesis, Naval Postgraduate School, March 2018. [Online]. Available: http://hdl.handle.net/10945/58316
K. Wilhoit, “Who’s Really Attacking Your ICS Equipment?” 2013, White Paper. [Online]. Available: https://www.trendmicro.com.tr/media/wp/whos-really-attacking-your-ics-equipment-whitepaper-en.pdf
D. Antonioli, A. Agrawal, and N. O. Tippenhauer, “Towards high-interaction virtual ICS honeypots-in-a-box,” in Proceedings of the 2nd ACM Workshop on Cyber-Physical Systems Security and Privacy, 2016, pp. 13–22.
A. F. Murillo, L. F. Combita, A. C. Gonzalez, S. Rueda, A. A. Cárdenas, and N. Quijano, “A virtual environment for industrial control systems: A nonlinear use-case in attack detection, identification, and response,” in Proceedings of the 4th Annual Industrial Control System Security Workshop. New York, NY, USA: ACM, 2018, pp. 25–32.
C. Petre and A. Korodi, “Honeypot inside an OPC UA wrapper for water pumping stations,” in 2019 22nd International Conference on Control Systems and Computer Science (CSCS), 2019, pp. 72–77.
G. Bernieri, M. Conti, and F. Pascucci, “MimePot: a model-based honeypot for industrial control networks,” in 2019 IEEE Int. Conference on Systems, Man and Cybernetics (SMC), Oct 2019, pp. 433–438.
K. Wilhoit, “The SCADA That Didn’t Cry Wolf: Who’s Really Attacking Your ICS Equipment? (Part 2),” 2013, White Paper. [Online]. Available: https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-scada-that-didnt-cry-wolf.pdf
“OPC Unified Architecture,” https://opcfoundation.org/about/opc-technologies/opc-ua/, 2020, [Online; accessed 2-May-2020].
K. Wilhoit and S. Hilt, “The GasPot experiment : Unexamined perils in using gas-tank-monitoring systems,” in Black Hat USA, 2015.
Z. Ammar and A. AlSharif, “Deployment of IoT-based honeynet model,” in ICIT 2018: Proceedings of the 6th Int. Conference on Information Technology: IoT and Smart City, Dec 2018, pp. 134–139.
M. Du and K. Wang, “An SDN-enabled pseudo-honeypot strategy for distributed denial of service attacks in industrial internet of things,” IEEE Transactions on Industrial Informatics, vol. 16, no. 1, pp. 648–657, Jan 2020.
B. Green, A. Lee, R. Antrobus, U. Roedig, D. Hutchison, and A. Rashid, “Pains, gains and PLCs: Ten lessons from building an industrial control systems testbed for security research,” in 10th USENIX Workshop on Cyber Security Experimentation and Test, Vancouver, BC, Aug. 2017.
T. Alves, R. Das, and T. Morris, “Virtualization of industrial control system testbeds for cybersecurity,” in Proceedings of the 2nd Annual Industrial Control System Security Workshop. New York, NY, USA: ACM, 2016, p. 10–14.
S. Almulla, E. Bou-Harb, and C. Fachkha, “Cyber security threats targeting CPS systems: A novel approach using honeypot,” in SECURWARE 2018: The Twelfth International Conference on Emerging Security Information, Systems and Technologies, Dec 2018, pp. 85–91.
A. I. Newaz, A. K. Sikder, M. A. Rahman, and A. S. Uluagac, “A survey on security and privacy issues in modern healthcare systems: Attacks and defenses,” 2020.
A. I. Newaz, A. K. Sikder, L. Babun, and A. S. Uluagac, “HEKA: A novel intrusion detection system for attacks to personal medical devices,” in 2020 IEEE Conference on Communications and Network Security (CNS), 2020, pp. 1–9.
A. I. Newaz, A. K. Sikder, M. A. Rahman, and A. S. Uluagac, “HealthGuard: A machine learning-based security framework for smart healthcare systems,” in 2019 Sixth International Conference on Social Networks Analysis, Management and Security (SNAMS), 2019, pp. 389–396.
H. Oz, A. Aris, A. Levi, and A. Selcuk Uluagac, “A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions,” arXiv e-prints, arXiv:2102.06249, Feb. 2021.
F. Naseem, A. Aris, L. Babun, E. Tekiner, and S. Uluagac, “MINOS: A lightweight real-time cryptojacking detection system,” in 28th Annual Network and Distributed System Security Symposium, NDSS, February 21-24, 2021. The Internet Society, 2021.
E. Tekiner, A. Acar, A. Selcuk Uluagac, E. Kirda, and A. Aydin Selcuk, “SoK: Cryptojacking Malware,” arXiv e-prints, arXiv:2103.03851, Mar. 2021.
L. P. Rondon, L. Babun, K. Akkaya, and A. S. Uluagac, “HDMI-Walk: Attacking HDMI distribution networks via consumer electronic control protocol,” in Proceedings of the 35th Annual Computer Security Applications Conference, ser. ACSAC ’19. ACM, 2019, pp. 650–659.
L. C. Puche Rondon, L. Babun, K. Akkaya, and A. S. Uluagac, “HDMI-Watch: Smart intrusion detection system against HDMI attacks,” IEEE Transactions on Network Science and Engineering, 2020.
L. P. Rondon, L. Babun, A. Aris, K. Akkaya, and A. S. Uluagac, “PoisonIvy: (In)secure practices of enterprise IoT systems in smart buildings,” in Proceedings of the 7th ACM International Conference on Systems for Energy-Efficient Buildings, Cities, and Transportation, ser. BuildSys ’20. ACM, 2020, pp. 130–139.
L. Puche Rondon, L. Babun, A. Aris, K. Akkaya, and A. Selcuk Uluagac, “Survey on Enterprise Internet-of-Things Systems (E-IoT): A Security Perspective,” arXiv e-prints, arXiv:2102.10695, Feb. 2021.
FieldComm Group, “HART Communication Protocol,” https://fieldcommgroup.org/technologies/hart, 2020, [Online; accessed 14-May-2020].
L. Babun, K. Denney, Z. B. Celik, P. McDaniel, and A. S. Uluagac, “A survey on IoT platforms: Communication, security, and privacy perspectives,” Computer Networks, 2021.
H. Aksu, A. S. Uluagac, and E. Bentley, “Identification of wearable devices with Bluetooth,” IEEE Transactions on Sustainable Computing, 2018.
Center for Internet Security, “The SolarWinds Cyber-Attack: What You Need to Know,” https://www.cisecurity.org/solarwinds/, 2021, [Online; accessed 26-March-2021].
A. Afianian, S. Niksefat, B. Sadeghiyan, and D. Baptiste, “Malware dynamic analysis evasion techniques: A survey,” ACM Comput. Surv., vol. 52, no. 6, Nov. 2019.
The MITRE Corporation, “Common Vulnerabilities and Exposures,” https://cve.mitre.org/, 2020, [Online; accessed 17-May-2020].