基于数据包分片的工控蜜罐识别方法

游建舟; 张悦阳; 吕世超; 陈新; 尹丽波; 孙利民

引用本文：

游建舟,张悦阳,吕世超,陈新,尹丽波,孙利民.基于数据包分片的工控蜜罐识别方法[J].信息安全学报,2019,4(3):83-92 [点击复制]
YOU Jianzhou,ZHANG Yueyang,LV Shichao,CHEN Xin,YIN Libo,SUN Limin.Method of ICS Honeypot Identification Based on Packet-Sharding[J].Journal of Cyber Security,2019,4(3):83-92 [点击复制]

本文已被：浏览 6069次下载 7368次	码上扫一扫！
基于数据包分片的工控蜜罐识别方法
游建舟^1,2, 张悦阳^1,2, 吕世超^1,2, 陈新^1,2, 尹丽波³, 孙利民^1,2
0 字体:加大+\|默认\|缩小-
(1.中国科学院信息工程研究所物联网信息安全技术北京市重点实验室, 北京中国 100093;2.中国科学院大学网络空间安全学院, 北京中国 100049;3.国家工业信息安全发展中心, 北京中国 100040)

摘要:

蜜罐是一种用于安全威胁发现与攻击特征提取的主动防御技术，能够提供高价值且低误报率的攻击流量和样本。蜜罐的应用压缩了网络黑客的隐匿空间，攻击者可通过蜜罐识别技术来发现和规避蜜罐。因此，安全人员有必要从攻击者的角度深入研究蜜罐识别的方法，以便优化蜜罐系统的设计与实现。本文从蜜罐的结构出发，总结了8种蜜罐识别要素，并评估了不同识别要素的准确性和隐蔽性。结合互联网蜜罐分布特点，归纳了一种互联网中的蜜罐识别流程，并基于Conpot工控蜜罐架构的固有缺陷，提出了一种基于数据包分片的工控蜜罐识别方法。通过三次互联网扫描，共发现2432个Conpot工控蜜罐，并进一步分析了其分布特点。

关键词: 蜜罐识别数据包分片蜜罐

DOI：10.19363/J.cnki.cn10-1380/tn.2019.05.06

投稿时间：2019-02-16修订日期：2019-05-10

基金项目:本课题得到国家重点研发计划（No.2016YFB0800202），国家自然科学基金重点项目（No.U1766215），中国科学院战略性先导科技专项课题（No.XDC02020500），中国科学院信息工程研究所国际合作项目（No.Y7Z0461104）资助。

Method of ICS Honeypot Identification Based on Packet-Sharding

YOU Jianzhou^1,2, ZHANG Yueyang^1,2, LV Shichao^1,2, CHEN Xin^1,2, YIN Libo³, SUN Limin^1,2

(1.Beijing Key Laboratory of IoT Information Security Technology, Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093, China;2.School of Cyber Security, University of Chinese Academy of Sciences, Beijing 100049, China;3.National Industrial Information Security Development Research Center, Beijing 100040, China)

Abstract:

Honeypot is one kind of active defence technology for threat discovery and attack signature generation, providing highly valuable data and samples with low false alarm rate. With the development of honeypot technology, there is less and less space for attackers to disguise themselves. Attackers devote themselves to recognize honeypot and circumvent them via honeypot identification technology. Therefore, it is critical that researchers dive into the identification technology and point out the optimization direction of Honeypot. By assessing the honeypot architecture, this paper summarizes 8 identification factors for honeypot. After evaluating the identification accuracy and concealment of these factors, this paper proposes an anti-honeypot scheme on the Internet and a concrete method based on packet-sharding. The effectiveness of our proposed method is validated through case study of 3 detection experiments of Conpot (a typical honeypot for industrial control system) on the Internet. 2432 Conpot honeypots are found and their distribution is also derived.

Key words: honeypot identification packet sharding honeypot