Characterizing Internet-Scale ICS Automated Attacks Through Long-Term Honeypot Data

Industrial control system (ICS) devices with IP addresses are accessible on the Internet and become an essential part of critical infrastructures. The adoption of ICS devices also yields cyber-attacks targeted specific port based on proprietary industrial protocols. However, there is a lack of comprehensive understanding of these ICS threats in cyberspace. To this end, this paper uniquely exploits active interaction on ICS-related ports and analysis of long-term multi-port traffic in a first attempt ever to capture and comprehend ICS automated attacks based on private protocols. Specially, we first propose a minimal-interaction scheme for ICS honeypot(MirrorPot), which can listen on any port and respond automatically without understanding the protocol format. Then, we devise a pre-processing algorithm to extract requests payload and classify them from long-term honeypot-captured data. Finally, to better characterize the ICS attacks based on private industrial protocols, we propose a Markov state transition model for describing their attack complexity. Our experiments show that there are several unknown probing methods have not been observed by previous works. We concur that our work provides a solid first step towards capturing and comprehending real ICS attacks based on private protocols.