
Bug fixing, rewriting SMTP, updating thesis report

Shreyas Srinivasa 9 years ago
parent
commit
54527f5d1e

+ 1 - 19
src/de/tudarmstadt/informatik/hostage/protocol/MODBUS.java

@@ -44,10 +44,6 @@ public class MODBUS implements Protocol {
         return TALK_FIRST.CLIENT;
     }
 
-
-
-
-
     //Declarations
 
     HashMap<Integer,Integer> coil = new HashMap<Integer,Integer>();
@@ -66,20 +62,6 @@ public class MODBUS implements Protocol {
     public static final int MODBUS_SERVICE = 17; //for detection using metasploit module
     public static final int MODBUS_DISCOVER=1;
 
-    //public static final int WRITE_MULTIPLE_COILS = 15; Not sure of these commands
-    //public static final int WRITE_MULTIPLE_REGISTERS = 16; Not sure of these commands
-
-    //Packet Constants, declaring it for now, depends on usage. Static assignment is not a good idea
-
-    int FUNCTION_CODE;
-    int UNIT_NUMBER;
-    int DATA_ADDRESS;
-    int SIZE;
-
-
-
-
-
 
     public int sid=1; // Denotes the Unit Number or Slave_ID of the device
 
@@ -453,5 +435,5 @@ public class MODBUS implements Protocol {
 
 
 
-    }
+}
 

+ 32 - 0
src/de/tudarmstadt/informatik/hostage/protocol/S7COMM.java

@@ -24,6 +24,33 @@ public class S7COMM implements Protocol {
         return false;
     }
 
+
+    //S7COMM Siemens Simatic Parameter codes
+
+    public static String DIAGNOSTICS = "0x00";
+    public static String READ = "0x04";
+    public static String WRITE = "0x05";
+    public static String REQUEST_DOWNLOAD="0x1a";
+    public static String DOWNLOAD_BLOCK="0x1b";
+    public static String END_DOWNLOAD="0x1c";
+    public static String START_UPLOAD="0x1d";
+    public static String UPLOAD="0x1e";
+    public static String END_UPLOAD="0x1f";
+
+
+
+
+
+    public static final int READ_COILS = 1;
+    public static final int READ_INPUT_DISCRETES = 2;
+    public static final int READ_HOLDING_REGISTERS=3;
+    public static final int READ_INPUT_REGISTERS = 4;
+    public static final int WRITE_COIL = 5;
+    public static final int WRITE_SINGLE_REGISTER = 6;
+
+
+
+
     @Override
     public List<Packet> processMessage(Packet requestPacket) {
 
@@ -40,6 +67,11 @@ public class S7COMM implements Protocol {
             System.out.println(responsePackets);
 
 
+
+
+
+
+
         }
 
 
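Review bot: The parameter-code fields added at the top of the first hunk (`DIAGNOSTICS` through `END_UPLOAD`) are declared `public static String` without `final`, so any code in the process can reassign the protocol codes the emulation keys on at runtime, and the UPPER_SNAKE_CASE names promise constants the declarations do not deliver; each should read like `public static final String DIAGNOSTICS = "0x00";`. The second group (`READ_COILS` through `WRITE_SINGLE_REGISTER`) is named like Modbus function codes rather than S7comm parameter codes; if that is what they are, they presumably belong in MODBUS.java, otherwise a one-line comment such as `// Modbus function codes accepted by the S7 emulation` should say why S7COMM carries them. Representing single-byte codes as hex strings also means every comparison needs a parse or string match; a `byte`/`int` constant would be the more usual form, but I cannot see the consumers from this hunk. `processMessage` begins at the end of the first hunk and its body continues outside it.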

+ 0 - 2
src/de/tudarmstadt/informatik/hostage/protocol/cifs/FileInject.java

@@ -37,7 +37,6 @@ public class FileInject {
     private int internalIPAddress;
 
     private boolean logged;
-    public boolean fileInjected = false;
 
 
     public Listener getListener() {
@@ -84,7 +83,6 @@ public class FileInject {
 
     public MessageRecord createMessageRecord(MessageRecord.TYPE type, String packet) {
         MessageRecord record = new MessageRecord(true);
-        //record.setId(message_id++); // autoincrement
         record.setAttack_id(attack_id);
         record.setType(type);
         record.setTimestamp(System.currentTimeMillis());

+ 3 - 15
src/de/tudarmstadt/informatik/hostage/protocol/cifs/PseudoJavaFileDiskDriver.java

@@ -22,6 +22,7 @@ import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.Set;
 
+import de.tudarmstadt.informatik.hostage.commons.Constants;
 import de.tudarmstadt.informatik.hostage.commons.HelperUtils;
 import de.tudarmstadt.informatik.hostage.logging.MessageRecord;
 import de.tudarmstadt.informatik.hostage.protocol.SMB;
@@ -58,7 +59,6 @@ public class PseudoJavaFileDiskDriver extends JavaFileDiskDriver {
             this.fileInject = fileInject;
         }
 
-        Context context = null;
 
         /**
          * method that checks if the file was just written, then gets the MD5 checksum of the
@@ -84,7 +84,7 @@ public class PseudoJavaFileDiskDriver extends JavaFileDiskDriver {
 
                     StringBuilder sb = new StringBuilder();
 
-                    VirusTotal VT = new VirusTotal("111c226204f5de7228563bbca91c5860e4965fbe936307dffa8f2f2d575ff292"); // Your Virus Total API Key
+                    VirusTotal VT = new VirusTotal("111c226204f5de7228563bbca91c5860e4965fbe936307dffa8f2f2d575ff292"); // Virus Total API Key
 
                     Set<ReportScan> Report = VT.ReportScan(checksum); //The SHA256 file
 
@@ -107,18 +107,11 @@ public class PseudoJavaFileDiskDriver extends JavaFileDiskDriver {
                     HelperUtils.setFilePath(m_file.getPath());
                     HelperUtils.setFileSHA256(checksum);
 
-
-                   // System.out.print(m_file.getName());
-                   // displayAlert();
-
-                   // SMB.log(MessageRecord.TYPE.RECEIVE, message, 445, sess.getRemoteAddress(), 445);
-
-
                 } catch (NoSuchAlgorithmException e) {
                     e.printStackTrace();
                 }
 
-                //m_file.delete();      // Retaining the file for further analysis
+
                 wasWrittenTo = true;    // Saving file in phones memory
             }
         }
@@ -188,9 +181,4 @@ public class PseudoJavaFileDiskDriver extends JavaFileDiskDriver {
 
     }
 
-
-
-
-
-
 }
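Review bot: The VirusTotal API key on the changed line of the third hunk is still a literal in source; the commit only rewords the trailing comment, so the credential remains both in the file and in version history. It should be read from configuration or a build-time constant rather than embedded in the class — the `Constants` import added in the first hunk, which appears unused in the visible hunks, looks like the intended home — e.g. `VirusTotal VT = new VirusTotal(<API key loaded from config>);`. Because the key has already been committed, it should be treated as exposed and replaced at the provider regardless of where it is stored next. The enclosing method begins and ends outside this hunk.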

+ 0 - 6
src/de/tudarmstadt/informatik/hostage/ui/fragment/HomeFragment.java

@@ -464,12 +464,6 @@ public class HomeFragment extends Fragment {
 	}
 
 
-
-
-
-
-
-
 }
 
 

+ 25 - 18
thesis_report/Thesis_Report.tex

@@ -300,45 +300,52 @@ The Siemens S7 200 is a micro-programmable logic controller which can control a
 
 Siemens S7 200 PLCs boasts of a compact design, powerful performance, optimum modularity and open communications. This Micro PLC has been in successful use in millions of applications around the world – in both stand-alone and net-worked solutions. 
 
-This PLC uses communication protocols such as PROFINET, an advanced version of MODBUS communication protocol. This protocol is also based on Ethernet. It also supports TELNET, HTTP, FTP, SNMP, MODBUS and S7 Comm protocols. Though this PLC is designed to be used to control critical systems, security was not a part of its design. The above mentioned protocols were not customized to facilitate secure communication. The standards were defined to create an interconnected environment between industrial automation devices and common networking protocols.Security was either ignored or rather was thought to be expensive on these devices. This makes it an easier target for attackers. 
+This PLC uses communication protocols such as PROFINET, an advanced version of MODBUS communication protocol. This protocol is also based on Ethernet. It also supports TELNET, HTTP, FTP, SNMP, SMTP, MODBUS and S7 Comm protocols. Though this PLC is designed to be used to control critical systems, security was not a part of its design. The above mentioned protocols were not customized to facilitate secure communication. The standards were defined to create an interconnected environment between industrial automation devices and common networking protocols.Security was either ignored or rather was thought to be expensive on these devices. This makes it an easier target for attackers. 
 
 
+The Simatic S7 PLC is also subjected to various vulnerabilities and attacks including the STUXNET as discussed earlier. We simulate the Siemens SIMATIC S7 200 PLC as our target system to attract attackers.  
+      
+ \subsection{Protocols}
+
 
+The Siemens SIMATIC S7 supports (MODBUS TCP), HTTP, TELNET, FTP, SNMP, SMTP, MODBUS and S7Comm protocols 
 
 
+ \subsection{Design of HosTaGe ICS Honeypot}  
+	
+     \subsection{Perspective}
+	Make points of Adversary Perspective and Administrator Perspective
 
-The S7 200 is also widely used for various applications because of its flexibility, usablilty and comptibility. 
+	Honeypots as stated above are active entities that capture attacks targeted at them. They must be designed carefully considering the services and vulnerabilities of the targeted system. One of the design decisions which is imporatant 
 
-\begin{itemize}
+   \section{Implementation} 
 
-\item\textbf{Open Communications}
+	\subsection{SCADA PLC Profiles}
 
-\item\textbf{:}
+SCADA ICS devices can be classified into master and slave device types based on the interaction and functionality. The master system is responsible for controlling the slaves and send them appropriate commands for a task. These systems are usually control servers or host systems connected to PLCs or slaves, that receive critical information and updates from the sensors placed on devices and PLcs. The other most imporant systems are the automation PLCs. Slave devices interact with many other devices and collectively process information to perform a task assigned by the master. When a MODBUS master wants information from a device, it sends a message that contains the device address, the data it needs and the checksum for integrity. The network is typically like a hub structure. The data is broadcasted in the network and the device from which the information was requested only responds. The slave devices cannot initiate communication and only can respond to a request made from the master. MODBUS/TCP allows multiple masters to poll the same device in parallel. A unit can be either a master or a slave but not both.
 
-\item\textbf{:}
 
-\end{itemize}
+ \begin{figure}[ht]
+        \centering
+        \includegraphics[scale=0.75]{Master-Slave}
+        \caption[SCADA Architecture]{\label{f:SCADA Master and Slave}SCADA Master and Slave profile }
+        \end{figure}
 
+The above figure represents devices connected on the industrail LAN and the MODBUS master-slave communication. The master devices poll the slave devices and request information. The information is processed and sent back to the master. There is also possibility that a PLC acting as a master polls its data to the other devices like HMI and other PLC's in the network. 
 
 
+In the past there have been attacks both internal and external on SCADA systems. Popular attacks using STUXNET, were carried out internally by deloying the malware on a host computer with the help of a USB drive. However, the malware made use of the vulnerabilities of the host system to replicate and spread through the network. Detecting such kind of attacks are very imporatant and cannot be ignored. These attacks are more dangerous than the external attacks as there are various mechanisms to detect attacks from external sites. Internal attacks have proved to be more catastrophic. We also concentrate on the slave profile. This is required as the slave devices today have Ethernet communication and can communicate with the Internet. Due to some network configuration loop holes, the device may be accessed due to the internet or the device itself may be configured to be accessed through the internet by the administrator. For example, the slave devices also run HTTP servers which can display the sensor information in the form of a webpage. This device may be configured to be accessed thorugh the internet to check and monitor the sensor readings from a external system. There is no doubt about the possibilities of attack of such systems from the internet. Thus we concentrate on simulating both the master profile, to check internal attacks and also slave profile to check external attacks. 
 
-Open Communication
-      
- \subsection{Protocols}
 
+\subsubsection
 
 
- \subsection{Design of HosTaGe ICS Honeypot}  
+	\subsection{Attacks Log}
 	
-     \subsection{Perspective}
-	Make points of Adversary Perspective and Administrator Perspective
+		
+
 
-   \section{Implementation} 
 
-	\subsection{SCADA PLC Profiles}
-	\subsection{Protocol Implementation}
-	\subsection{Vulnerabilities}
-	\subsection{Attacks Log}
 	\subsection{Challenges}
 	\subsection{Detection of Multistage Attack Approach}
 	\subsection{Detecting malware}

+ 48 - 24
thesis_report/Thesis_Report.tex~

@@ -210,12 +210,27 @@ Early research on Mobile Honeypots focused only on  Bluetooth communications[5,1
 	//Write about Mobile Honeypots
 There has been existing work that focused on detection of mobile specific malware. The first to discuss the idea of a Honeypot for smartphones were Mulliner et al., by providing the initial ideas, challenges and an architecture for their proposed system\cite{mulliner2011poster}. Nomadic Honeypots\cite{Liebergeld_nomadichoneypots:} concentrates on mobile specific malware and also trades off with a lot of personal information.
 
-	//List about HosTaGe and other related work on mobile Honeypots       
+\begin{itemize}
+
+\item\textbf{HoneyDroid}(cite HoneyDroid) HoneyDroid is a smartphone Honeypot for Android operating system which claims to be the first ever Honeypot in the Mobile Honeypots category which makes use of smart phone hardware to host the Honeypot.It is built on a Linux micro-kernel and is customized to impose restrictions on the Android operating system for monitoring its activities. The architecture is comprised of a Event Monitor, to monitor active connection requests and also system calls in the kernel level; Filters to mitigate any attempts of malware trying to affect the system and a log software to log all the activities. This Honeypot is also focused on detecting attacks from apps installed in the device which try to infiltrate the kernel for gaining unauthorized access. The system also involves virtualization which enables simulation of various services. 
+This could also result in an overhead, hereby causing a signature which can be detected by attackers and malware. However, the direction of HoneyDroid was to introduce the concept of Mobile Honeypots. 
+
+
+\item\textbf{Cellpot:} (cite Cellpot) Cellpot concentrates on detection and defence of attacks in the cellular network. It comprises of a collection of Honeypots, or Honeynets that are deployed on mobile phones. Cellpot consists of applications like SMS spam prevention, mobile phone theft and malware protection. The Honeypot mainly is concentrated towards Small Cells(cite from paper), wireless infrastructure deployed in customers site and operated in licensed bands. The main use of Small cells is to support the need of coverage and capacity. These points are a good place to deploy the Honeypots to detect malware and other intrusion attacks. Denial Of Service is the most common category of attack in the area of cellular networks, and with the help of few devices,this attack can be executed successfully. Introducing a Honeypot approach for detecting such attacks at small cells is a feasible solution.The concept of Cellpot is to detect, collect intelligence and
+mitigate threats against the cellular network directly on the base stations. Further, it has the ability to
+deploy countermeasures against detected threats, and enables
+a wide area of applications. It provides a good platform
+for mobile network operators to deploy and run additional
+applications to reduce signaling.
+
+\item\textbf{Nomadic Honeypots:}
+
+\item\textbf{HosTaGe:}\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a Mobile Honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
+
+
+\end{itemize}       
       
-   HosTaGe\cite{Vasilomanolakis:2013:TNI:2516760.2516763},\cite{Vasilomanolakis:2014:HMH:2659651.2659663} is an Android App which acts as a Mobile Honeypot, determined to detect malicious networks and probe for attacks. It is user centric and aims at creating security awareness to its users. The results obtained in this process are synchronised with a global repository and also can be shared locally through bluetooth. The current version has capabilities of emulating as Windows, Unix, Apache Server, SQL and Paranoid host. Attacks through HTTP, SMB, SSH, HTTPS, Telnet and FTP can be identified. 
-       
- 
-         
+            
    \subsection{SCADA Honeypots}
 
 	Analysing the security concerns of ICS SCADA systems and the advantages of Honeypots, a solution could be implemented to combine the needs and features. SCADA Honeypots could be deployed in ICS  Networks for monitoring and analysis. They act as an additional line of defense providing warnings and notifications for attacks. Designing a SCADA Honeypot involves studying the architecture of the SCADA systems and the components, protocols involved in communication and processing of data. Further, as discussed before, SCADA networks comprise of hardware devices like PLCs and RTUs which play a very critical role in processing and communication of data. SCADA systems rely on PLCs for data processing. If PLCs are targeted by attackers to compromise their working, it could bring down the entire plant, hereby resulting in a huge catastrophe. Modern day PLCs offer TCP/IP communication which can used to control and manage the data flow between other PLCs and control servers. On investigating attacks that have occured in the past, STUXNET a malware, was found to be injected in a Nuclear Enrichment Facility in Iran. STUXNET was found to be injected into the network using a USB drive to one of the host control systems. The malware spread from that system to other systems through intranet and remained hidden from operators. STUXNET was able to interfere with the working of a PLC that controlled centrifuges and managed to compromise the conditions on which the PLC depends. It was only by the observation of an operator that the PLC was causing the centrifuges to run more fast than usual was detected. But nobody could determine what caused the centrifuges run abnormally.  
@@ -285,45 +300,54 @@ The Siemens S7 200 is a micro-programmable logic controller which can control a
 
 Siemens S7 200 PLCs boasts of a compact design, powerful performance, optimum modularity and open communications. This Micro PLC has been in successful use in millions of applications around the world – in both stand-alone and net-worked solutions. 
 
-This PLC uses communication protocols such as PROFINET, an advanced version of MODBUS communication protocol. This protocol is also based on Ethernet. It also supports TELNET, HTTP, FTP, SNMP, MODBUS and S7 Comm protocols. Though this PLC is designed to be used to control critical systems, security was not a part of its design. The above mentioned protocols were not customized to facilitate secure communication. The standards were defined to create an interconnected environment between industrial automation devices and common networking protocols.Security was either ignored or rather was thought to be expensive on these devices. This makes it an easier target for attackers. 
+This PLC uses communication protocols such as PROFINET, an advanced version of MODBUS communication protocol. This protocol is also based on Ethernet. It also supports TELNET, HTTP, FTP, SNMP, SMTP, MODBUS and S7 Comm protocols. Though this PLC is designed to be used to control critical systems, security was not a part of its design. The above mentioned protocols were not customized to facilitate secure communication. The standards were defined to create an interconnected environment between industrial automation devices and common networking protocols.Security was either ignored or rather was thought to be expensive on these devices. This makes it an easier target for attackers. 
 
 
+The Simatic S7 PLC is also subjected to various vulnerabilities and attacks including the STUXNET as discussed earlier. We simulate the Siemens SIMATIC S7 200 PLC as our target system to attract attackers.  
+      
+ \subsection{Protocols}
 
 
-The S7 200 is also widely used for variousl applications because of its flexibility, usablilty and comptibility. 
+The Siemens SIMATIC S7 supports (MODBUS TCP), HTTP, TELNET, FTP, SNMP, SMTP, MODBUS and S7Comm protocols 
 
-\begin{itemize}
 
-\item\textbf{Open Communications}
+ \subsection{Design of HosTaGe ICS Honeypot}  
+	
+     \subsection{Perspective}
+	Make points of Adversary Perspective and Administrator Perspective
 
-\item\textbf{:}
+	Honeypots as stated above are active entities that capture attacks targeted at them. They must be designed carefully considering the services and vulnerabilities of the targeted system. One of the design decisions which is imporatant 
 
-\item\textbf{:}
+   \section{Implementation} 
 
-\end{itemize}
+	\subsection{SCADA PLC Profiles}
 
+SCADA ICS devices can be classified into master and slave device types based on the interaction and functionality. The master system is responsible for controlling the slaves and send them appropriate commands for a task. These systems are usually control servers or host systems connected to PLCs or slaves, that receive critical information and updates from the sensors placed on devices and PLcs. The other most imporant systems are the automation PLCs. Slave devices interact with many other devices and collectively process information to perform a task assigned by the master. When a MODBUS master wants information from a device, it sends a message that contains the device address, the data it needs and the checksum for integrity. The network is typically like a hub structure. The data is broadcasted in the network and the device from which the information was requested only responds. The slave devices cannot initiate communication and only can respond to a request made from the master. MODBUS/TCP allows multiple masters to poll the same device in parallel. A unit can be either a master or a slave but not both.
 
 
+ \begin{figure}[ht]
+        \centering
+        \includegraphics[scale=0.75]{Master-Slave}
+        \caption[SCADA Architecture]{\label{f:SCADA Master and Slave}SCADA Master and Slave profile }
+        \end{figure}
 
-Open Communication
-      
- \subsection{Protocols}
+The above figure represents devices connected on the industrail LAN and the MODBUS master-slave communication. The master devices poll the slave devices and request information. The information is processed and sent back to the master. There is also possibility that a PLC acting as a master polls its data to the other devices like HMI and other PLC's in the network. 
 
 
+In the past there have been attacks both internal and external on SCADA systems. Popular attacks using STUXNET, were carried out internally by deloying the malware on a host computer with the help of a USB drive. However, the malware made use of the vulnerabilities of the host system to replicate and spread through the network. Detecting such kind of attacks are very imporatant and cannot be ignored. These attacks are more dangerous than the external attacks as there are various mechanisms to detect attacks from external sites. Internal attacks have proved to be more catastrophic. We also concentrate on the slave profile. This is required as the slave devices today have Ethernet communication and can communicate with the Internet. Due to some network configuration loop holes, the device may be accessed due to the internet or the device itself may be configured to be accessed through the internet by the administrator. For example, the slave devices also run HTTP servers which can display the sensor information in the form of a webpage. This device may be configured to be accessed thorugh the internet to check and monitor the sensor readings from a external system. There is no doubt about the possibilities of attack of such systems from the internet. Thus we concentrate on simulating both the master profile, to check internal attacks and also slave profile to check external attacks. 
 
- \subsection{Design of HosTaGe ICS Honeypot}  
-	
-     \subsection{Perspective}
-	Make points of Adversary Perspective and Administrator Perspective
 
-   \section{Implementation} 
+\subsubsection
+
 
-	\subsection{SCADA PLC Profiles}
-	\subsection{Protocol Implementation}
-	\subsection{Vulnerabilities}
 	\subsection{Attacks Log}
+	
+		
+
+
+
 	\subsection{Challenges}
-	\subsection{Detection of Multistage Attack approach}
+	\subsection{Detection of Multistage Attack Approach}
 	\subsection{Detecting malware}
 
  \section{Evaluation and Results}