NeuPot: A Neural Network-Based Honeypot for Detecting Cyber Threats in Industrial Control Systems

Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neura...

Full description

Saved in:
Bibliographic Details
Published in:IEEE transactions on industrial informatics 2023-10, Vol.19 (10), p.10512-10522
Main Authors: Shan, Yao, Yao, Yu, Zhao, Tong, Yang, Wei
Format: Article
Language:English
Subjects:
Control systems
Cybersecurity
Defense industry
Feature extraction
Honeypot
industrial control system
Industrial electronics
Integrated circuits
malicious traffic detection
neural network
Neural networks
Predictive models
Protocols
Security
Servers
System effectiveness
time series forecast
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Honeypots have proven to be an effective defense method for industrial control systems (ICSs). However, as attacker skills become more sophisticated, it becomes increasingly difficult to develop honeypots that can effectively recognize and respond to such attacks. In this article, we propose a neural network-based ICS honeypot scheme named NeuPot that improves security from two aspects: 1) honeypot interaction; and 2) cyber threats detection capability. NeuPot can respond to attacker requests depending on a specific industrial scenario without constant communication with the ICS and detect malicious traffic. To create this honeypot scheme, a new seq2seq time-series forecast model guided by Huber loss is designed to simulate the long-term changes in actual ICS physical processes. Second, a Modbus honeypot framework is created to react to changes in these ICS physical processes in their interactions with attackers and to capture various cyber threats against the ICS. Further, a novel loss function for industrial protocol-level malicious traffic detection is devised to identify known and unknown threats. According to our experiments, the proposed honeypot scheme is highly effective and outperforms state-of-the-art schemes in terms of interactivity and in detecting cyber threats.
ISSN:1551-3203
1941-0050
DOI:10.1109/TII.2023.3240739