Publication | Closed Access
Tracking attack sources based on traceback honeypot for ICS network
Citations: 14
References: 5
Year: 2017
Unknown Venue
Engineering, Information Security, Information Forensics, Industrial Control System, Targeted Attack, Cyber Monitoring, Denial-of-service Attack, Traceback Honeypots, Traceback Honeypot, Systems Engineering, Internet Of Things, Security Diagnostics, Intrusion Detection System, Threat Detection, Computer Engineering, Computer Science, Network Forensics, Data Security, Attack Sources, Intrusion Detection, Botnet Detection
In Industrial Control System (ICS) networks, it is generally difficult to discover security threats from logs recorded in ICS devices, such as packets originating from malware-infected devices and evidence of devices being remotely controlled by attackers. This is because ICS devices output logs not for detecting security threats but simply for recording operation history. Some researchers have suggested placing honeypots within ICS networks to observe packets from attackers in order to detect threats. In the research for this paper, the suggested method was further improved so that it responds to packets reaching the honeypots and collects information about the attack sources. Previous analysis has revealed that machines infected with some known malware (e.g. Havex RAT - a Remote Access Tool) in ICS networks conduct scan activities against certain devices, and therefore the traceback honeypots are expected to effectively identify infected devices from such scans. Information about attack sources collected from the analysis can be utilised for proactive purposes, which could be useful in detecting or blocking certain communication to prevent further infection. This paper discusses methods of tracking attack sources using traceback honeypots.