Abstract
Current SCADA honeypot technologies present attackers with static or pseudo-random data, and are unlikely to entice attackers to use high-value or zero-day attacks. This chapter presents a symbolic cyberphysical honeynet framework that addresses the problem, enhances the screening and coalescence of attack events for analysis, provides attack introspection down to the physics level of a SCADA system and enables forensic replays of attacks. The work extends honeynet methodologies with integrated physics simulation and anomaly detection utilizing a symbolic data flow model of system physics. Attacks that trigger anomalies in the physics of a system are captured and organized via a coalescing algorithm for efficient analysis. Experimental results are presented to demonstrate the effectiveness of the approach.
Cite
Redwood, O., Lawrence, J., & Burmester, M. (2015). A symbolic honeynet framework for SCADA system threat intelligence. In IFIP Advances in Information and Communication Technology (Vol. 466, pp. 103–118). Springer New York LLC. https://doi.org/10.1007/978-3-319-26567-4_7