Honeypot-based Intrusion Detection Method Using LSTM for Modbus TCP Protocol


Bibliographic Details
Main Authors: Xiao-Zhen Huang, 黃筱真
Other Authors: 廖宜恩
Format: Others
Language: en_US
Published: 2019
Online Access: http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394041%22.&searchmode=basic
Description
Summary: Master's === National Chung Hsing University === Department of Computer Science and Engineering === 107 === Industrial Control Systems (ICS) are often used in critical infrastructures such as energy, water resources, chemical, manufacturing, and transportation. With the development of information and communication technologies, ICS face more and more cyber-attack risks. An Intrusion Detection System (IDS) is a commonly used approach to improving the security of ICS, and honeypot techniques are very useful for collecting hacker behavior data in ICS. In this thesis, a honeypot-based intrusion detection method using a Long Short-Term Memory (LSTM) neural network for the Modbus TCP protocol is proposed. A honeypot is a technique used to capture malicious data by pretending to be the real system. Honeypots can be classified as either low-interaction or high-interaction. A low-interaction honeypot is easy to develop and deploy, but it is easily recognized by hackers or by ICS search engines such as Shodan. A high-interaction honeypot, on the other hand, is more difficult to recognize because it provides more complicated device features with high interaction capabilities. A physical honeypot is regarded as an implementation of a high-interaction honeypot that uses a real device to lure hackers. In this thesis, we build a Modbus TCP physical honeypot to capture malicious data. In the proposed intrusion detection model, both normal and malicious data are used in training. In the preprocessing phase, the log data are transformed from packets into session data. Because the network packets in an ICS network have a strong temporal relationship, an LSTM neural network and an ensemble method are used to improve the performance of the proposed intrusion detection method. The experimental results show that the accuracy for detecting Modbus TCP attacks is about 92%.