Honeypot-based Intrusion Detection Method Using LSTM for Modbus TCP Protocol
Master's === National Chung Hsing University === Department of Computer Science and Engineering === 107 === Industrial Control Systems (ICS) are often used in critical infrastructures such as energy, water resources, chemical, manufacturing, and transportation. With the development of information communication technologies, ICS faces more and more cyber-attack risk...
Main Authors: | , |
---|---|
Other Authors: | |
Format: | Others |
Language: | en_US |
Published: | 2019 |
Online Access: | http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394041%22.&searchmode=basic |
id |
ndltd-TW-107NCHU5394041 |
---|---|
record_format |
oai_dc |
spelling |
ndltd-TW-107NCHU5394041 2019-11-30T06:09:40Z http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394041%22.&searchmode=basic Honeypot-based Intrusion Detection Method Using LSTM for Modbus TCP Protocol 應用LSTM 建置基於Modbus TCP 協定蜜罐之入侵偵測方法 Xiao-Zhen Huang 黃筱真 Master's National Chung Hsing University Department of Computer Science and Engineering 107 Industrial Control Systems (ICS) are often used in critical infrastructures such as energy, water resources, chemical, manufacturing, and transportation. With the development of information communication technologies, ICS face more and more cyber-attack risks. An Intrusion Detection System (IDS) is a commonly used approach to improving the security of ICS, and honeypot techniques are very useful for collecting hacker behavior data in ICS. In this thesis, a honeypot-based intrusion detection method using a Long Short-Term Memory (LSTM) neural network for the Modbus TCP protocol is proposed. A honeypot is a technique used to capture malicious data by pretending to be the real system. Honeypots can be classified as either low-interaction or high-interaction honeypots. A low-interaction honeypot is easy to develop and deploy, but it is easily recognized by hackers or by ICS search engines such as Shodan. On the other hand, a high-interaction honeypot is more difficult to recognize because it provides more complicated device features with high interaction capabilities. A physical honeypot is regarded as an implementation of a high-interaction honeypot that uses a real device to lure hackers. In this thesis, we build a Modbus TCP physical honeypot to capture malicious data. In the proposed intrusion detection model, both normal and malicious data are used in training. In the preprocessing phase, the log data are transformed from packets into session data. Because the network packets in an ICS network have a strong temporal relationship, an LSTM neural network and an ensemble method are used to improve the performance of the proposed intrusion detection method.
The experimental results show that the accuracy for detecting Modbus TCP attacks is about 92%. 廖宜恩 2019 degree thesis ; thesis 37 en_US |
collection |
NDLTD |
language |
en_US |
format |
Others |
sources |
NDLTD |
description |
Master's === National Chung Hsing University === Department of Computer Science and Engineering === 107 === Industrial Control Systems (ICS) are often used in critical infrastructures such as energy, water resources, chemical, manufacturing, and transportation. With the development of information communication technologies, ICS face more and more cyber-attack risks. An Intrusion Detection System (IDS) is a commonly used approach to improving the security of ICS, and honeypot techniques are very useful for collecting hacker behavior data in ICS.
In this thesis, a honeypot-based intrusion detection method using a Long Short-Term Memory (LSTM) neural network for the Modbus TCP protocol is proposed. A honeypot is a technique used to capture malicious data by pretending to be the real system. Honeypots can be classified as either low-interaction or high-interaction honeypots. A low-interaction honeypot is easy to develop and deploy, but it is easily recognized by hackers or by ICS search engines such as Shodan. On the other hand, a high-interaction honeypot is more difficult to recognize because it provides more complicated device features with high interaction capabilities. A physical honeypot is regarded as an implementation of a high-interaction honeypot that uses a real device to lure hackers. In this thesis, we build a Modbus TCP physical honeypot to capture malicious data.
In the proposed intrusion detection model, both normal and malicious data are used in training. In the preprocessing phase, the log data are transformed from packets into session data. Because the network packets in an ICS network have a strong temporal relationship, an LSTM neural network and an ensemble method are used to improve the performance of the proposed intrusion detection method. The experimental results show that the accuracy for detecting Modbus TCP attacks is about 92%.
|
author2 |
廖宜恩 |
author_facet |
廖宜恩 Xiao-Zhen Huang 黃筱真 |
author |
Xiao-Zhen Huang 黃筱真 |
spellingShingle |
Xiao-Zhen Huang 黃筱真 Honeypot-based Intrusion Detection Method Using LSTM for Modbus TCP Protocol |
author_sort |
Xiao-Zhen Huang |
title |
Honeypot-based Intrusion Detection Method Using LSTM for Modbus TCP Protocol |
publishDate |
2019 |
url |
http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394041%22.&searchmode=basic |