Abstract

As an essential component of critical infrastructure, the Industrial Control System (ICS) faces increasing cyber threats, and the emergence of the Shodan search engine has magnified them. Because it can identify and index Internet-connected industrial control devices, Shodan has become a favorite toolkit for attackers and penetration testers alike. In this paper, we use honeypot technology to conduct a comprehensive exploration of the Shodan search engine. We first deploy six distributed honeypot systems and collect three months of traffic data. To study Shodan, we design a hierarchical DFA-SVM recognition model that identifies Shodan scans from the function code and traffic features; it finds Shodan and Shodan-like scanners more reliably than the predominant method of reverse-resolving IP addresses. Finally, we conduct an in-depth analysis of Shodan scans and evaluate the impact of Shodan on industrial control systems in terms of scanning time, scanning frequency, scanned ports, regional preferences, ICS protocol preferences and the proportion of ICS protocol function codes. Accordingly, we provide some defensive measures to mitigate the Shodan threat.

Highlights

  • Industrial control systems (ICS) are widely deployed in critical fields such as oil and gas transportation, water supplies, and power facilities [1]

  • We propose a hierarchical deterministic finite automaton (DFA)-SVM recognition model to identify Shodan scans based on function code and traffic features

  • We propose a hierarchical DFA-SVM traffic recognition model based on the function code and traffic features, which can improve the ability to identify Shodan and Shodan-like scans in honeypot data


Summary

INTRODUCTION

Industrial control systems (ICS) are widely deployed in critical fields such as oil and gas transportation, water supplies, and power facilities [1]. We propose a hierarchical DFA-SVM traffic recognition model based on the function code and traffic features, which improves the ability to identify Shodan and Shodan-like scans in honeypot data. Since the Shodan scanning traffic sequence is relatively stable, we can establish a DFA model that generates function code subsequences for each industrial control protocol. We then match these function code subsequences in the DFA model against the interactive packets to decide the state transitions, which distinguishes whether the captured interactive packets belong to a Shodan scan. We use IBM X-Force [30] threat intelligence and the open abuse IP database AbuseIPDB [31] to identify the 16 new Shodan-like scanners, of which 10 belong to Censys and 6 belong to PLCscan, a PLC scanning and identification platform launched by Beacon Lab.
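The DFA tier described above, as an added illustration that is not code from the paper: each known scanner profile is a signature subsequence of Modbus function codes, the automaton advances one state per matched code, and sessions from a source that reach the accepting state are labelled; sources that match nothing would be passed on to the paper's SVM tier. The signature subsequences, the source addresses and the capture are all constructed for this example (the paper does not publish Shodan's real sequences).

```python
"""First (DFA) tier of a hierarchical scanner recogniser over Modbus function codes.

Added example, not code from the paper. Signature subsequences are CONSTRUCTED
for illustration; the paper does not publish the real Shodan sequences.
"""
from collections import defaultdict

# Constructed scanner profiles: ordered Modbus function codes a hypothetical
# scanner emits per session (43 = Read Device Identification, 17 = Report
# Server ID, 3 = Read Holding Registers, 1 = Read Coils). Assumption only.
SIGNATURES = {
    "profile-A": (43, 17, 3),
    "profile-B": (43, 43, 1),
}


class SubsequenceDFA:
    """States are positions in one signature; the automaton advances when the
    observed code equals the expected one and accepts at the final position.
    Non-matching codes are ignored (subsequence, not substring, matching), so
    interleaved noise does not reset the automaton."""

    def __init__(self, name, codes):
        self.name, self.codes, self.state = name, tuple(codes), 0

    def feed(self, code):
        if self.state < len(self.codes) and code == self.codes[self.state]:
            self.state += 1
        return self.accepted()

    def accepted(self):
        return self.state == len(self.codes)


def classify_sessions(packets, signatures=SIGNATURES):
    """packets: iterable of (source_ip, function_code) in capture order.
    Returns {source_ip: sorted matched profile names}; an empty list means
    no DFA match, i.e. the session would go to the SVM tier."""
    automata = defaultdict(lambda: [SubsequenceDFA(n, c) for n, c in signatures.items()])
    for src, code in packets:
        for dfa in automata[src]:
            dfa.feed(code)
    return {src: sorted(d.name for d in dfas if d.accepted()) for src, dfas in automata.items()}


# Constructed honeypot capture: (source, Modbus function code), not real data.
SAMPLE_PACKETS = [
    ("203.0.113.5", 43), ("203.0.113.5", 17), ("203.0.113.5", 3),
    ("198.51.100.9", 43), ("198.51.100.9", 6), ("198.51.100.9", 43), ("198.51.100.9", 1),
    ("192.0.2.77", 3), ("192.0.2.77", 3), ("192.0.2.77", 16),
]

if __name__ == "__main__":
    for src, hits in classify_sessions(SAMPLE_PACKETS).items():
        print(src, hits or "no DFA match -> SVM tier")
```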
