SaTC: CORE: Small: Towards Deceptive and Domain-Specific Cyber-Physical Honeypots

SaTC：核心：小型：走向欺骗性和特定领域的网络物理蜜罐

• 批准号: 2231651
• 负责人: Saman Zonouz
• 金额: $ 60万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-03-01 至 2026-02-28
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2231651&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Towards; Deceptive

Cyber-physical critical infrastructures provide management and control capabilities for mission-critical utilities such as power grids. Programmable logic controllers (PLCs) play a key role as they serve as a convenient bridge between the cyber and the physical worlds. PLCs’ critical roles have made them the target of sophisticated cyberattacks that are designed to disrupt their operation, which creates both social unrest and financial losses. In this context, cyber honeypots have been shown to be highly valuable tools for collecting data to better understand the many different strategies and objectives of the attackers. The project’s novelty is to develop a new domain-specific stealthy honeypot for cyber-physical critical infrastructures and specifically PLC controllers. The solutions allow for active data collection using autonomous interactions with attacker’s software to activate its malicious capabilities. The project's broader significance and importance are to provide guidelines for researchers and practitioners looking to incorporate honeypots and security methods into cyber-physical systems (CPS) and embedded controllers. For complete stealth, the solutions leverage air-gapped observations of the malware behavior through physical side channels such as PLC processor power signal produced by the on-device malicious code execution. For deception, the techniques leverage mathematical models and physics-informed neural networks to provide a realistic emulation of the physical dynamics and a misleading physical process interface to the PLC input-output ports. The research outcomes address the above-mentioned semantic gap via an automated binary reverse engineering of the malicious controller code to extract the high-level adversarial objectives from low-level controller software execution traces. This enables the classification of adversaries dynamically using online data-driven meta-learning algorithms. This work transforms how people approach the problem of threat intelligence and modeling in CPS, in that the holistic view cognizant of both cyber and physical factors becomes widespread.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络物理关键基础设施为电网等关键任务公用事业提供管理和控制能力。可编程逻辑控制器（PLC）发挥着关键作用，因为它们是网络和物理世界之间的便捷桥梁。PLC的关键作用使其成为旨在破坏其运营的复杂网络攻击的目标，这造成了社会动荡和经济损失。在这种情况下，网络蜜罐已被证明是非常有价值的工具，用于收集数据，以更好地了解攻击者的许多不同策略和目标。该项目的新奇在于为网络物理关键基础设施，特别是PLC控制器开发一种新的特定领域的隐形蜜罐。这些解决方案允许使用与攻击者软件的自主交互来激活其恶意功能来主动收集数据。该项目更广泛的意义和重要性是为希望将蜜罐和安全方法纳入网络物理系统（CPS）和嵌入式控制器的研究人员和从业人员提供指导方针。为了实现完全隐形，这些解决方案通过物理侧通道（如设备上恶意代码执行产生的PLC处理器电源信号）利用恶意软件行为的气隙观察。对于欺骗，该技术利用数学模型和物理信息神经网络来提供物理动力学的真实仿真和对PLC输入-输出端口的误导性物理过程接口。研究成果通过恶意控制器代码的自动二进制逆向工程来解决上述语义差距，以从低级控制器软件执行痕迹中提取高级对抗目标。这使得能够使用在线数据驱动的元学习算法动态地对对手进行分类。这项工作改变了人们在CPS中处理威胁情报和建模问题的方式，因为认识到网络和物理因素的整体观点变得普遍。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。