SaTC: CORE: Small: Towards Deceptive and Domain-Specific Cyber-Physical Honeypots

SaTC：核心：小型：走向欺骗性和特定领域的网络物理蜜罐

• 批准号: 2231651
• 负责人: Saman Zonouz
• 金额: $ 60万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2023
• 资助国家: 美国
• 起止时间: 2023-03-01 至 2026-02-28
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2231651&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Towards; Deceptive

Cyber-physical critical infrastructures provide management and control capabilities for mission-critical utilities such as power grids. Programmable logic controllers (PLCs) play a key role as they serve as a convenient bridge between the cyber and the physical worlds. PLCs’ critical roles have made them the target of sophisticated cyberattacks that are designed to disrupt their operation, which creates both social unrest and financial losses. In this context, cyber honeypots have been shown to be highly valuable tools for collecting data to better understand the many different strategies and objectives of the attackers. The project’s novelty is to develop a new domain-specific stealthy honeypot for cyber-physical critical infrastructures and specifically PLC controllers. The solutions allow for active data collection using autonomous interactions with attacker’s software to activate its malicious capabilities. The project's broader significance and importance are to provide guidelines for researchers and practitioners looking to incorporate honeypots and security methods into cyber-physical systems (CPS) and embedded controllers. For complete stealth, the solutions leverage air-gapped observations of the malware behavior through physical side channels such as PLC processor power signal produced by the on-device malicious code execution. For deception, the techniques leverage mathematical models and physics-informed neural networks to provide a realistic emulation of the physical dynamics and a misleading physical process interface to the PLC input-output ports. The research outcomes address the above-mentioned semantic gap via an automated binary reverse engineering of the malicious controller code to extract the high-level adversarial objectives from low-level controller software execution traces. This enables the classification of adversaries dynamically using online data-driven meta-learning algorithms. This work transforms how people approach the problem of threat intelligence and modeling in CPS, in that the holistic view cognizant of both cyber and physical factors becomes widespread.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

网络物理关键基础设施为关键任务电网（例如电网）提供管理和控制功能。可编程逻辑控制器（PLC）起着关键作用，因为它们是网络和物理世界之间的便捷桥梁。 PLC的关键作用使它们成为了旨在破坏其运营的复杂网络攻击的目标，从而造成了社会动荡和财务损失。在这种情况下，网络蜜饯已被证明是收集数据的高度有价值的工具，以更好地了解攻击者的许多不同策略和目标。该项目的新颖性是为网络物理关键基础设施，特别是PLC控制器开发一种新的特定领域的隐身蜜罐。该解决方案允许使用与Attacker的软件进行自主互动的活动收集，以激活其恶意功能。该项目的重要意义和重要性是为希望将蜜罐和安全方法纳入网络物理系统（CPS）和嵌入式控制器的研究人员和从业者提供指南。为了完整的隐身，解决方案通过物理侧渠道（例如，在设备恶意代码执行中产生的PLC处理器电源信号）对恶意软件行为进行空白观察。为了欺骗，这些技术利用数学模型和物理知识的神经网络提供对物理动力学的现实仿真以及误导性的物理过程接口到PLC输入输出端口。研究结果通过恶意控制器代码的自动二进制逆向工程来解决上述语义差距，以从低级控制器软件执行跟踪中提取高级对抗性目标。这样可以使用在线数据驱动的元学习算法动态地对对手进行分类。这项工作改变了人们如何处理CPS中威胁智力和建模的问题，因为对网络和物理因素的整体观点都变得广泛。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子和更广泛影响的评估标准通过评估来评估的。