CN214011787U - High-interaction honeypot device based on real industrial control environment - Google Patents
High-interaction honeypot device based on real industrial control environment Download PDFInfo
- Publication number
- CN214011787U CN214011787U CN202021600370.6U CN202021600370U CN214011787U CN 214011787 U CN214011787 U CN 214011787U CN 202021600370 U CN202021600370 U CN 202021600370U CN 214011787 U CN214011787 U CN 214011787U
- Authority
- CN
- China
- Prior art keywords
- module group
- switch
- honeypot
- industrial
- ethernet
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Images
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The utility model provides a high mutual honeypot device based on true industry control environment, a serial communication port, including AB1756PLC module group, siemens S7-400PLC module group, schneider M580PLC module group, hursmann switch, industry audit equipment and industrial computer, wherein: the AB1756PLC module group, the Siemens S7-400PLC module group, the Schneider M580PLC module group and the industrial personal computer are respectively connected to four Ethernet ports of the Hessian switch through Ethernet, and any one of the rest Ethernet ports in the Hessian switch is configured to be a mirror image port and then is connected with a management port of the industrial auditing device through the Ethernet. The utility model provides a pair of high mutual honeypot device can reduce the probability that the honeypot was discerned, guarantees that the honeypot can continuously lure the attack in order to discover, analysis and research attacker's action, provides the continuity data support for the safety technology research.
Description
Technical Field
The utility model relates to an industrial control network honeypot device, in particular to high mutual honeypot device based on real industrial control environment.
Background
The honeypot system is a common tool for setting intrusion alarms and researching attacks on a computer system, applies honeypot technology to industrial control honeypot devices generated in the field of industrial control, and has important significance for researching attacks and detection behaviors on the industrial control system.
Once identified by an attacker, honeypots lose their original value and are a passive active defense means that is to be broken and disabled. In recent years, the research on the identification technology of the industrial control honeypots is increasingly active, and attackers start to systematically research how to identify and counter the industrial control honeypots and share knowledge results through hacker communities, so that a lot of industrial control honeypots fail in disputes. Under the background, the improvement of the anti-recognition capability of honeypots becomes a hot point of research in the field of network defense.
Disclosure of Invention
The to-be-solved technical problem of the utility model is: the low-interaction type industrial control honeypot and the medium-interaction type industrial control honeypot are low in authenticity and easy to be identified by attackers, so that the safety resource value is lost.
In order to solve the technical problem, the technical scheme of the utility model provides a high mutual honeypot device based on true industry control environment is provided, a serial communication port, including AB1756PLC module group, Siemens S7-400PLC module group, Schneider M580PLC module group, Heisman switch, industry audit equipment and industrial computer, wherein:
the AB1756PLC module group, the Siemens S7-400PLC module group, the Schneider M580PLC module group and the industrial personal computer are respectively connected to four Ethernet ports of the Hessian switch through Ethernet, and any one of the rest Ethernet ports in the Hessian switch is configured as a mirror image port and then is connected with a management port of the industrial auditing device through the Ethernet.
Preferably, the industrial personal computer further comprises a 220V air switch and a 24V direct current power supply which are connected, the input end of the 220V air switch is connected with a 220V power supply terminal, the output end of the 220V air switch is respectively connected with the AB1756PLC module group, the Siemens S7-400PLC module group, the Schneider M580PLC module group and the input end of the 24V direct current power supply, and the output end of the 24V direct current power supply is connected with the industrial personal computer and each I/O module.
The utility model provides a pair of high mutual honeypot device can reduce the probability that the honeypot was discerned, guarantees that the honeypot can continuously lure the attack in order to discover, analysis and research attacker's action, provides the continuity data support for the safety technology research.
Drawings
FIG. 1 is a layout diagram of the honeypot device cabinet of the present invention;
FIG. 2 is the layout of the switch interface of the honeypot device of the present invention;
FIG. 3 is a network topology diagram of the honeypot device of the present invention;
fig. 4 is the utility model discloses honeypot device switch interface layout.
Detailed Description
The present invention will be further described with reference to the following specific examples. It should be understood that these examples are for illustrative purposes only and are not intended to limit the scope of the present invention. Furthermore, it should be understood that various changes and modifications of the present invention may be made by those skilled in the art after reading the teachings of the present invention, and these equivalents also fall within the scope of the appended claims.
As shown in FIG. 1, the utility model provides a pair of high mutual honeypot device based on real industry control environment includes AB1756PLC module group 1, Siemens S7-400PLC module group 2, Schneider M580PLC module group 3, Hessiman switch 7, industrial audit equipment and industrial computer.
The input end of the 220V air switch 4 is connected with a 220V power supply terminal, the output end of the 220V air switch 4 is respectively connected with the AB1756PLC module group, the Siemens S7-400PLC module group, the Schneider M580PLC module group and the input end of the 24V direct current power supply 6, and the output end of the 24V direct current power supply 6 is connected with the industrial personal computer and each I/O module. As shown in fig. 2, the voltage transformers PT1, PT2 and PT3 are connected to corresponding devices through a connecting terminal 5, terminals 01 and 02 of the voltage transformer PT1 are 220V power supply terminals, and then power is supplied to an AB1756PLC module group, a siemens S7-400PLC module group, a schneider M580PLC module group and a 24V dc power supply 6 through a 220V air switch 4(K1, K2, K3 and K4). The 24V direct current converted by the 24V direct current power supply 6 respectively supplies power to each I/O module and the switch through a voltage transformer PT 3.
The AB1756PLC module group 1, the Siemens S7-400PLC module group 2, the Schneider M580PLC module group 3 and the industrial personal computer are respectively connected to the Husman switch 7 in an Ethernet mode. Any one of the remaining Ethernet ports in the Husman switch 7 is configured as a mirror port and then connected with the management port of the industrial auditing device through the Ethernet.
As shown in fig. 3 and 4, the AB1756PLC module group 1 is connected to the TX4 port of the hursmann switch 7, the siemens S7-400PLC module group 2 is connected to the TX3 port of the hursmann switch 7, the schneider M580PLC module group 3 is connected to the TX2 port of the hursmann switch 7, and the industrial personal computer is connected to the TX1 port of the hursmann switch 7. The TX8 port of the hursmann switch 7 is configured as a mirror port by hursmann management software, the mirror content is data communicated by the TX1, TX2, TX3 and TX4 ports, and the audit device traffic port is connected to the TX8 port. The IP address of each device is shown in table 1:
TABLE 1 Equipment IP Allocation Table
The industrial personal computer is provided with three sets of virtual machine software, and logic 5000, Portal V15 and UnitypROR software are respectively installed for configuring the three sets of PLC. And the industrial personal computer host is provided with human-computer interaction software iFix for carrying out data communication with the three sets of PLC. The AB1756PLC module group 1 communicates with the iFix in an OPC protocol mode, the Schneider M580PLC module group 3 communicates with the iFix in an MBE Modbus TCP/IP protocol, and the Siemens S7-400PLC module group 2 communicates data to the AB PLC and then transmits the data to the iFix in a Socket mode.
The data communication scheme is as follows: OPC and MBE communication tools are added in the communication protocol of the iFix software, wherein the Opc tool carries out data interaction in an OPC protocol mode, and the MBE tool carries out data interaction in a Modbus TCP/IP protocol mode. In addition, data interaction is carried out between the AB1756PLC module group 1 and the Siemens S7-400PLC module group 2 in a Socket mode.
And (3) a data auditing scheme: and setting the port No. 5 of the Husmann switch as a mirror port, namely copying the data of the ports No. 1, 2, 3 and 4 to the port No. 5 for auditing. The main content of the audit is protocol audit and flow audit, wherein: the protocol audit adopts a deep packet detection technology and an application layer communication tracking technology, the deep packet analyzes a data packet of an industrial control network, and an instruction layer analyzed by an OPC protocol for Modbus TCP. And the flow audit interface displays the total flow, the equipment flow ratio and the protocol flow ratio of the equipment in the latest period of time, and the equipment flow is displayed by using a chart. Protocol duty ranking is included in the details of each device and a 1 hour/1 day/1 week protocol duty presentation can be set. And then carrying out attack evidence obtaining, and when the invasion attack is detected, keeping the matched attack message original data packet and corresponding to the data packet through the SID. Through analysis of the attack message, the approximately buried position of the attacker is located, and the habit and the characteristics of the attacker are obtained. The attack evidence collection adopts an interface mirror image mode to extract the report file in real time, and an industrial personal computer is connected to the evidence collection interface to obtain the message of capturing the attack.
The honeypot IP mapping public network IP scheme comprises the following steps: the industrial personal computer network card is connected to a public network router, the iFix issues a process flow monitoring management interface of the honeypot device to a public network through a web issuing function, NAT mapping forwarding is conducted on the process flow monitoring management interface, an intranet IP address of the honeypot is mapped to a private network fixed IP, a protocol is set to be TCP, and a port mapping is set to be 8999 port.
Claims (2)
1. The utility model provides a high mutual honeypot device based on real industry control environment, its characterized in that includes AB1756PLC module group, Siemens S7-400PLC module group, Schneider M580PLC module group, huskman switch, industry audit equipment and industrial computer, wherein:
the AB1756PLC module group, the Siemens S7-400PLC module group, the Schneider M580PLC module group and the industrial personal computer are respectively connected to four Ethernet ports of the Hessian switch through Ethernet, and any one of the rest Ethernet ports in the Hessian switch is configured as a mirror image port and then is connected with a management port of the industrial auditing device through the Ethernet.
2. The high-interaction honeypot device based on the real industrial control environment as claimed in claim 1, further comprising a 220V air switch and a 24V dc power supply, wherein an input terminal of the 220V air switch is connected to a 220V power supply terminal, an output terminal of the 220V air switch is respectively connected to the AB1756PLC module group, the siemens S7-400PLC module group, the schneider M580PLC module group and an input terminal of the 24V dc power supply, and an output terminal of the 24V dc power supply is connected to the industrial personal computer and each I/O module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202021600370.6U CN214011787U (en) | 2020-08-05 | 2020-08-05 | High-interaction honeypot device based on real industrial control environment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202021600370.6U CN214011787U (en) | 2020-08-05 | 2020-08-05 | High-interaction honeypot device based on real industrial control environment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN214011787U true CN214011787U (en) | 2021-08-20 |
Family
ID=77287837
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202021600370.6U Active CN214011787U (en) | 2020-08-05 | 2020-08-05 | High-interaction honeypot device based on real industrial control environment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN214011787U (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115576265A (en) * | 2022-11-21 | 2023-01-06 | 博智安全科技股份有限公司 | PLC device simulation method, device, equipment and storage medium |
-
2020
- 2020-08-05 CN CN202021600370.6U patent/CN214011787U/en active Active
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN115576265A (en) * | 2022-11-21 | 2023-01-06 | 博智安全科技股份有限公司 | PLC device simulation method, device, equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| Igure et al. | Security issues in SCADA networks | |
| CN104242465B (en) | A kind of transformer substation remote monitoring system based on B/S and method | |
| CN109768880A (en) | A kind of network topology distant place visualizing monitor method towards electric power monitoring system | |
| CN105159121B (en) | Household electrical appliance and its on-off control method and system and smart machine | |
| CN107888613B (en) | Management system based on cloud platform | |
| CN214011787U (en) | High-interaction honeypot device based on real industrial control environment | |
| Kołtyś et al. | Shape: A honeypot for electric power substation | |
| CN104506342A (en) | Rack-mounted server system | |
| Paul et al. | Towards the protection of industrial control systems–conclusions of a vulnerability analysis of profinet IO | |
| CN102984202B (en) | A kind of cross-over NAT equipment realizes the System and method for of Telnet webmaster | |
| CN202444511U (en) | Wireless monitoring system as well as monitoring equipment and monitoring terminal thereof | |
| CN107046509A (en) | A kind of intelligent industrial-control network data integration method parsed based on mirror port | |
| CN110290234A (en) | Method, apparatus, system, equipment and the storage medium that node address is traced to the source | |
| CN201657204U (en) | System for realizing network video monitoring off internet platform | |
| CN102131072A (en) | System and method for realizing network video monitoring under internet platform | |
| CN103024948A (en) | Data business comprehensive access terminal based on time division long term evolution (TD-LTE) wireless private network | |
| CN202475778U (en) | Industrial grade 3rd generation (3G) wireless router | |
| CN201976140U (en) | Network access control system in Cisco environment | |
| CN205027867U (en) | System for be used for interior arc light fault detection of generator slip ring cell | |
| CN110224877A (en) | PDU management system based on Ethernet | |
| CN108228499B (en) | Out-of-band management device | |
| CN202455395U (en) | Large-scale intelligent management remote monitoring power supply distributor for data center | |
| CN214707727U (en) | Fixed asset management information system terminal and network patrol police service desk | |
| CN105553813A (en) | Remote network control system based on virtual local area network | |
| CN105306620A (en) | Data transmission control system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| GR01 | Patent grant | ||
| GR01 | Patent grant |