Cryptology ePrint Archive: Report 2020/255

Novel Deception Techniques for Malware Detection on Industrial Control Systems

Takanori Machida and Dai Yamamoto and Yuki Unno and Hisashi Kojima

Abstract: To maintain the availability of industrial control systems (ICS), it is important to robustly detect malware infection that spreads within the ICS network. In ICS, a host often communicates with the determined hosts; for instance, a supervisory control host observes and controls the same devices routinely via the network. Therefore, a communication request to the unused internet protocol (IP) address space, i.e. darknet, in the ICS network is likely to be caused by malware in the compromised host in the network. That is, darknet monitoring may enable us to detect malware that tries to spread indiscriminately within the network. On the other hand, advanced malware, such as malware determining target hosts of infection with reference to host lists in the networks, infects the confined hosts in the networks, and consequently evades detection by security sensors or honeypots. In this paper, we propose novel deception techniques that lure such malware to our sensor, by embedding the sensor information continuously in the lists of hosts in the ICS networks. In addition, the feasibility of the proposed deception techniques is shown through our simplified implementation by using actual malware samples: WannaCry and Conficker.

Category / Keywords: applications / Industrial Control System (ICS), Malware Detection, Darknet Monitoring, Honeypot, Server Message Block (SMB), Address Resolution Protocol (ARP)

Date: received 24 Feb 2020

Contact author: m-takanori at fujitsu com

Available format(s): PDF | BibTeX Citation

Version: 20200225:204518 (All versions of this report)

Short URL: ia.cr/2020/255


[ Cryptology ePrint archive ]