Exploring Shodan From the Perspective of Industrial Control Systems

As an essential component of critical infrastructure, the Industrial Control System (ICS) faces increasing cyber threats, and the emergence of the Shodan search engine has magnified them. Because it can identify and index Internet-connected industrial control devices, Shodan has become a favorite toolkit for attackers and penetration testers alike. In this paper, we use honeypot technology to conduct a comprehensive exploration of the Shodan search engine. We first deploy six distributed honeypot systems and collect three months of traffic data. To explore Shodan, we design a hierarchical DFA-SVM recognition model that identifies Shodan scans from the ICS function codes and traffic features they exhibit; this approach finds Shodan and Shodan-like scanners better than the predominant method of reverse-resolving source IPs. Finally, we conduct an in-depth analysis of the Shodan scans and evaluate Shodan's impact on industrial control systems in terms of scanning time, scanning frequency, scanned ports, regional preferences, ICS protocol preferences and the proportion of ICS protocol function codes used. Based on these findings, we propose defensive measures to mitigate the Shodan threat.
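The abstract describes recognising scanners from the ICS function codes they send together with flow-level traffic features. The following is an added illustration, not the paper's DFA-SVM model or any code from the authors: it parses Modbus/TCP request frames, aggregates per-source features of the kind such a recogniser would consume (request rate, distinct function codes, ports and unit IDs, presence of a device-identification probe), and applies a hypothetical rule as a stand-in for the classifier stage. The source addresses and frames are constructed sample data; the threshold in `looks_like_scan` is an assumption, not a value from the paper.

```python
"""Per-source feature extraction over Modbus/TCP request frames.

Added example (hypothetical, not the paper's model). The MBAP header
layout and function-code numbers are from the Modbus/TCP specification;
the sample frames and the scan heuristic are constructed for illustration.
"""
from dataclasses import dataclass, field

# Modbus/TCP MBAP header: transaction id (2 bytes), protocol id (2, must be 0),
# length (2, bytes that follow the length field), unit id (1); then the PDU,
# whose first byte is the function code.
MBAP_LEN = 7
FC_READ_HOLDING_REGISTERS = 3
FC_REPORT_SERVER_ID = 17
FC_READ_DEVICE_IDENTIFICATION = 43
READ_ONLY_CODES = {1, 2, 3, 4, FC_REPORT_SERVER_ID, FC_READ_DEVICE_IDENTIFICATION}


@dataclass
class SourceFeatures:
    first_ts: float
    last_ts: float
    requests: int = 0
    function_codes: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    unit_ids: set = field(default_factory=set)


def parse_modbus_request(payload: bytes):
    """Return (unit_id, function_code) for a well-formed request, else None.

    Frames with a non-zero protocol id, a length field that disagrees with
    the frame size, or no PDU at all are rejected rather than guessed at.
    """
    if len(payload) < MBAP_LEN + 1:
        return None
    proto = int.from_bytes(payload[2:4], "big")
    length = int.from_bytes(payload[4:6], "big")
    if proto != 0 or length != len(payload) - 6:
        return None
    return payload[6], payload[7]


def extract_features(frames):
    """frames: iterable of (timestamp, src_ip, dst_port, payload). One record per source."""
    feats = {}
    for ts, src, dport, payload in frames:
        parsed = parse_modbus_request(payload)
        if parsed is None:
            continue  # malformed frames are not counted as Modbus requests
        unit_id, fc = parsed
        f = feats.setdefault(src, SourceFeatures(first_ts=ts, last_ts=ts))
        f.first_ts, f.last_ts = min(f.first_ts, ts), max(f.last_ts, ts)
        f.requests += 1
        f.function_codes.add(fc)
        f.ports.add(dport)
        f.unit_ids.add(unit_id)
    return feats


def feature_vector(f: SourceFeatures) -> dict:
    """Flatten one source's record into the numeric/boolean features a classifier would take."""
    span = max(f.last_ts - f.first_ts, 1.0)  # avoid division by zero for single-request sources
    return {
        "requests": f.requests,
        "rate_per_s": f.requests / span,
        "n_function_codes": len(f.function_codes),
        "n_ports": len(f.ports),
        "n_unit_ids": len(f.unit_ids),
        "identification_probe": FC_READ_DEVICE_IDENTIFICATION in f.function_codes,
        "read_only": f.function_codes <= READ_ONLY_CODES,
    }


def looks_like_scan(vec: dict) -> bool:
    """Hypothetical rule standing in for the classifier stage (assumption, not the paper's)."""
    return vec["identification_probe"] and vec["n_function_codes"] >= 2


def mbap_frame(tid: int, unit_id: int, pdu: bytes) -> bytes:
    """Build a Modbus/TCP frame; used here only to construct sample input."""
    return tid.to_bytes(2, "big") + b"\x00\x00" + (len(pdu) + 1).to_bytes(2, "big") + bytes([unit_id]) + pdu


# Constructed sample traffic: one fingerprinting-style burst from 198.51.100.7
# (device identification, report server id, one register read across two
# unit ids) and one steady polling client at 203.0.113.5 reading registers.
SAMPLE_FRAMES = [
    (0.0, "198.51.100.7", 502, mbap_frame(1, 1, bytes([FC_READ_DEVICE_IDENTIFICATION, 0x0E, 0x01, 0x00]))),
    (0.5, "198.51.100.7", 502, mbap_frame(2, 1, bytes([FC_REPORT_SERVER_ID]))),
    (1.0, "198.51.100.7", 502, mbap_frame(3, 0xFF, bytes([FC_READ_HOLDING_REGISTERS, 0, 0, 0, 1]))),
    (2.0, "198.51.100.7", 502, b"\x00\x04\x00\x01\x00\x02\x01"),  # bad protocol id: dropped
    (0.0, "203.0.113.5", 502, mbap_frame(1, 1, bytes([FC_READ_HOLDING_REGISTERS, 0, 0, 0, 10]))),
    (10.0, "203.0.113.5", 502, mbap_frame(2, 1, bytes([FC_READ_HOLDING_REGISTERS, 0, 0, 0, 10]))),
    (20.0, "203.0.113.5", 502, mbap_frame(3, 1, bytes([FC_READ_HOLDING_REGISTERS, 0, 0, 0, 10]))),
]

if __name__ == "__main__":
    for src, rec in extract_features(SAMPLE_FRAMES).items():
        vec = feature_vector(rec)
        print(src, "scan-like" if looks_like_scan(vec) else "polling", vec)
```

Run against honeypot captures, the per-source vectors are what a learned classifier would be trained on; the heuristic here merely separates the burst that probes device identity from a client that only polls registers, and the parser deliberately discards frames that do not satisfy the MBAP length and protocol-id checks so that junk traffic does not inflate the counts.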
