Keywords: honeypot, computer science, identification, embedded systems, operating systems, computer security
Authors
Hengye Zhu, Mengxiang Liu, Binbin Chen, Xin Che, Peng Cheng, Ruilong Deng
Identifier
DOI: 10.1109/tifs.2024.3407520
Abstract
The widespread use of programmable logic controllers (PLCs) in critical infrastructures has given rise to escalating cybersecurity concerns regarding PLC attacks. As a proactive defense mechanism, PLC honeypots emulate genuine controllers to engage adversaries so that their attack tactics and techniques can be observed. As part of the arms race between offense and defense, multiple PLC honeypot identification tools have been developed. However, many existing tools cannot recognize high-fidelity honeypots, because they rely on identifying common network services and fingerprints. In this paper, we propose an innovative and practical honeypot identification framework called HoneyJudge, which goes beyond state-of-the-art (SOTA) network fingerprint-based identification tools such as Nmap and PLCScan. HoneyJudge tests the suspected target's memory content and memory-related behavior. Specifically, HoneyJudge models the internal memory of a PLC in three categories (system-level, user-level, and process-level) and, based on this model, extracts six representative memory features. All features are acquired through automated network request messages. We then design a weighted voting algorithm that combines the test results over the different memory features to reach a final verdict. We validate the effectiveness of HoneyJudge against several SOTA honeypot identification tools; the results indicate that memory-related fidelity has not been well addressed in existing PLC honeypots and still needs substantial research effort.