We consider the case where an adversary is conducting a surveillance campaign against a networked control system (NCS), and take the perspective of a defender/control system operator who has successfully isolated the cyber intruder. To better understand the adversary's intentions and to drive up their operating costs, the defender directs the adversary towards a "honeypot" that emulates a real control system but has no actual connections to a physical plant. We propose a strategy for adversary engagement within the "honey" control system to increase the adversary's costs of information processing. We assume that, based on an understanding of the adversary's control-theoretic goals, cyber threat intelligence (CTI) provides the defender with knowledge of the adversary's preferences for information acquisition. We use this knowledge to spoof sensor readings to maximize the amount of information the adversary consumes while making it (information-theoretically) difficult for the adversary to detect that they are being spoofed. We discuss the case of imperfect versus perfect threat intelligence and perform a numerical comparison.