Towards agnostic Operational Technology (OT) honeypot fingerprinting

Arthur Cordeiro; Emmanouil Vasilomanolakis

Towards agnostic Operational Technology (OT) honeypot fingerprinting

Arthur Cordeiro, Emmanouil Vasilomanolakis

Research output: Chapter in Book/Report/Conference proceeding › Article in proceedings › Research › peer-review

37 Downloads (Orbit)

Abstract

Honeypots are versatile cyber-deception tools used to detect and analyze malicious activity across various environments, including operational technology (OT) systems that support critical infrastructure. Their effectiveness, however, depends on remaining undetectable to increasingly sophisticated attackers who employ fingerprinting techniques. This work introduces Aletheia, a framework for fingerprinting OT honeypots agnostically, by reversing the TCP/IP stack. We conduct an Internet-wide scan targeting the Modbus and S7comm protocols, identifying approximately 6 million responsive IPv4 addresses. Applying only a subset of our methodology, we uncover around 7,000 potential honeypot instances—including custom implementations—demonstrating, even at this preliminary stage, how our holistic framework combines established techniques with novel fingerprinting methods to reveal previously unidentified honeypots.

Original language	English
Title of host publication	Proceedings of the 9th Network Traffic Measurement and Analysis Conference (TMA conference 2025)
Number of pages	4
Publisher	IFIP
Publication status	Accepted/In press - 2025
Event	9^th Network Traffic Measurement and Analysis Conference - Copenhagen, Denmark Duration: 10 Jun 2025 → 13 Jun 2025

Conference

Conference	9^th Network Traffic Measurement and Analysis Conference
Country/Territory	Denmark
City	Copenhagen
Period	10/06/2025 → 13/06/2025

Keywords

Fingerprinting
Internet scan
Honeypot
OT
Cyber-defense

Access to Document

FulltextAccepted author manuscript, 186 KB

Cite this

@inproceedings{1431a01b95d0424f8b58d48cb1f21993,

title = "Towards agnostic Operational Technology (OT) honeypot fingerprinting",

abstract = "Honeypots are versatile cyber-deception tools used to detect and analyze malicious activity across various environments, including operational technology (OT) systems that support critical infrastructure. Their effectiveness, however, depends on remaining undetectable to increasingly sophisticated attackers who employ fingerprinting techniques. This work introduces Aletheia, a framework for fingerprinting OT honeypots agnostically, by reversing the TCP/IP stack. We conduct an Internet-wide scan targeting the Modbus and S7comm protocols, identifying approximately 6 million responsive IPv4 addresses. Applying only a subset of our methodology, we uncover around 7,000 potential honeypot instances—including custom implementations—demonstrating, even at this preliminary stage, how our holistic framework combines established techniques with novel fingerprinting methods to reveal previously unidentified honeypots.",

keywords = "Fingerprinting, Internet scan, Honeypot, OT, Cyber-defense",

author = "Arthur Cordeiro and Emmanouil Vasilomanolakis",

year = "2025",

language = "English",

booktitle = "Proceedings of the 9th Network Traffic Measurement and Analysis Conference (TMA conference 2025)",

publisher = "IFIP",

note = "9<sup>th</sup> Network Traffic Measurement and Analysis Conference , TMA ; Conference date: 10-06-2025 Through 13-06-2025",

}

TY - GEN

T1 - Towards agnostic Operational Technology (OT) honeypot fingerprinting

AU - Cordeiro, Arthur

AU - Vasilomanolakis, Emmanouil

PY - 2025

Y1 - 2025

N2 - Honeypots are versatile cyber-deception tools used to detect and analyze malicious activity across various environments, including operational technology (OT) systems that support critical infrastructure. Their effectiveness, however, depends on remaining undetectable to increasingly sophisticated attackers who employ fingerprinting techniques. This work introduces Aletheia, a framework for fingerprinting OT honeypots agnostically, by reversing the TCP/IP stack. We conduct an Internet-wide scan targeting the Modbus and S7comm protocols, identifying approximately 6 million responsive IPv4 addresses. Applying only a subset of our methodology, we uncover around 7,000 potential honeypot instances—including custom implementations—demonstrating, even at this preliminary stage, how our holistic framework combines established techniques with novel fingerprinting methods to reveal previously unidentified honeypots.

AB - Honeypots are versatile cyber-deception tools used to detect and analyze malicious activity across various environments, including operational technology (OT) systems that support critical infrastructure. Their effectiveness, however, depends on remaining undetectable to increasingly sophisticated attackers who employ fingerprinting techniques. This work introduces Aletheia, a framework for fingerprinting OT honeypots agnostically, by reversing the TCP/IP stack. We conduct an Internet-wide scan targeting the Modbus and S7comm protocols, identifying approximately 6 million responsive IPv4 addresses. Applying only a subset of our methodology, we uncover around 7,000 potential honeypot instances—including custom implementations—demonstrating, even at this preliminary stage, how our holistic framework combines established techniques with novel fingerprinting methods to reveal previously unidentified honeypots.

KW - Fingerprinting

KW - Internet scan

KW - Honeypot

KW - OT

KW - Cyber-defense

M3 - Article in proceedings

BT - Proceedings of the 9th Network Traffic Measurement and Analysis Conference (TMA conference 2025)

PB - IFIP

T2 - 9<sup>th</sup> Network Traffic Measurement and Analysis Conference

Y2 - 10 June 2025 through 13 June 2025

ER -