Design and implementation of high-interaction programmable logic controller honeypot system based on industrial control business simulation
ZHAO Guoxin, DING Ruofan, YOU Jianzhou, LYU Shichao, PENG Feng, LI Fei, SUN Limin
Journal of Computer Applications 2020, 40 (9): 2650-2656. DOI: 10.11772/j.issn.1001-9081.2019122214
Abstract
The entrapment capability of an industrial control honeypot is strongly influenced by its degree of simulation. Because existing industrial control honeypots lack business-logic simulation, a design framework and an implementation method for a high-interaction Programmable Logic Controller (PLC) honeypot based on industrial control business simulation were proposed. First, a new classification of Industrial Control System (ICS) honeypots was proposed, based on the interaction level of the industrial control system. Then, according to the different simulation dimensions of ICS devices, the honeypot's entrapment process was divided into a process simulation cycle and a service simulation cycle. Finally, to respond in real time with business-logic data, process data was passed to the service simulation cycle through a customized data transfer module. Combining the typical ICS honeypot software Conpot with the modeling and simulation tool Matlab/Simulink, experiments were carried out with a Siemens S7-300 PLC as the reference device, so that information-service simulation and control-process simulation work together. The experimental results show that, compared with Conpot, the proposed PLC honeypot adds 11 proprietary functions of Siemens S7 devices. In particular, the read (function code 04 Read) and write (function code 05 Write) operations among the new functions provide 7-channel monitoring of the PLC's I-area data and 1-channel control of its Q-area data. The new honeypot system goes beyond the limitations of existing interaction levels and methods and points to new directions for ICS honeypot design.
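The following is an added example, not code from the paper or from Conpot, that models the two cycles the abstract describes: a process simulation cycle that keeps the I area (7 input channels) consistent with the Q area (1 output channel), a shared process image standing in for the data transfer module, and a service cycle that answers read (04) and write (05) requests from live process data. The tank model, the channel meanings, the dict-shaped request and response, and the rule that only the Q area is writable are all assumptions of this example; no S7comm wire framing is implemented.

```python
"""Two-cycle PLC honeypot model (constructed example, not the paper's implementation)."""

FUNC_READ, FUNC_WRITE = 0x04, 0x05   # function codes named in the abstract
AREA_I, AREA_Q = "I", "Q"            # input and output areas of the process image


class ProcessImage:
    """Data transfer module: the only state shared between the two cycles."""

    def __init__(self):
        self.I = [0.0] * 7   # 7 monitored input channels (assumed layout below)
        self.Q = [0]         # 1 controllable output channel: Q0 = pump command
        self.write_log = []  # every client write, kept for honeypot forensics

    def area(self, name):
        return {AREA_I: self.I, AREA_Q: self.Q}[name]


def process_step(img, dt=1.0):
    """Process simulation cycle (stand-in for the Simulink model): a tank filled by
    pump Q0 and drained by a fixed outflow. Rewrites the I area from the Q area."""
    pump_on = img.Q[0] == 1
    inflow = 3.0 if pump_on else 0.0
    outflow = 1.0
    level = min(100.0, max(0.0, img.I[0] + (inflow - outflow) * dt))
    img.I[0] = level                            # I0 tank level (%)
    img.I[1] = 1.0 if level >= 90.0 else 0.0    # I1 high-level switch
    img.I[2] = 1.0 if level <= 10.0 else 0.0    # I2 low-level switch
    img.I[3] = inflow                           # I3 inflow meter
    img.I[4] = outflow if level > 0 else 0.0    # I4 outflow meter
    img.I[5] = 1.0 if pump_on else 0.0          # I5 pump running feedback
    img.I[6] = round(20.0 + 0.1 * level, 2)     # I6 pressure derived from level
    return level


def handle_request(img, func, area, channel, value=None):
    """Service simulation cycle: answer one read/write against live process data."""
    try:
        data = img.area(area)
    except KeyError:
        return {"ok": False, "error": "unknown area"}
    if not 0 <= channel < len(data):
        return {"ok": False, "error": "channel out of range"}
    if func == FUNC_READ:
        return {"ok": True, "value": data[channel]}
    if func == FUNC_WRITE:
        if area != AREA_Q:
            # Inputs are produced by the process model; a client may only command outputs.
            return {"ok": False, "error": "area is read-only"}
        data[channel] = int(value)
        img.write_log.append((area, channel, int(value)))
        return {"ok": True}
    return {"ok": False, "error": "unsupported function"}


def scripted_session(ticks=10):
    """A client switches the pump on and polls the level while the process evolves."""
    img = ProcessImage()
    handle_request(img, FUNC_WRITE, AREA_Q, 0, 1)
    levels = []
    for _ in range(ticks):
        process_step(img)
        levels.append(handle_request(img, FUNC_READ, AREA_I, 0)["value"])
    return img, levels


if __name__ == "__main__":
    image, observed = scripted_session()
    print("level after each tick:", observed)
    print("I area:", image.I, "Q area:", image.Q, "writes:", image.write_log)
```

Because each read is served from the process image that the model rewrites every tick, a client that commands the pump sees the level rise on subsequent polls, which is the business-logic consistency a static Conpot response table cannot provide.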
Analysis of attack events based on multi-source alerts
WANG Chunying, ZHANG Xun, ZHAO Jinxiong, YUAN Hui, LI Fangjun, ZHAO Bo, ZHU Xiaoqin, YANG Fan, LYU Shichao
Journal of Computer Applications 2020, 40 (1): 123-128. DOI: 10.11772/j.issn.1001-9081.2019071229
Abstract
To overcome the difficulty of discovering multi-stage attacks from multi-source alerts, an algorithm for mining attack sequence patterns was proposed. Multi-source alerts were normalized into a unified format by matching them against regular expressions. Redundant alert information was compressed, and alerts belonging to the same stage were clustered according to an association rule set trained from strong association rules, which removes redundant alerts efficiently and reduces the number of alerts. A sliding window was then applied to the clustered alerts to obtain the candidate attack event dataset, and the PrefixSpan pattern mining algorithm was used to find the attack sequence patterns of multi-stage attack events. The experimental results show that the proposed algorithm analyzes alert correlation accurately and efficiently and extracts the attack steps of attack events without expert knowledge. Compared with the traditional PrefixSpan algorithm, it improves attack pattern mining efficiency by 48.05%.
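The pipeline in the abstract, as an added example that is not the paper's code: per-source regular expressions normalize constructed alert lines into one format, a compression step drops repeats, a fixed signature-to-stage table stands in for the paper's trained association rules, a per-attacker sliding window yields candidate attack events, and a compact PrefixSpan implementation mines the frequent stage sequences. The alert formats, the stage table, the window and gap sizes, and the sample lines are all constructed for this example.

```python
"""Multi-source alert normalization and PrefixSpan mining (constructed example)."""
import re
from collections import defaultdict

# Constructed alert lines from two hypothetical sensors, not data from the paper.
RAW_ALERTS = [
    ("ids", "100|10.0.0.5|10.0.0.9|PortScan"),
    ("ids", "101|10.0.0.5|10.0.0.9|PortScan"),                 # redundant repeat
    ("waf", "ts=130 client=10.0.0.5 server=10.0.0.9 rule=SQLi"),
    ("ids", "160|10.0.0.5|10.0.0.9|C2Beacon"),
    ("ids", "200|10.0.0.7|10.0.0.9|PortScan"),
    ("waf", "ts=230 client=10.0.0.7 server=10.0.0.9 rule=SQLi"),
    ("ids", "260|10.0.0.7|10.0.0.9|C2Beacon"),
    ("ids", "900|10.0.0.8|10.0.0.9|PortScan"),
]

# One regular expression per source maps its native layout onto the unified fields.
SOURCE_PATTERNS = {
    "ids": re.compile(r"^(?P<ts>\d+)\|(?P<src>[\d.]+)\|(?P<dst>[\d.]+)\|(?P<sig>\w+)$"),
    "waf": re.compile(r"^ts=(?P<ts>\d+) client=(?P<src>[\d.]+) server=(?P<dst>[\d.]+) rule=(?P<sig>\w+)$"),
}

# Stand-in for the paper's trained association-rule set: signature -> attack stage.
STAGE_RULES = {"PortScan": "recon", "SQLi": "exploit", "C2Beacon": "c2"}


def normalize(raw_alerts):
    """Parse every source into (ts, src, dst, stage); drop lines that match no rule."""
    out = []
    for source, line in raw_alerts:
        m = SOURCE_PATTERNS[source].match(line)
        if not m or m["sig"] not in STAGE_RULES:
            continue
        out.append((int(m["ts"]), m["src"], m["dst"], STAGE_RULES[m["sig"]]))
    return sorted(out)


def compress(alerts, gap=60):
    """Drop an alert that repeats a kept alert's (src, dst, stage) within `gap` seconds."""
    kept, last_seen = [], {}
    for ts, src, dst, stage in alerts:
        key = (src, dst, stage)
        if key in last_seen and ts - last_seen[key] <= gap:
            continue
        last_seen[key] = ts
        kept.append((ts, src, dst, stage))
    return kept


def candidate_sequences(alerts, window=120):
    """Per attacker, alerts within `window` seconds of a window's first alert form
    one candidate attack event, represented as its ordered list of stages."""
    by_src = defaultdict(list)
    for ts, src, _dst, stage in alerts:
        by_src[src].append((ts, stage))
    sequences = []
    for src in sorted(by_src):
        current, start = [], None
        for ts, stage in by_src[src]:
            if start is None or ts - start > window:
                if current:
                    sequences.append(current)
                current, start = [], ts
            current.append(stage)
        if current:
            sequences.append(current)
    return sequences


def prefixspan(sequences, min_support):
    """PrefixSpan over single-item elements: returns {pattern tuple: support}."""
    patterns = {}

    def mine(prefix, projected):
        counts = defaultdict(int)
        for seq in projected:
            for item in set(seq):
                counts[item] += 1
        for item in sorted(counts):
            if counts[item] < min_support:
                continue
            new_prefix = prefix + (item,)
            patterns[new_prefix] = counts[item]
            # Project each sequence onto the suffix after the item's first occurrence.
            mine(new_prefix, [seq[seq.index(item) + 1:] for seq in projected if item in seq])

    mine((), sequences)
    return patterns


def mine_attack_patterns(raw_alerts, min_support=2):
    alerts = compress(normalize(raw_alerts))
    return prefixspan(candidate_sequences(alerts), min_support)


if __name__ == "__main__":
    found = mine_attack_patterns(RAW_ALERTS)
    for pattern, support in sorted(found.items(), key=lambda kv: (-len(kv[0]), kv[0])):
        print(support, " -> ".join(pattern))
```

On the constructed input the longest frequent pattern is recon -> exploit -> c2 with support 2; the third attacker contributes only a recon event, so it raises the support of the one-step pattern without creating a spurious longer one.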