Centre pour la Communication Scientifique Directe (CCSD)
Abstract
Cyber-physical honeynets are increasingly deployed to study adversarial behavior in operational technology (OT) and industrial control systems (ICS), yet their effectiveness depends on their perceived realism. This work presents a multi-stage research program that systematically characterizes, measures, and quantifies the realism of cyber-physical honeynets against advanced attackers. First, we conduct two systematic literature reviews: one on cyber-physical honeynets, producing an updated taxonomy and a reference architecture, and another on anti-honeypot techniques, revealing a critical gap between academic detection methods and real-world adversarial practices. We then empirically investigate attacker behavior through a large-scale Capture-the-Flag (CTF) experiment, analyzing 8,544 shell commands to identify real-world anti-honeypot strategies and behavioral indicators of perceived authenticity. Building on these insights, we propose a novel evaluation methodology that uses real threat actors and ICS-targeting malware to derive quantitative metrics of honeypot realism. Finally, we outline the design of an automated pentesting framework that operationalizes validated detection techniques to compute a reproducible Realism Score for heterogeneous honeypot deployments.