Neural-network-based Modbus Tcp communication deep packet inspection method

Abstract

The invention discloses a neural-network-based Modbus Tcp communication deep packet inspection method. A back propagation (BP) neural network is obtained by training of a training sample to perform inspection; a training sample obtaining method comprises the steps: obtaining N pairs of data packets by extraction, respectively extracting source port numbers and function codes of request packets and response packets in the data packets, forming a sample data queue by utilizing two groups of the source port numbers and two groups of the function codes, obtaining a decision value of the sample data queue according to value ranges of the source port numbers and consistency of the function codes, normalizing the sample data queue, utilizing the normalized sample data queue as an input of the BP neural network, and utilizing the corresponding decision value as an output; and during inspection, obtaining a inspection data queue of the request packets and the response packets by extraction, normalizing the inspection data queue, inputting the normalization result into the BP neural network, and judging whether the current communication is normal. According to the neural-network-based Modbus Tcp communication deep packet inspection method, the source port numbers and the function codes of the data packets are utilized as inspection bases, and the BP neural network is utilized as an inspection model, thereby implementing accurate inspection of problems which occur during bidirectional data interaction in Modbus Tcp communication.

Description

technical field [0001] The invention belongs to the technical field of industrial control information security, and more specifically relates to a neural network-based ModbusTcp communication depth packet detection method. Background technique [0002] Modbus protocol is a general communication protocol that has been widely used in today's industrial control field. Through this protocol, controllers can communicate with each other, or controllers can communicate with other devices via a network (such as Ethernet). The Modbus protocol uses master-slave communication technology, that is, the master device actively queries and operates the slave device. When the protocol is implemented based on the TCP / IP protocol, it is called ModbusTcp communication. [0003] At present, in the ModbusTcp communication network, in order to ensure the security of ModbusTcp communication, firewall detection technology is mostly used. The firewall detection technology mainly detects informatio...

AI Technical Summary

Problems solved by technology

The firewall detection technology mainly detects information such as source IP, destination IP, source port, destination port, and specific character strings, but it does not detect the data interaction process, and cannot perform security monitoring on the data interaction process

Images