A method and system for detecting abnormal communication of modbus TCP based on multiple groups

Abstract

The invention discloses a multi-group-based Modbus TCP abnormal communication detection method, comprising: obtaining connections from an industrial control network, each connection containing a plurality of Modbus TCP data packets, and dividing the data packet flow according to unit time to obtain multiple sequence of data packets. Analyze each Modbus TCP data packet in the data packet sequence, and extract multiple function codes, coil addresses, and data lengths. In a data packet sequence, each function code corresponds to multiple data packets, and the data packets with the same function code are classified into one category. For each type of data packet, the data length in the data packet is accumulated, summed and averaged. , each function code can correspond to the average data length of a data packet, and the tuple group C is obtained 1 ;Each function code corresponds to multiple coil addresses. The invention solves the technical problem that the prior art only extracts the two features of the Modbus TCP function code and the coil address, resulting in insufficient flow feature extraction and low detection accuracy.

Description

technical field [0001] The invention belongs to the field of industrial network information security, and more specifically relates to a multi-group-based ModbusTCP abnormal communication detection method and system. Background technique [0002] With the advent of the industrial Internet era, more and more industrial control networks are connected to public networks such as the Internet. It is inevitable to start thinking about how to have better security for the industrial control network, so as to resist the complex environment. Internet cyber attack. Moreover, the equipment in the industrial control network usually plays an important role, and users have extremely high requirements on the stability and reliability of the equipment. If the industrial network is attacked, it may affect the normal operation of the industrial control equipment, and even bring users Huge loss. The Modbus TCP protocol is widely used in the field of industrial control. Its security is of grea...

AI Technical Summary

Problems solved by technology

[0004] For the above defects or improvement needs of the prior art, the present invention provides a multi-group based ModbusTCP abnormal communication detection method and system, the purpose of which is to consider the function code and coil address and the function code and The relevance of the data length, extracting two sets of related tuples from the data packet, solving the technical problem of insufficient extraction of connection features existing in the existing PSO-SVM-based Modbus TCP communication anomaly detection method, and the existing decision-based The communication anomaly detection method of the tree does not consider the correlation between data packets and the combination characteristics of function codes, resulting in the technical problem of low detection results, and the existing single-class support vector machine algorithm is too complicated for data processing. Therefore, the technical problem of real-time communication is reduced

Images