Research On Anomaly Detection Of Modbus TCP/IP Protocol In SCADA Systems

Posted on: 2018-08-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y Q Cai
GTID: 2348330512493162
Subject: Electronic and communication engineering
Abstract/Summary:
Supervisory Control And Data Acquisition (SCADA) is a production control system used in power, transportation, oil and other important industries. Keeping SCADA operating safely and stably is an important guarantee for national economic growth. With the continuous development of the Internet of Things and embedded technology, SCADA systems have become increasingly open, and the network security issues that exist in them have become increasingly prominent. Modbus TCP/IP, a typical communication protocol in SCADA, is easily attacked and therefore prone to security problems. In order to discover security threats to Modbus TCP/IP systems in time, this thesis studies anomaly detection in SCADA systems that use the Modbus TCP/IP protocol. The main work includes the following three aspects:

(1) In the data preprocessing phase of anomaly detection, the thesis takes Modbus TCP/IP as the research object and selects the function code and the register starting address as features. It then converts continuous Modbus TCP/IP traffic into a sequence of combinations of function code and register starting address. The thesis proposes a frequency feature vector construction method that transforms sequences containing different numbers of function codes and register starting addresses into vectors of the same length, and that describes the traffic characteristics of the Modbus TCP/IP communication sequence.

(2) Because data in a SCADA system is mostly normal and abnormal samples are lacking, this thesis designs an anomaly detection model based on a one-class support vector machine. By training on sequences of normal combinations of function code and register starting address, the model establishes a profile of normal communication behavior and can then identify abnormal traffic that does not conform to the communication pattern. We acquire traffic by using Modbus Slave and Modbus Poll to simulate Modbus TCP/IP, and then simulate and verify the model. The results show that, compared with the traditional support vector machine, the standard RBF algorithm and the BP neural network algorithm, the one-class support vector machine has the highest classification and recognition accuracy and the lowest false positive rate of the four algorithms. The model effectively reduces the intrusion detection false alarm rate.

(3) The thesis selects the function code and the register address in the Modbus TCP/IP sequence as combined features, and establishes the model by using the sliding window technique to construct the frequency feature vector. The experimental results show that a sliding window length of l=5 accurately describes the traffic characteristics of Modbus TCP/IP communication. Compared with an anomaly detection model based on the function code sequence alone, the model proposed in this thesis is more accurate than the model built on the single function code feature. The model can effectively identify abnormal Modbus TCP/IP traffic and attack behaviors with unknown characteristics.
Keywords/Search Tags:Industrial Control System, SCADA System, Modbus TCP/IP Protocol, Anomaly Intrusion, Frequency Feature Vector, One-class Support Vector Machine
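
An added example, not code from the thesis: it parses Modbus TCP request ADUs into (function code, register starting address) pairs and builds sliding-window frequency vectors with l=5, as described in parts (1) and (3). The thesis does not give its exact construction, so the vocabulary learned from normal traffic, the extra slot for pairs never seen in training, all function names and the sample traffic are assumptions; the resulting vectors are what a one-class model would be trained on.

```python
import struct
from collections import Counter

NO_ADDR = -1  # assumed placeholder for function codes without an address field
ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16}  # PDU layout: function code, 2-byte address

def make_request(tid, fc, addr, value, unit=1):
    """Build a constructed Modbus TCP request ADU (MBAP header + PDU)."""
    pdu = struct.pack(">BHH", fc, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_request(adu):
    """Return (function_code, start_address), or None for a malformed ADU."""
    if len(adu) < 8:
        return None
    _tid, proto, length, _unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:  # MBAP length counts unit id + PDU
        return None
    fc = adu[7]
    if fc in ADDRESSED and len(adu) >= 10:
        return fc, struct.unpack(">H", adu[8:10])[0]
    return fc, NO_ADDR

def to_symbols(adus):
    """Turn captured ADUs into the feature sequence, skipping malformed frames."""
    return [s for s in map(parse_request, adus) if s is not None]

def build_vocab(symbols):
    """Index every (function code, address) pair seen in normal traffic."""
    return {s: i for i, s in enumerate(sorted(set(symbols)))}

def frequency_vectors(symbols, vocab, l=5):
    """One fixed-length vector per sliding window; last slot counts unseen pairs."""
    vectors = []
    for i in range(len(symbols) - l + 1):
        vec = [0.0] * (len(vocab) + 1)
        for sym, n in Counter(symbols[i:i + l]).items():
            vec[vocab.get(sym, len(vocab))] += n / l
        vectors.append(vec)
    return vectors

# Constructed traffic: a 3-request polling cycle, then the same cycle with one
# read of holding registers (function code 3) at an address never polled.
CYCLE = [(3, 0, 10), (1, 0, 8), (4, 100, 4)]
NORMAL = [make_request(t, *CYCLE[t % 3]) for t in range(12)]
SUSPECT = [make_request(t, *r) for t, r in enumerate(CYCLE + [(3, 500, 10)] + CYCLE)]

VOCAB = build_vocab(to_symbols(NORMAL))
TRAIN = frequency_vectors(to_symbols(NORMAL), VOCAB)   # input for a one-class model
CHECK = frequency_vectors(to_symbols(SUSPECT), VOCAB)  # windows to be scored
```

In the constructed suspect traffic the function code sequence alone contains only codes seen in training; the read at address 500 only shows up because the address is part of the feature.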