| Along with the informationization advancement, openness of the industrial control system is more and more strong. Modbus TCP is a typical protocol in the industrial control system, but due to the vulnerability of the protocol itself, security protection for the Modbus protocol is particularly important.This paper analyzes the security flaw of the Modbus TCP protocol, use deep packet inspection technology to detect Modbus TCP protocol from the link layer to the application layer, and then design the deep packet filter model and anomaly detection method. The deep packet inspection model based on the white list model, provides the MAC address, IP address, port, protocol identifier, function code, equipment identifier,data address and data content and other rules options. The rules in the white list can be configured according to the user's requirements. Further depth detection using the method of anomaly detection, select function code and the starting address of the coil or register as a characteristic, summarize the Modbus communication traffic patterns, and then establish an anomaly detection model. This paper also proposes a deep packet detection method based on bidirectional access of the Modbus/TCP protocol, which only needs to detect two packets to realize the anomaly detection of Modbus/TCP function code.At the end of this paper, by extending the Netfliter/iptables firewall framework of Linux system, realize the deep packet detection and filtering of the Modbus TCP protocol. The implementation and verification of anomaly detection model are carried out to prove the effectiveness. |
PDF Full Text Request