
Research On Industrial Control Network Intrusion Detection Based On Modbus TCP Protocol

Posted on: 2019-07-07
Degree: Master
Type: Thesis
Country: China
Candidate: Z P Wang
Full Text: PDF
GTID: 2428330551961072
Subject: Control engineering
Abstract/Summary:
Industrial control systems are widely used in key infrastructure such as petrochemicals, electric power, water conservancy, and transportation, which bear on the national economy and people's livelihood. With the increase in attacks on industrial control systems in recent years, research on industrial control network security is necessary to ensure their safe operation. Modbus TCP is widely used in industrial control networks, but it has obvious security defects. Intrusion detection is an effective method of network protection. In this paper, three aspects of intrusion detection technology are studied for the Modbus TCP protocol.

First, a whitelist protection method based on deep packet inspection is applied between the controller and the upper-layer network. Deep packet inspection is used to parse Modbus TCP packets in depth to obtain network data and industrial control data. Whitelist rules are configured, and packets that do not meet the rules raise an alarm.

Second, on the bypass of the industrial control network, network-based anomaly detection is performed with a machine-learning anomaly detection algorithm. Data preprocessing was first performed on the original data containing seven kinds of intrusion attacks, and then 18 characteristic attributes were selected, including various variables that an intrusion attack will cause to change. The classification results of 14 machine learning algorithms were compared across a number of evaluation indicators, and the C4.5 decision tree classification algorithm, which performed best, was selected.

Third, this paper proposes an improved CUSUM anomaly detection method for the state of the controlled object. The difference between the predicted value and the actual value of the object model is used as the detection sequence. An offset constant is then designed according to the 3σ principle, and the threshold value is determined. Attack experiments that inject malicious commands were carried out to verify the performance of the improved CUSUM anomaly detection method.

The results show that whitelist protection based on deep packet inspection can effectively raise alerts on illegal packets. Using the best-performing C4.5 decision tree on the industrial control bypass can effectively detect abnormal network characteristics. For the controlled object state, the improved CUSUM anomaly detection method proposed in this paper can detect abnormality of the controlled object in a short time. Through these three parts of intrusion detection technology, intrusion behavior in industrial control networks using the Modbus TCP protocol can be effectively detected.
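One way the whitelist check on deep-parsed Modbus TCP requests could look, as an added example that is not taken from the thesis. The rule format, IP addresses and sample frames are constructed assumptions; the MBAP header layout follows the Modbus TCP specification.

```python
import struct
from dataclasses import dataclass

# Request function codes whose PDU starts with a 2-byte address and a 2-byte quantity/value.
ADDRESSED = {1, 2, 3, 4, 5, 6, 15, 16}

@dataclass(frozen=True)
class Rule:  # hypothetical rule: which source may use which function on which addresses
    src_ip: str
    unit_id: int
    function: int
    addr_lo: int
    addr_hi: int

def parse_request(frame: bytes) -> dict:
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0")
    if length != len(frame) - 6:  # the length field counts the unit id plus the PDU
        raise ValueError("MBAP length does not match frame size")
    out = {"tid": tid, "unit": unit, "function": frame[7], "address": None, "count": None}
    if out["function"] in ADDRESSED:
        if len(frame) < 12:
            raise ValueError("truncated request PDU")
        addr, second = struct.unpack(">HH", frame[8:12])
        # FC 5 and 6 write a single item: the second field is a value, not a quantity.
        out["address"], out["count"] = addr, 1 if out["function"] in (5, 6) else second
    return out

def check(src_ip: str, frame: bytes, rules) -> str:
    try:
        f = parse_request(frame)
    except ValueError as exc:
        return f"ALERT malformed: {exc}"
    for r in rules:
        if (r.src_ip, r.unit_id, r.function) != (src_ip, f["unit"], f["function"]):
            continue
        if f["address"] is None:
            return "ALLOW"
        last = f["address"] + f["count"] - 1
        if f["count"] >= 1 and r.addr_lo <= f["address"] and last <= r.addr_hi:
            return "ALLOW"
    return f"ALERT not whitelisted: unit={f['unit']} fc={f['function']} addr={f['address']}"

# Constructed sample data: one rule (read holding registers 0-99) and two request frames.
RULES = [Rule("10.0.0.5", 1, 3, 0, 99)]
READ_OK = bytes.fromhex("00010000000601030000000a")  # FC 3, address 0, quantity 10
WRITE = bytes.fromhex("00020000000601060064ffff")    # FC 6, address 100, value 0xFFFF
```

With these rules, `check("10.0.0.5", READ_OK, RULES)` returns `ALLOW`, while the write request, a read that runs past address 99, or a frame whose MBAP length field disagrees with its size each return an `ALERT` string.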
Keywords/Search Tags: industrial control system, Modbus TCP, intrusion detection, anomaly detection, deep packet inspection, CUSUM