Research And Implementation Of Anomaly Detection Algorithm Based On Modbus/TCP Protocol

Posted on: 2021-08-02
Degree: Master
Type: Thesis
Country: China
Candidate: X D Zhu
GTID: 2518306047981289
Subject: Master of Engineering
Abstract/Summary:
With the development of automation control technology, the network environment of industrial control systems (ICS) has become increasingly open. As the main part of the industrial field, industrial control systems face a more severe security situation. The Modbus/TCP protocol is one of the most important protocols in the industrial field. It is widely used in key infrastructure such as petroleum and power. Malicious attacks on the Modbus/TCP protocol may cause serious security accidents. This paper studies anomaly detection algorithms based on the Modbus/TCP protocol. The main work includes the following three aspects:

(1) Machine learning anomaly detection based on mixed features. Because feature selection for anomaly detection on the Modbus/TCP protocol is limited to either the protocol network attributes or the communication logic attributes, this paper studies machine learning anomaly detection algorithms based on mixed features. We first extract 22 kinds of feature data for principal component analysis, then compare the experimental results of 12 machine learning algorithms on different data sets. By evaluating the F-measure and the time required to build the model, the REP decision tree classification algorithm is selected as the best.

(2) Anomaly detection technology based on timing analysis. Given that time is an essential characteristic of industrial traffic, we analyze the reasons for the stability of ICS network traffic and study anomaly detection technology based on the STAMP algorithm and the LSTM algorithm. For the STAMP algorithm, we propose a matrix distribution evaluation algorithm based on Top-k. Compared to the traditional threshold method, the algorithm can effectively reduce false positive events. The experimental results show that the timing analysis technology based on the STAMP algorithm and the LSTM algorithm has excellent performance in ICS network traffic anomaly detection.

(3) A hybrid model based on a majority voting strategy. Given that abnormal data is scarce and security requirements are high in ICS networks, we build a hybrid model based on a majority voting strategy. The experimental results show that the hybrid model can effectively reduce false negative events compared with the candidate models, and is more suitable for anomaly detection in industrial environments.
Keywords/Search Tags: Industrial Control System, Anomaly Detection, Modbus/TCP, Machine Learning