Research On Modbus/TCP Anomaly Detection Approach Based On Behavior Characteristics

Posted on: 2022-03-23
Degree: Master
Type: Thesis
Country: China
Candidate: J F Li
GTID: 2518306320475474
Subject: Computer software and theory

Abstract/Summary:
At present, Industrial Control Systems (ICSs) are widely used in key fields and industries of national production and development. However, with the close integration of industrialization and information technology, industrial control systems face more and more targeted attacks and Advanced Persistent Threats (APTs), which are persistent over time, combine multiple means and pursue specific targets. Traditional IT information security technology is not well suited to industrial control systems. Therefore, based on the uniqueness of the industrial control system, this paper takes the typical industrial Modbus/TCP control network as the research object, proposes a communication anomaly detection method based on behavior characteristics, completes the feature extraction of industrial communication behavior, and designs the corresponding anomaly detection engine, so as to discriminate and detect abnormal industrial communication behavior.

Firstly, this paper classifies the communication behaviors in a Modbus/TCP industrial network and extracts the characteristics of the different communication behaviors. For Modbus/TCP function control behavior, a feature extraction method based on weighted correlation analysis is proposed, which analyzes the distribution and correlation of each function code in the sequence. For Modbus/TCP process data behavior, which is periodic and time-ordered, a feature extraction method based on multivariate analysis is proposed, which analyzes the complexity of each process data sequence in different dimensions and at different scales.

Secondly, based on the two kinds of Modbus/TCP industrial communication behavior characteristics extracted above, this paper proposes a Support Vector Machine (SVM) anomaly detection method with improved parameter optimization. In this method, SVM is used as the anomaly detection classifier, and an improved Artificial Bee Colony (ABC) algorithm is designed to optimize its parameters, giving a dynamically adjusted ABC-SVM anomaly detection engine based on double mutation. It can effectively detect abnormal behavior in Modbus/TCP industrial communication.

Finally, a simulated Modbus/TCP industrial control network is built as the experimental environment, and the behavior feature extraction method and anomaly detection engine proposed in this paper are verified and analyzed. A large number of experimental results show that, compared with different anomaly detection methods and different parameter optimization methods, the detection method proposed in this paper has higher classification accuracy and lower detection time in the anomaly detection of both function control behavior and process data behavior.
Keywords/Search Tags:Modbus/TCP, Function code weight, Correlation analysis, Multivariate analysis, Improved ABC parameter optimization, SVM Anomaly detection
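
To make the function-control features concrete, the following added example (not code from the thesis) parses Modbus/TCP frames, pulls out the function-code sequence, and turns one window of it into a numeric vector that a classifier such as an SVM could consume. The thesis's weighting scheme is not given on this page, so plain code frequencies and adjacent-pair rates stand in for it; the helper names and the sample traffic are constructed for illustration.

```python
import struct
from collections import Counter

MBAP = struct.Struct(">HHHB")  # transaction id, protocol id, length, unit id

def build_adu(tid, unit, fc, data=b""):
    """Build one Modbus/TCP ADU; used here only to construct sample traffic."""
    # The length field counts the unit id, the function code and the data.
    return MBAP.pack(tid, 0, len(data) + 2, unit) + bytes([fc]) + data

def function_codes(stream):
    """Return the function code of every complete ADU in a TCP byte stream."""
    codes, off = [], 0
    while off + MBAP.size + 1 <= len(stream):
        _tid, proto, length, _unit = MBAP.unpack_from(stream, off)
        if proto != 0 or not 2 <= length <= 254:
            raise ValueError(f"malformed MBAP header at offset {off}")
        end = off + 6 + length
        if end > len(stream):
            break  # trailing frame is truncated; wait for more bytes
        codes.append(stream[off + MBAP.size])
        off = end
    return codes

def window_features(codes, alphabet):
    """Frequency of each code, then rate of each adjacent (a, b) pair."""
    if not codes:
        raise ValueError("empty window")
    freq = Counter(codes)
    pairs = Counter(zip(codes, codes[1:]))
    n_pairs = max(len(codes) - 1, 1)
    dist = [freq[c] / len(codes) for c in alphabet]
    trans = [pairs[(a, b)] / n_pairs for a in alphabet for b in alphabet]
    return dist + trans

# Constructed sample: a polling loop of reads (3, 4) with one write (16).
# The 4-byte payload is a placeholder; only the header and code are parsed.
SAMPLE_CODES = [3, 3, 4, 3, 3, 16, 3, 3]
SAMPLE = b"".join(build_adu(i, 1, fc, b"\x00\x00\x00\x02")
                  for i, fc in enumerate(SAMPLE_CODES))

if __name__ == "__main__":
    feats = window_features(function_codes(SAMPLE), alphabet=[3, 4, 16])
    print([round(x, 3) for x in feats])
```

A window whose code mix or ordering departs from the polling pattern yields a vector far from those seen in training, which is the signal a behavior-based detector relies on.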