Method for Detecting Abnormal Messages of the Modbus TCP Protocol in Industrial Control Networks

Industrial control network systems contain large amounts of complex data, including Modbus message transmission data, TCP/IP host communication behavior data, and industrial control protocol data. This easily causes data redundancy, which reduces the detection accuracy for abnormal messages, increases detection time, and thereby raises the probability of attacks on the industrial control network. To address this, the paper proposes a support vector machine (SVM) based method for detecting abnormal Modbus TCP protocol messages in industrial control networks. SVM is used to establish a hierarchical data model of the industrial control network, Modbus protocol messages are defined in the application layer, and kernel functions are used to discretize non-stationary random Modbus protocol messages, reducing data redundancy in the network. Combined with an m-order Markov sequence, abnormal features are extracted from the discretized Modbus protocol messages in the TCP/IP data link layer, completing Modbus message anomaly detection. Simulation test results show that the proposed method effectively reduces data redundancy: the repeated data storage rate of the industrial control network is 0.39%, the detection accuracy for abnormal Modbus TCP protocol messages is 95.73%, and the detection time for abnormal Modbus TCP protocol messages is 0.5 ms. The method is intended to provide technical support for industrial control network security.

Keywords: industrial control network; Modbus message; TCP/IP; SVM; m-order Markov sequence

Authors: Zhang Fan (张帆), Gao Shan (高山)

China Earthquake Disaster Prevention Center, Beijing 100029

2024

Microcomputer Applications (微型电脑应用)
Shanghai Microcomputer Applications Society (上海市微型电脑应用学会)

CSTPCD
Impact factor: 0.359
ISSN: 1007-757X
Year, volume (issue): 2024, 40(8)