CN105743735B - ModbusTcp neural network based communicates deep packet inspection method - Google Patents


Info

Publication number: CN105743735B
Application number: CN201610055875.0A
Authority: CN (China)
Prior art keywords: source port, packet, function code, neural network, port number
Legal status: Expired - Fee Related
Other languages: Chinese (zh)
Other versions: CN105743735A
Inventors: 辛晓帅, 单海超, 邹见效, 徐红兵, 彭超, 张健
Current assignee: University of Electronic Science and Technology of China
Original assignee: University of Electronic Science and Technology of China
Priority date: 2016-01-27
Filing date: 2016-01-27
Publication dates: 2016-07-06 (CN105743735A), 2018-12-18 (CN105743735B)

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00 Arrangements for monitoring or testing data switching networks; H04L43/12 Network monitoring probes
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks; H04L41/14 Network analysis or design; H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L63/00 Network architectures or network communication protocols for network security; H04L63/14 ... for detecting or protecting against malicious traffic; H04L63/1408 ... for detecting or protecting against malicious traffic by monitoring network traffic

Abstract

The invention discloses a neural-network-based deep packet inspection method for ModbusTcp communication. A BP neural network is trained on training samples and then used for detection. The training samples are obtained as follows: N pairs of data packets are extracted; the source port number and function code are extracted from the request packet and from the response packet of each pair; the two source port numbers and two function codes form a sample data queue; the decision value of the sample data queue is determined from the value ranges of the source port numbers and the consistency of the function codes; the normalized sample data queue is used as the input of the BP neural network and the corresponding decision value as its output. During detection, the detection data queue of a request packet and its response packet is extracted, normalized and fed into the BP neural network, which judges whether the current communication is normal. The invention uses the source port number and function code of the data packets as the detection basis and a BP neural network as the detection model, so that problems appearing in the bidirectional data interaction of ModbusTcp communication are detected accurately.

Description

Neural-network-based deep packet inspection method for ModbusTcp communication
Technical field
The invention belongs to the technical field of industrial control information security and, more specifically, relates to a neural-network-based deep packet inspection method for ModbusTcp communication.
Background art
The Modbus protocol is a general-purpose communication protocol that is widely used in the industrial control field today. Through this protocol, controllers can communicate with each other, or with other devices, over a network such as Ethernet. The Modbus protocol uses master-slave communication: a master device actively polls and operates the slave devices. When the protocol is implemented on top of TCP/IP, it is referred to as ModbusTcp communication.
At present, firewall detection techniques are mostly used to ensure the security of ModbusTcp communication networks. Firewall detection mainly inspects information such as the source IP, destination IP, source port, destination port and specific strings, but it does not inspect the interaction process of the data, so the security of that interaction cannot be monitored.
Summary of the invention
The object of the invention is to overcome the deficiencies of the prior art and provide a neural-network-based deep packet inspection method for ModbusTcp communication that accurately detects problems appearing in the bidirectional data interaction of ModbusTcp communication.
To achieve the above object, the neural-network-based deep packet inspection method for ModbusTcp communication of the invention comprises the following steps:
S1: According to the IP addresses of the two devices in ModbusTcp communication, extract the data packets exchanged between the two parties from the communication network, match request packets with response packets according to the information in the packet frame headers, and obtain N pairs of data packets;
S2: According to the data packet format, extract the source port number and the function code from the request packet and from the response packet of each of the N pairs, and form the two source port numbers and two function codes into a sample data queue D_n = {P_n1, C_n1, P_n2, C_n2}, where P_n1 is the source port number of the request packet in the n-th pair, C_n1 the function code of the request packet in the n-th pair, P_n2 the source port number of the response packet in the n-th pair and C_n2 the function code of the response packet in the n-th pair, with n = 1, 2, …, N;
S3: According to the value ranges of the source port numbers of the request packet and the response packet, and the consistency of the function codes of the request packet and the response packet, determine whether the request packet and response packet corresponding to each sample data queue D_n are normal; if normal, set the corresponding decision value V_n = 1, otherwise V_n = 0;
S4: Normalize the source port numbers and function codes of each sample data queue to obtain the normalized sample data queue d_n = {p_n1, c_n1, p_n2, c_n2}; the normalization formula is as follows:
where P_max is the maximum port number specified in the protocol and C_max the maximum function code specified in the protocol;
S5: Construct a BP neural network with 4 input-layer nodes, 1 output-layer node and a number K of hidden-layer nodes determined as needed; use the N sample data queues d_n = {p_n1, c_n1, p_n2, c_n2} as sample inputs and the corresponding decision values V_n as outputs, and train the BP neural network;
S6: When two devices carry out ModbusTcp communication, extract the source port numbers and function codes from the request packet and the response packet and form them into a detection data queue D' = {P'_1, C'_1, P'_2, C'_2}, where P'_1 is the source port number of the request packet, C'_1 the function code of the request packet, P'_2 the source port number of the response packet and C'_2 the function code of the response packet; normalize the detection data queue D' to obtain the normalized detection data queue d' = {p'_1, c'_1, p'_2, c'_2};
Use the normalized detection data queue d' as the input of the trained BP neural network and obtain the corresponding output y_o; if y_o > T, where T is a preset threshold with 0 < T < 1, the current communication is judged normal, otherwise abnormal.
In the neural-network-based deep packet inspection method for ModbusTcp communication of the invention, a BP neural network is trained on training samples and then used for detection. The training samples are obtained as follows: N pairs of data packets are extracted; the source port number and function code are extracted from the request packet and from the response packet of each pair; the two source port numbers and two function codes form a sample data queue; the decision value of the sample data queue is determined from the value ranges of the source port numbers and the consistency of the function codes; the sample data queue is normalized, the normalized sample data queue is used as the input of the BP neural network and the corresponding decision value as the output of the BP neural network. During detection, the detection data queue of a request packet and its response packet is extracted and normalized, and the normalized detection data queue is input to the BP neural network, which judges whether the current communication is normal. The invention uses the source port number and function code of the data packets as the detection basis and a BP neural network as the detection model, so that problems appearing in the bidirectional data interaction of ModbusTcp communication are detected accurately.
Description of the drawings
Fig. 1 is a flow chart of a specific embodiment of the neural-network-based deep packet inspection method for ModbusTcp communication of the invention;
Fig. 2 is a schematic diagram of the BP neural network model.
Specific embodiment
A specific embodiment of the invention is described below with reference to the accompanying drawings so that those skilled in the art can better understand the invention. Note that in the following description, detailed descriptions of known functions and designs are omitted where they would obscure the main content of the invention.
Embodiment
Fig. 1 is a flow chart of a specific embodiment of the neural-network-based deep packet inspection method for ModbusTcp communication of the invention. As shown in Fig. 1, the method comprises the following steps:
S101: Obtain sample data packets:
Because ModbusTcp communication uses a request-response mechanism, whenever either device sends a Modbus request packet a corresponding Modbus response packet is returned, so the invention inspects the data in both directions, which requires extracting each request packet together with its response packet. The communication between the two ModbusTcp devices is therefore monitored first: the packets exchanged between the two parties are extracted from the communication network according to the IP addresses of the two devices, request packets are matched with response packets according to the information in the packet frame headers, and N pairs of data packets are obtained.
S102: Extract port numbers and function codes:
According to the data packet format, the source port number and the function code are extracted from the request packet and from the response packet of each of the N pairs, and the two source port numbers and two function codes are formed into a sample data queue D_n = {P_n1, C_n1, P_n2, C_n2}, where P_n1 is the source port number of the request packet in the n-th pair, C_n1 the function code of the request packet in the n-th pair, P_n2 the source port number of the response packet in the n-th pair and C_n2 the function code of the response packet in the n-th pair, with n = 1, 2, …, N. In the ModbusTcp data packet of the existing protocol, the source port number is 2 bytes and the function code is 1 byte.
S103: Determine the decision value of each data queue:
In the existing protocol, normal communication data has the following characteristics: the source port number of the sent packet (the request packet) is in 1024~65535 and its function code is in 0~127; the source port number of the received packet (the response packet) is 502, its function code is in 0~127, and its function code is the same as the function code of the sent packet. When an error occurs between the two communicating parties and an error report has to be sent, the function code is in 128~255. In an actual ModbusTcp communication system, the ranges of the source port number and the function code can also be subdivided further according to actual needs. From this it can be determined whether the request packet and response packet corresponding to each sample data queue D_n are normal; if normal, the corresponding decision value is set to V_n = 1, otherwise V_n = 0.
It can be seen that the training sample data fall into four classes: ModbusTcp data whose source port numbers and function codes are both normal; data whose source port numbers are normal but whose function codes are inconsistent; data whose source port numbers are abnormal but whose function codes are consistent; and data whose source port numbers and function codes are both abnormal.
S104: Data normalization:
Because the numerical values of source port numbers and function codes differ greatly, if the raw values of the source port number and the function code were used directly as the input of the BP neural network, the influence of the source port number on the output would be far larger than that of the function code; that is, the influence of the function code on the output would be negligible compared with that of the source port number. Data whose source port numbers are correct but whose function codes are inconsistent, or consistent but in the range 128~255, would then easily be judged to be correct data. In a real system, however, the source port number and the function code influence the correctness of the data equally, so the source port numbers and function codes of the sample data queues must be normalized; the normalization formula is as follows:
where P_max is the maximum port number specified in the protocol and C_max the maximum function code specified in the protocol; in the existing protocol P_max = 65535 and C_max = 255. This yields the normalized sample data queue d_n = {p_n1, c_n1, p_n2, c_n2}. The input values obtained in this way for the source port numbers and function codes all lie between 0 and 1, so their influence on the output is equal.
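Steps S101 to S104 as an added example (not code from the patent): it parses constructed Modbus/TCP ADUs, matches request and response by transaction id, assigns the decision value V_n with the step S103 rules and normalizes the queue. The TCP source ports are assumed to be already parsed from the TCP header, and normalization is assumed to be division by P_max and C_max, which the page's definition of those constants and its 0~1 range imply but do not spell out.

```python
"""Builds D_n = {P_n1, C_n1, P_n2, C_n2}, labels it V_n and normalizes it (added example)."""
import struct

P_MAX = 65535          # maximum port number specified in the protocol (page: P_max)
C_MAX = 255            # maximum function code specified in the protocol (page: C_max)
MODBUS_PORT = 502      # response source port of a normal exchange (page, step S103)

# MBAP header: transaction id (2), protocol id (2), length (2), unit id (1); the function code follows
MBAP = struct.Struct(">HHHB")


def parse_adu(adu: bytes):
    """Return (transaction_id, function_code) from a Modbus/TCP ADU, or None if malformed."""
    if len(adu) < MBAP.size + 1:
        return None
    tid, proto, length, _unit = MBAP.unpack_from(adu, 0)
    # protocol id must be 0 for Modbus; length counts the unit id plus the PDU bytes
    if proto != 0 or length != len(adu) - 6:
        return None
    return tid, adu[MBAP.size]


def pair_packets(requests, responses):
    """Match requests with responses by transaction id (the frame-head information of step S101).
    Each element is (tcp_source_port, adu_bytes); returns queues (P_n1, C_n1, P_n2, C_n2)."""
    pending = {}
    for port, adu_bytes in requests:
        parsed = parse_adu(adu_bytes)
        if parsed is not None:
            pending[parsed[0]] = (port, parsed[1])
    queues = []
    for port, adu_bytes in responses:
        parsed = parse_adu(adu_bytes)
        if parsed is not None and parsed[0] in pending:
            p1, c1 = pending.pop(parsed[0])
            queues.append((p1, c1, port, parsed[1]))
    return queues


def decision_value(queue):
    """Step S103: V_n = 1 only if the request port is in 1024..65535, the request function code is
    in 0..127, the response port is 502 and the function codes agree; otherwise V_n = 0.
    An exception response (function code 128..255) therefore also yields 0."""
    p1, c1, p2, c2 = queue
    ok = 1024 <= p1 <= 65535 and 0 <= c1 <= 127 and p2 == MODBUS_PORT and c1 == c2
    return 1 if ok else 0


def normalize(queue):
    """Step S104: scale every element into 0..1 (assumed: divide by P_max / C_max)."""
    p1, c1, p2, c2 = queue
    return (p1 / P_MAX, c1 / C_MAX, p2 / P_MAX, c2 / C_MAX)


def build_training_set(requests, responses):
    """Return [(d_n, V_n), ...], i.e. BP-network input/output pairs for steps S105 and S106."""
    return [(normalize(q), decision_value(q)) for q in pair_packets(requests, responses)]


def adu(tid, function_code, payload=b""):
    """Constructed Modbus/TCP ADU (unit id 1) used for the sample traffic below."""
    pdu = bytes([function_code]) + payload
    return MBAP.pack(tid, 0, len(pdu) + 1, 1) + pdu


# Constructed sample traffic covering the four classes named in step S103
SAMPLE_REQUESTS = [
    (2033, adu(1, 1, b"\x00\x00\x00\x08")),   # read coils; normal pair (Table 1, row 1)
    (8993, adu(2, 1, b"\x00\x00\x00\x08")),   # response will carry a different function code
    (4755, adu(3, 1, b"\x00\x00\x00\x08")),   # response will come from a non-502 port
    (3889, adu(4, 1, b"\x00\x00\x00\x08")),   # response will be an exception (0x81)
]
SAMPLE_RESPONSES = [
    (502, adu(1, 1, b"\x01\x00")),
    (502, adu(2, 2, b"\x01\x00")),
    (7660, adu(3, 1, b"\x01\x00")),
    (502, adu(4, 0x81, b"\x02")),             # function code 1 | 0x80, exception code 2
]

if __name__ == "__main__":
    for d_n, v_n in build_training_set(SAMPLE_REQUESTS, SAMPLE_RESPONSES):
        print(d_n, v_n)
```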
S105: Train the BP neural network:
A BP (Back Propagation) neural network is constructed with 4 input-layer nodes and 1 output-layer node; the number K of hidden-layer nodes is determined as needed and can be calculated by the following formula: K = log2 N. In this embodiment the number of samples is 10000, which gives K = 13. Fig. 2 is a schematic diagram of the BP neural network model. As shown in Fig. 2, x_i (i = 1, 2, 3, 4) denotes the inputs of the BP neural network, ω_ih (h = 1, 2, …, 13) the weights from the input layer to the hidden layer, ω_h1 the weights from the hidden layer to the output layer, and y_1 the output of the system.
The N normalized sample data queues d_n = {p_n1, c_n1, p_n2, c_n2} are used as sample inputs and the corresponding decision values V_n as outputs, and training yields the BP neural network. Training a BP neural network is a common technique and its specific steps are not described here.
S106: Packet detection:
When two devices carry out ModbusTcp communication, the source port numbers and function codes are extracted from the request packet and the response packet and formed into a detection data queue D' = {P'_1, C'_1, P'_2, C'_2}, where P'_1 is the source port number of the request packet, C'_1 the function code of the request packet, P'_2 the source port number of the response packet and C'_2 the function code of the response packet. The detection data queue D' is normalized with the normalization formula of step S104 to obtain the normalized detection data queue d' = {p'_1, c'_1, p'_2, c'_2}.
The normalized detection data queue d' is used as the input of the BP neural network trained in step S105 to obtain the corresponding output y_o; if y_o > T, where T is a preset threshold with 0 < T < 1, the current communication is judged normal, otherwise abnormal. The threshold T controls the sensitivity of error detection; generally T = 0.5 is set.
To illustrate the technical effect of the invention, a simulation verification was carried out with a specific example. First, the ModbusTcp data packets of two communicating devices were captured over a period of time and matched, giving 10000 pairs of data packets. Table 1 shows part of the training data.
Request source port | Request function code | Response source port | Response function code | Decision value
2033 | 1 | 502 | 1 | 1
7044 | 2 | 502 | 2 | 1
3709 | 3 | 502 | 3 | 1
8993 | 1 | 502 | 2 | 0
10372 | 4 | 502 | 3 | 0
4755 | 1 | 7660 | 1 | 0
3855 | 3 | 3566 | 3 | 0
27083 | 5 | 12459 | 5 | 0
20547 | 1 | 1377 | 4 | 0
9004 | 4 | 8940 | 9 | 0
Table 1: part of the training data (source port number and function code of the request packet, source port number and function code of the response packet, decision value)
Each sample data queue is normalized, the normalized sample data queues are used as the input of the BP neural network and the corresponding decision values as its output, and the BP neural network is obtained by learning. In this embodiment the number of hidden-layer nodes of the BP neural network is 13, the error precision of the BP neural network training is e = 0.001, and the maximum number of learning iterations is M = 100000. Table 2 shows part of the weights of the BP neural network.
ω_ih (input layer to hidden layer) | ω_11 = -8.94 | ω_12 = -0.59 | ω_13 = -9.04 | ω_14 = -0.91 | ω_15 = -0.30 | ω_16 = 4.70
ω_h1 (hidden layer to output layer) | ω_11 = 10.24 | ω_21 = 0.96 | ω_31 = 10.95 | ω_41 = 1.91 | ω_51 = 1.02 | ω_61 = -5.42
Table 2: part of the weights of the BP neural network
When two devices carry out ModbusTcp communication, 10 pairs of data packets are extracted to obtain the detection data queues, which are input to the trained BP neural network to obtain its output. With the threshold T = 0.5, when the output value is greater than 0.5 the packet pair is considered normal; otherwise it is considered erroneous. Table 3 shows the detection results for the 10 pairs of data packets.
Request source port | Request function code | Response source port | Response function code | Actual output | Judgement
2037 | 1 | 502 | 1 | 0.999521 | Normal
2076 | 2 | 502 | 2 | 0.999298 | Normal
2103 | 3 | 502 | 3 | 0.999068 | Normal
3889 | 1 | 502 | 223 | 2.85E-09 | Error
4702 | 4 | 502 | 222 | 8.65E-10 | Error
2093 | 1 | 4904 | 1 | 6.07E-05 | Error
2077 | 3 | 5807 | 3 | 4.35E-06 | Error
2235 | 5 | 3731 | 5 | 8.69E-04 | Error
4033 | 1 | 7042 | 252 | 1.15E-10 | Error
4753 | 15 | 8902 | 193 | 9.61E-11 | Error
Table 3: detection results for the 10 pairs of data packets
According to Table 3, the judgement accuracy on the 10 sampled pairs of data packets is 100%, which shows that the neural-network-based deep packet inspection method for ModbusTcp communication of the invention can accurately judge whether the communication is normal.
Although illustrative specific embodiments of the invention have been described above so that those skilled in the art can understand the invention, it should be clear that the invention is not limited to the scope of these specific embodiments. To those of ordinary skill in the art, various changes within the spirit and scope of the invention as defined by the appended claims are apparent, and all innovations and creations that make use of the inventive concept fall within the scope of protection.

Claims (3)

1. A neural-network-based deep packet inspection method for ModbusTcp communication, characterized in that it comprises the following steps:
S1: According to the IP addresses of the two devices in ModbusTcp communication, extract the data packets exchanged between the two parties from the communication network, match request packets with response packets according to the information in the packet frame headers, and obtain N pairs of data packets;
S2: According to the data packet format, extract the source port number and the function code from the request packet and from the response packet of each of the N pairs, and form the two source port numbers and two function codes into a sample data queue D_n = {P_n1, C_n1, P_n2, C_n2}, where P_n1 is the source port number of the request packet in the n-th pair, C_n1 the function code of the request packet in the n-th pair, P_n2 the source port number of the response packet in the n-th pair and C_n2 the function code of the response packet in the n-th pair, with n = 1, 2, …, N;
S3: According to the value ranges of the source port numbers of the request packet and the response packet, and the consistency of the function codes of the request packet and the response packet, determine whether the request packet and response packet corresponding to each sample data queue D_n are normal; if normal, set the corresponding decision value V_n = 1, otherwise V_n = 0;
S4: Normalize the source port numbers and function codes of each sample data queue to obtain the normalized sample data queue d_n = {p_n1, c_n1, p_n2, c_n2}; the normalization formula is as follows:
where P_max is the maximum port number specified in the protocol and C_max the maximum function code specified in the protocol;
S5: Construct a BP neural network with 4 input-layer nodes, 1 output-layer node and a number K of hidden-layer nodes determined as needed; use the N sample data queues d_n = {p_n1, c_n1, p_n2, c_n2} as sample inputs and the corresponding decision values V_n as outputs, and train the BP neural network;
S6: When two devices carry out ModbusTcp communication, extract the source port numbers and function codes from the request packet and the response packet and form them into a detection data queue D' = {P'_1, C'_1, P'_2, C'_2}, where P'_1 is the source port number of the request packet, C'_1 the function code of the request packet, P'_2 the source port number of the response packet and C'_2 the function code of the response packet; normalize the detection data queue D' to obtain the normalized detection data queue d' = {p'_1, c'_1, p'_2, c'_2};
Use the normalized detection data queue d' as the input of the trained BP neural network and obtain the corresponding output y_o; if y_o > T, where T is a preset threshold with 0 < T < 1, the current communication is judged normal, otherwise abnormal.
2. The deep packet inspection method according to claim 1, characterized in that the number K of hidden-layer nodes is calculated by the formula K = log2 N.
3. The deep packet inspection method according to claim 1, characterized in that the threshold T = 0.5.
Publications (2)

Publication number | Publication date
CN105743735A (en) | 2016-07-06
CN105743735B (en) | 2018-12-18




Legal Events

Code | Title
C06 / PB01 | Publication
C10 / SE01 | Entry into substantive examination
GR01 | Patent grant
CF01 | Termination of patent right due to non-payment of annual fee

Granted publication date: 20181218

Termination date: 20220127