CN112968906A - Modbus TCP abnormal communication detection method and system based on multi-tuple - Google Patents


Info

Publication number
CN112968906A
Authority
CN
China
Prior art keywords
modbus tcp
data packet
tuple
data
itree
Legal status
Granted
Application number
CN202110316520.3A
Other languages
Chinese (zh)
Other versions
CN112968906B (en)
Inventor
李肯立
李政
余思洋
周旭
刘楚波
段明星
李克勤
唐伟
黎东
Current Assignee
Hunan Kuangan Network Technology Co ltd
Original Assignee
Hunan Kuangan Network Technology Co ltd
Hunan University
Application filed by Hunan Kuangan Network Technology Co ltd and Hunan University
Priority to CN202110316520.3A
Publication of CN112968906A
Application granted
Publication of CN112968906B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/142 Network analysis or design using statistical or mathematical methods
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Abstract

The invention discloses a Modbus TCP abnormal communication detection method based on multi-tuples, comprising the following steps. Connections are acquired from an industrial control network, each connection comprising a plurality of Modbus TCP data packets, and the packet flow is segmented by unit time to obtain a plurality of packet sequences. Each Modbus TCP packet in a packet sequence is parsed, and the function codes, coil addresses and data lengths in the sequence are extracted. Within a packet sequence each function code corresponds to a plurality of packets; packets with the same function code are grouped into one class, and for each class the data lengths of its packets are summed and averaged, so that each function code corresponds to one average packet data length, giving the multi-tuple C_1. Each function code also corresponds to a plurality of coil addresses, from which the multi-tuple C_2 is built. The method solves the problem that the prior art extracts only the two features of the Modbus TCP function code and coil address, which results in insufficient extraction of flow characteristics and low detection precision.

Description

Modbus TCP abnormal communication detection method and system based on multi-tuple
Technical Field
The invention belongs to the field of industrial network information security, and particularly relates to a Modbus TCP abnormal communication detection method and system based on a multi-tuple.
Background
With the advent of the industrial internet era, more and more industrial control networks are connected to public networks such as the internet, so how to give industrial control networks better security against network attacks from the complex internet environment inevitably has to be considered. Moreover, the devices in an industrial control network generally play an important role and users have extremely high requirements on their stability and reliability; if the industrial network is attacked, the normal operation of the industrial control devices may be affected, and users may even suffer huge losses. The Modbus TCP protocol is widely applied in the field of industrial control, so its security is of great significance to the industrial control network, and since the characteristics of Modbus TCP allow it to be exposed to the internet, the probability of network attack is higher.
For Modbus TCP communication anomaly detection, people are no longer satisfied with traditional anomaly detection algorithms, and with the rapid development of machine learning many have begun to apply machine-learning-based anomaly detection to Modbus TCP communication. Shanghai et al. propose a Modbus TCP communication anomaly detection method based on PSO-SVM that considers the time sequence of function codes, but detecting the function code sequence alone extracts the features of a connection insufficiently. Chenxinlong et al. adopt a communication anomaly detection method based on a decision tree, using the decision tree to judge the function codes and coil addresses of the packets in a connection; this reduces algorithm time complexity and detection delay, but only the function code and coil address of single packets are judged, and neither the relevance among packets nor the combination characteristics of function codes are considered, so detection accuracy is lower. Li Chao et al. propose a one-class support vector machine algorithm that uses the combination of function code and coil address of a connection as the feature; it is effective for detecting abnormal connections, but the data processing is too complex and the real-time performance of communication is reduced.
Disclosure of Invention
The invention provides a method and a system for detecting abnormal Modbus TCP communication based on multi-tuples, aiming to solve the technical problems that the existing PSO-SVM-based method extracts insufficient features from a connection, that the existing decision-tree-based method does not consider the relevance between packets or the combination characteristics of function codes, so that its detection accuracy is low, and that the existing one-class support vector machine algorithm processes data too complexly, so that communication real-time performance is reduced.
To achieve the above object, according to one aspect of the present invention, there is provided a method for detecting abnormal Modbus TCP communication based on multi-tuples, including the following steps:
(1) Obtain Modbus TCP connections from the industrial internet, divide the Modbus TCP data packets by unit time to obtain a plurality of packet sequences, and parse each Modbus TCP packet in each sequence to obtain its function code, coil address and data length.
(2) Process the function codes, coil addresses and data lengths of the Modbus TCP packets obtained in step (1) to obtain the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets.
(3) Input the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets into the trained anomaly detection models M_1 and M_2 respectively to obtain the outputs E(h_1(C_1)) and E(h_2(C_2)), and from them the connection anomaly probability value
[equation image not reproduced: Score, computed from E(h_1(C_1)) and E(h_2(C_2))]
and judge whether the connection is abnormal according to this value, where h_1(C_1) is the number of edges from the root node to the external node in which C_1 falls when C_1 traverses each iTree_1n, h_2(C_2) is the number of edges from the root node to the external node in which C_2 falls when C_2 traverses each iTree_2n, E() denotes averaging, iTree_1n is the nth isolation tree of anomaly detection model M_1, and iTree_2n is the nth isolation tree of anomaly detection model M_2.
Preferably, if the connection anomaly probability value Score is less than 0.25 the connection is judged abnormal; otherwise the connection is normal.
Preferably, each packet sequence contains a plurality of Modbus TCP data packets, the MBAP header of each Modbus TCP packet contains the data length of the packet, and the PDU of each Modbus TCP packet contains the function code field and the coil address of the packet.
Preferably, step (2) comprises the sub-steps of:
(2-1) determining the number of elements n of the multi-tuples C_1 and C_2 according to the total number of Modbus function codes actually used by the client;
(2-2) generating the multi-tuple C_1 = (a_1, a_2, a_3, ..., a_n) according to the n determined in step (2-1), where a_i is the ith element of C_1 and i ∈ [1, n];
(2-3) generating the multi-tuple C_2 = (b_1, b_2, b_3, ..., b_n) according to the n determined in step (2-1).
Preferably, each element a_i of the multi-tuple C_1 is calculated by the following formula:
a_i = SUM(g_1(i)) / NUM(g_1(i))
where g_1(i) is the function code corresponding to the ith element a_i of C_1, SUM(g_1(i)) is the sum of the data lengths of all packets in the current packet sequence carrying the function code g_1(i), and NUM(g_1(i)) is the total number of packets in the current packet sequence carrying the function code g_1(i).
Preferably, each element b_i of the multi-tuple C_2 is calculated by the following formulas:
E = Addr(g_2(i))
b_i = e_1 XOR e_2 XOR ... XOR e_k, where E = {e_1, e_2, ..., e_k} (b_i = 0x0000 if E is empty)
where g_2(i) is the mapping from the ith element b_i of C_2 to its corresponding function code, and Addr(g_2(i)) is the set of coil addresses of all packets in the current packet sequence carrying the function code g_2(i).
Preferably, the anomaly detection models M_1 and M_2 are both iForest models, and they are obtained by training with the following steps:
(3-1) obtaining Modbus TCP connections from the industrial internet, each comprising a plurality of Modbus TCP data packets, dividing the packets by unit time to obtain a plurality of packet sequences, converting each packet sequence into a multi-tuple according to step (2-2) and combining all the resulting multi-tuples into the training set SET_1 = {C_11, C_12, C_13, C_14, ...}, and converting each packet sequence into a multi-tuple according to step (2-3) and combining the resulting multi-tuples into the training set SET_2 = {C_21, C_22, C_23, C_24, ...};
(3-2) for anomaly detection model M_1, randomly selecting ψ sample points from the training set SET_1 as a subsample and placing it at the root node iNode_1n of the first isolation tree iTree_1 (where iNode_1n is the child node generated by the nth iteration of iTree_1); for anomaly detection model M_2, randomly selecting ψ sample points from the training set SET_2 as a subsample and placing it at the root node iNode_2n of the second isolation tree iTree_2 (where iNode_2n is the child node generated by the nth iteration of iTree_2); the number of sample points ψ equals 256;
(3-3) for anomaly detection model M_1, randomly selecting an attribute q_1 from the attribute set Q_1 of the subsample (where Q_1 is the set of function codes corresponding to the multi-tuple C_1) and randomly generating a cut point p_1 ∈ [length_min, length_max] in the current node data, where length_min is the minimum Modbus TCP packet length, length_min = 6, and length_max is the maximum Modbus TCP packet length, length_max = 253; for anomaly detection model M_2, randomly selecting an attribute q_2 from the attribute set Q_2 of the subsample (where Q_2 is the set of function codes corresponding to the multi-tuple C_2) and randomly generating a cut point p_2 ∈ [0x0000, 0xFFFF] in the current node data;
(3-4) for anomaly detection model M_1, dividing the subsample into left and right subtrees by the cut point p_1: all tuples C_1x whose attribute value VAL(q_1) is less than p_1 are placed in the left child node iNode_1(n+1) of the current node iNode_1n, and all tuples C_1x whose attribute value VAL(q_1) is greater than or equal to p_1 are placed in the right child node iNode_1(n+1) of the current node iNode_1n; for anomaly detection model M_2, dividing the subsample into left and right subtrees by the cut point p_2: all tuples C_2x whose attribute value VAL(q_2) is less than p_2 are placed in the left child node iNode_2(n+1) of the current node iNode_2n, and all tuples C_2x whose attribute value VAL(q_2) is greater than or equal to p_2 are placed in the right child node iNode_2(n+1) of the current node iNode_2n;
(3-5) for anomaly detection models M_1 and M_2, recursing steps (3-3) and (3-4) in the child nodes to generate new child nodes iteratively until a child node contains only one data point or the height of the tree reaches the height limit l;
(3-6) repeating steps (3-2) to (3-5) 100 times to obtain the trained anomaly detection models M_1 and M_2, where iForest_1 and iForest_2 denote the two isolation forests respectively.
According to another aspect of the present invention, there is provided a multi-tuple-based Modbus TCP abnormal communication detection system, including:
a first module for obtaining Modbus TCP connections from the industrial internet, each comprising a plurality of Modbus TCP data packets, dividing the Modbus TCP data packets by unit time to obtain a plurality of packet sequences, and parsing each Modbus TCP packet in each sequence to obtain its function code, coil address and data length;
a second module for processing the function codes, coil addresses and data lengths of the Modbus TCP packets obtained by the first module to obtain the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets;
a third module for inputting the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets into the trained anomaly detection models M_1 and M_2 respectively to obtain the outputs E(h_1(C_1)) and E(h_2(C_2)), computing from them the connection anomaly probability value
[equation image not reproduced: Score, computed from E(h_1(C_1)) and E(h_2(C_2))]
and judging whether the connection is abnormal according to this value, where h_1(C_1) is the number of edges from the root node to the external node in which C_1 falls when C_1 traverses each iTree_1n, h_2(C_2) is the number of edges from the root node to the external node in which C_2 falls when C_2 traverses each iTree_2n, E() denotes averaging, iTree_1n is the nth isolation tree of anomaly detection model M_1, and iTree_2n is the nth isolation tree of anomaly detection model M_2.
In general, compared with the prior art, the above technical solution contemplated by the present invention can achieve the following beneficial effects:
(1) Because the invention adopts step (1), it fully considers the relevance between function code and coil address and between function code and data length in Modbus TCP packets, and so solves the technical problem that prior-art Modbus TCP anomaly detection based only on function code and coil address extracts insufficient features.
(2) Because the invention adopts step (2), the function code and the average data length are mapped into one tuple and the XOR of the coil addresses corresponding to each function code is mapped into another, which solves the technical problem that existing detection techniques based on function code sequences do not consider the combined characteristics of data length and coil address under different function codes.
(3) Because the invention adopts step (3), real-time detection of abnormal communication is performed with a dual iForest model that is easy to deploy on a parallel computing platform, which solves the technical problem of the high time delay caused by existing detection techniques based on a single, highly complex detection model.
Drawings
FIG. 1 is a flowchart of a Modbus TCP abnormal communication detection method based on multiple tuples.
FIG. 2 is a flow chart of a multi-tuple generating process of the Modbus TCP abnormal communication detection method based on multi-tuple.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. In addition, the technical features involved in the embodiments of the present invention described below may be combined with each other as long as they do not conflict with each other.
The basic idea of the invention is to extract the features of the packet sequences in a Modbus TCP connection while considering the relevance between function code and coil address and between function code and data length in the packets, so that the different coil address combinations and different average packet sizes under different function codes are reflected. To this end, the packets in a single packet sequence are classified by function code, and two features are obtained for each function code: the average data length and the XOR combination of the binary coil addresses. This solves the technical problem of the prior art, which extracts only the two features of function code and coil address from a Modbus TCP packet sequence, so that flow characteristics are extracted insufficiently and detection precision is low. On this basis a multi-tuple-based Modbus TCP abnormal communication detection method is provided.
As shown in fig. 1, the present invention provides a multi-tuple based Modbus TCP abnormal communication detection method, which includes the following steps:
(1) Obtain Modbus TCP connections from the industrial internet, divide the Modbus TCP data packets by unit time to obtain a plurality of packet sequences, and parse each Modbus TCP packet in each sequence to obtain its function code, coil address and data length.
Specifically, each packet sequence comprises a plurality of Modbus TCP packets; the Modbus Application Protocol header (MBAP) of each packet carries the data length of the packet, and the Protocol Data Unit (PDU) of each packet carries the function code field and the coil address.
Step (1) has the advantage that, besides the function code and coil address of the packets in a Modbus TCP connection, the data length of the packets is also considered, so the current connection state is reflected better.
(2) Process the function codes, coil addresses and data lengths of the Modbus TCP packets obtained in step (1) to obtain the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets.
As shown in fig. 2, this step includes the following sub-steps:
(2-1) Determine the number of elements n of the multi-tuples C_1 and C_2 according to the total number of Modbus function codes actually used by the client.
Specifically, the Modbus standard defines 21 function codes (1-21), reserves 43 function codes (22-64) for extended functions, reserves 8 function codes (65-72) for user functions, treats 47 codes (73-119) as illegal, reserves 8 codes (120-127) for internal functions, and reserves 128 codes (128-255) for exception responses. (The current Modbus Application Protocol specification partitions the range differently: public codes 1-64, 73-99 and 111-127, user-defined codes 65-72 and 100-110, and exception responses formed by adding 0x80 to the request's function code; the set of codes a client actually uses should therefore be taken from observed traffic rather than from either table.)
For example, if in the Modbus TCP communication of a certain factory the function codes used by the client are 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x15 and 0x16, a tuple C = (a_1, a_2, a_3, ..., a_n) is set up in which a_1 corresponds to 0x01, a_2 corresponds to 0x02, and so on, with n = 8. Thus a_1 corresponds to the first function code 0x01, and its value is determined by all packets with function code 0x01 in the current packet sequence.
(2-2) Generate the multi-tuple C_1 = (a_1, a_2, a_3, ..., a_n) according to the n determined in step (2-1), where a_i is the ith element of C_1 and i ∈ [1, n].
More specifically, each element a_i of the multi-tuple C_1 is calculated by the following formula:
a_i = SUM(g_1(i)) / NUM(g_1(i))
where g_1(i) is the function code corresponding to the ith element a_i of C_1, SUM(g_1(i)) is the sum of the data lengths of all packets in the current packet sequence carrying the function code g_1(i), and NUM(g_1(i)) is the total number of packets in the current packet sequence carrying the function code g_1(i).
(2-3) Generate the multi-tuple C_2 according to the n determined in step (2-1):
C_2 = (b_1, b_2, b_3, ..., b_n).
More specifically, each element b_i of the multi-tuple C_2 is calculated by the following formulas:
E = Addr(g_2(i))
b_i = e_1 XOR e_2 XOR ... XOR e_k, where E = {e_1, e_2, ..., e_k}
where g_2(i) is the mapping from the ith element b_i of C_2 to its corresponding function code, and Addr(g_2(i)) is the set of coil addresses of all packets in the current packet sequence carrying the function code g_2(i).
If the current packet sequence contains no packet with function code g_2(i), Addr() returns 0x0000 and b_i = 0x0000; otherwise b_i equals the result of XORing the binary bits of all coil addresses in E.
Step (2) has the advantage that the function codes are placed implicitly under the different elements of the tuples, i.e. the value of each element is calculated from the packets carrying one specific function code, so the combined characteristics of data length and coil address under the different function codes are fully reflected.
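Steps (1) and (2) in working form, as an added Python example written for this page and not code from the patent or its assignees: it parses constructed Modbus TCP request frames, takes the data length from the MBAP length field and the function code and starting address from the PDU, and builds C_1 (mean length per function code) and C_2 (XOR of coil addresses per function code) for one packet sequence. The function code list FUNCTION_CODES (the six single read/write codes plus write-multiple-coils 0x0F and write-multiple-registers 0x10) and the value 0.0 for a function code absent from C_1 are assumptions; the page fixes 0x0000 for an absent code in C_2 but defines no value for C_1.

```python
"""Steps (1) and (2): parse Modbus TCP ADUs and build the multi-tuples C1 and C2
for one packet sequence.  Added example; the frames below are constructed, not
captured traffic."""
import struct
from collections import defaultdict
from functools import reduce

# Function codes assumed to be "actually used by the client" (assumption, not the
# patent's list); position i in this list is position i in C1 and C2.
FUNCTION_CODES = [0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x0F, 0x10]

MBAP_LEN = 7  # transaction id (2), protocol id (2), length (2), unit id (1)


def parse_adu(adu: bytes):
    """Return (function_code, coil_address, length) for one Modbus TCP ADU.

    `length` is the MBAP length field (unit identifier plus PDU, in bytes).
    `coil_address` is the 16-bit starting address at PDU offset 1, which is
    where client requests carry it; the sequence is assumed to consist of
    client requests, since responses put a byte count there instead.
    """
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("ADU shorter than MBAP header plus function code")
    _tid, protocol_id, length, _unit_id = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if protocol_id != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(adu) - (MBAP_LEN - 1):
        raise ValueError("MBAP length field does not match frame size")
    pdu = adu[MBAP_LEN:]
    function_code = pdu[0]
    coil_address = None
    if function_code < 0x80 and len(pdu) >= 3:  # exception responses carry no address
        coil_address = struct.unpack(">H", pdu[1:3])[0]
    return function_code, coil_address, length


def packet_sequence_to_tuples(adus, function_codes=FUNCTION_CODES):
    """Build C1 (mean MBAP length per function code) and C2 (XOR of coil
    addresses per function code) for one unit-time packet sequence.

    Codes absent from the sequence get 0x0000 in C2, as the patent states; for
    C1 the page defines no value, so 0.0 is used here (assumption).
    """
    lengths = defaultdict(list)
    addresses = defaultdict(list)
    for adu in adus:
        fc, addr, length = parse_adu(adu)
        lengths[fc].append(length)
        if addr is not None:
            addresses[fc].append(addr)
    c1 = [sum(lengths[fc]) / len(lengths[fc]) if lengths[fc] else 0.0
          for fc in function_codes]
    c2 = [reduce(lambda x, y: x ^ y, addresses[fc], 0x0000) for fc in function_codes]
    return c1, c2


def build_request(transaction_id, function_code, address, count_or_value, unit_id=1):
    """Constructed client request with a 5-byte PDU (reads and single writes)."""
    pdu = struct.pack(">BHH", function_code, address, count_or_value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


# Constructed one-second packet sequence: two reads of holding registers, one
# read of coils and one write of two holding registers.
SAMPLE_SEQUENCE = [
    build_request(1, 0x03, 0x0000, 10),
    build_request(2, 0x03, 0x0010, 5),
    build_request(3, 0x01, 0x0013, 8),
    # FC 0x10 write multiple registers: address 0x0001, quantity 2, byte count 4, data
    struct.pack(">HHHB", 4, 0, 11, 1) + bytes.fromhex("10 0001 0002 04 00AA 00BB"),
]

if __name__ == "__main__":
    c1, c2 = packet_sequence_to_tuples(SAMPLE_SEQUENCE)
    for fc, a, b in zip(FUNCTION_CODES, c1, c2):
        print(f"FC 0x{fc:02X}: mean length {a:5.1f}  coil-address XOR 0x{b:04X}")
```

The parser reads the address at PDU offset 1, which is where client requests carry it; responses put a byte count there, so feed it client-to-server frames only, since the patent's description does not distinguish direction. Note also that the MBAP length field counts the unit identifier plus the PDU, so for the 253-byte maximum PDU it can reach 254, slightly above the length_max of 253 used as a cut-point bound in step (3-3).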
(3) Input the multi-tuples C_1 and C_2 corresponding to the Modbus TCP packets into the trained anomaly detection models M_1 and M_2 respectively to obtain the outputs E(h_1(C_1)) and E(h_2(C_2)), and from them the connection anomaly probability value
[equation image not reproduced: Score, computed from E(h_1(C_1)) and E(h_2(C_2))]
and judge whether the connection is abnormal according to this value, where h_1(C_1) is the number of edges from the root node to the external node in which C_1 falls when C_1 traverses each iTree_1n, h_2(C_2) is the number of edges from the root node to the external node in which C_2 falls when C_2 traverses each iTree_2n, E() denotes averaging, iTree_1n is the nth isolation tree of anomaly detection model M_1, and iTree_2n is the nth isolation tree of anomaly detection model M_2.
Specifically, if Score is less than 0.25 the connection is judged abnormal; otherwise the connection is normal.
The anomaly detection models M_1 and M_2 used in the invention are iForest models. iForest is an unsupervised anomaly detection model, so the training data set does not need to be labelled manually. According to the relevant literature, training the model on a data set containing only normal samples has an extremely small influence on detection precision, and the precision can be improved by increasing the number of isolation trees, which compensates for the loss caused by the absence of abnormal samples.
Specifically, the anomaly detection models M_1 and M_2 of this step are obtained by training with the following steps:
(3-1) Obtain Modbus TCP connections from the industrial internet, each comprising a plurality of Modbus TCP data packets, and divide the packets by unit time to obtain a plurality of packet sequences. Convert each packet sequence into a multi-tuple according to step (2-2) and combine all the resulting multi-tuples into the training set SET_1 = {C_11, C_12, C_13, C_14, ...}; convert each packet sequence into a multi-tuple according to step (2-3) and combine the resulting multi-tuples into the training set SET_2 = {C_21, C_22, C_23, C_24, ...}.
(3-2) For anomaly detection model M_1, randomly select ψ sample points from the training set SET_1 as a subsample and place it at the root node iNode_1n of the first isolation tree iTree_1 (where iNode_1n is the child node generated by the nth iteration of iTree_1). For anomaly detection model M_2, randomly select ψ sample points from the training set SET_2 as a subsample and place it at the root node iNode_2n of the second isolation tree iTree_2 (where iNode_2n is the child node generated by the nth iteration of iTree_2). The number of sample points ψ equals 256.
The training set SET_1 is used to train anomaly detection model M_1 and the training set SET_2 to train anomaly detection model M_2. The initial parameters of the two models are identical: since the number of sample points ψ is 256, the height limit of each tree is l = ceiling(log_2 ψ) = 8, and the number of isolation trees is t = 100.
(3-3) For anomaly detection model M_1, randomly select an attribute q_1 from the attribute set Q_1 of the subsample (where Q_1 is the set of function codes corresponding to the multi-tuple C_1) and randomly generate a cut point p_1 ∈ [length_min, length_max] in the current node data, where length_min is the minimum Modbus TCP packet length, length_min = 6, and length_max is the maximum Modbus TCP packet length, length_max = 253. For anomaly detection model M_2, randomly select an attribute q_2 from the attribute set Q_2 of the subsample (where Q_2 is the set of function codes corresponding to the multi-tuple C_2) and randomly generate a cut point p_2 ∈ [0x0000, 0xFFFF] in the current node data.
(3-4) For anomaly detection model M_1, divide the subsample into left and right subtrees by the cut point p_1: all tuples C_1x whose attribute value VAL(q_1) is less than p_1 are placed in the left child node iNode_1(n+1) of the current node iNode_1n, and all tuples C_1x whose attribute value VAL(q_1) is greater than or equal to p_1 are placed in the right child node iNode_1(n+1) of the current node iNode_1n. For anomaly detection model M_2, divide the subsample into left and right subtrees by the cut point p_2: all tuples C_2x whose attribute value VAL(q_2) is less than p_2 are placed in the left child node iNode_2(n+1) of the current node iNode_2n, and all tuples C_2x whose attribute value VAL(q_2) is greater than or equal to p_2 are placed in the right child node iNode_2(n+1) of the current node iNode_2n.
Specifically, the attribute value VAL(q_1) of a tuple is the value of attribute q_1 in tuple C_1x, and VAL(q_2) is the value of attribute q_2 in tuple C_2x. For example, if C_1x = (a_1, a_2, a_3, ..., a_n), a_3 corresponds to function code 0x12 and q_1 = 0x12, then VAL(q_1) = a_3.
(3-5) For anomaly detection models M_1 and M_2, recurse steps (3-3) and (3-4) in the child nodes to generate new child nodes iteratively until a child node contains only one data point or the height of the tree reaches the height limit l.
(3-6) Repeat steps (3-2) to (3-5) 100 times. Model M_1 then has iTree_1^1, iTree_1^2, iTree_1^3, ..., iTree_1^100 ∈ iForest_1 and model M_2 has iTree_2^1, iTree_2^2, iTree_2^3, ..., iTree_2^100 ∈ iForest_2, giving the trained anomaly detection models M_1 and M_2, where iForest_1 and iForest_2 denote the two isolation forests respectively.
Step (3) has the advantage that two isolation-forest-based detection models are used for anomaly detection of the communication; the time complexity of detecting one multi-tuple with a single model is low, O(t log ψ), and the detection models can easily be deployed on a parallel computing platform. Here, as mentioned above, t is the number of isolation trees.
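The training and scoring procedure of steps (3-1) to (3-6), as an added Python example that is not the patent's code. It grows t = 100 isolation trees per model from subsamples of ψ = 256 tuples with height limit l = 8, draws the cut point uniformly from the fixed ranges [6, 253] and [0x0000, 0xFFFF] as stated in (3-3) (the original iForest algorithm instead draws it between the minimum and maximum of the current node's data), stops at one data point or at depth l, and reports E(h_1(C_1)) and E(h_2(C_2)) as the plain edge counts the page defines, with no external-node adjustment. The Score formula that combines the two means is an image on the page and is not reproduced here, so the example stops at the two means. The training tuples and the anomalous tuples are constructed, and the client's function code set (positions of 0x01, 0x03 and 0x10 in an eight-code list) is an assumption.

```python
"""Steps (3-1) to (3-6): train the two isolation forests and compute E(h1(C1))
and E(h2(C2)).  Added example on constructed tuples; the page's Score formula
is an image and is not reproduced here."""
import math
import random

PSI = 256                                 # subsample size psi
HEIGHT_LIMIT = math.ceil(math.log2(PSI))  # tree height limit l = 8
N_TREES = 100                             # number of isolation trees t
CUT_RANGE_C1 = (6, 253)                   # p1 in [length_min, length_max]
CUT_RANGE_C2 = (0x0000, 0xFFFF)           # p2 in [0x0000, 0xFFFF]
N_CODES = 8                               # n: assumed eight client function codes


class INode:
    """One iTree node: internal split if `attr` is set, otherwise external."""
    def __init__(self, size, attr=None, cut=None, left=None, right=None):
        self.size, self.attr, self.cut = size, attr, cut
        self.left, self.right = left, right


def build_itree(samples, cut_range, depth, rng):
    """Steps (3-3) to (3-5): random attribute q, random cut p from the page's fixed
    range, recurse until one sample is left or the height limit l is reached."""
    if len(samples) <= 1 or depth >= HEIGHT_LIMIT:
        return INode(size=len(samples))
    q = rng.randrange(len(samples[0]))
    p = rng.uniform(*cut_range)
    left = [s for s in samples if s[q] < p]
    right = [s for s in samples if s[q] >= p]
    return INode(len(samples), q, p,
                 build_itree(left, cut_range, depth + 1, rng),
                 build_itree(right, cut_range, depth + 1, rng))


def build_iforest(training_set, cut_range, rng, n_trees=N_TREES, psi=PSI):
    """Steps (3-2) and (3-6): t trees, each grown from a random subsample of psi tuples."""
    return [build_itree(rng.sample(training_set, min(psi, len(training_set))),
                        cut_range, 0, rng) for _ in range(n_trees)]


def path_length(x, node):
    """h(x): number of edges from the root to the external node x falls into."""
    depth = 0
    while node.attr is not None:
        node = node.left if x[node.attr] < node.cut else node.right
        depth += 1
    return depth


def mean_path_length(x, forest):
    """E(h(x)) over all trees of one forest; a short path means easy to isolate."""
    return sum(path_length(x, tree) for tree in forest) / len(forest)


def normal_c1(rng):
    """Constructed normal C1: client uses only FC 0x01, 0x03 and 0x10 (positions 0, 2, 7)."""
    c1 = [0.0] * N_CODES
    c1[0] = rng.uniform(6.0, 6.5)     # read coils: 6-byte requests
    c1[2] = rng.uniform(6.0, 6.5)     # read holding registers
    c1[7] = rng.uniform(10.5, 11.5)   # small write-multiple-registers requests
    return c1


def normal_c2(rng):
    """Constructed normal C2: a handful of low coil/register addresses."""
    c2 = [0x0000] * N_CODES
    c2[0] = rng.choice([0x0000, 0x0013])
    c2[2] = rng.choice([0x0000, 0x0010, 0x0020])
    c2[7] = rng.choice([0x0000, 0x0001, 0x0003])
    return c2


# Constructed anomalies: an unexpected FC 0x0F with long payloads and an oversized
# FC 0x10 write (C1); an unexpected FC 0x05 and a write to a far address (C2).
ANOMALY_C1 = [6.2, 0.0, 6.2, 0.0, 0.0, 0.0, 60.0, 200.0]
ANOMALY_C2 = [0x0013, 0x0000, 0x0010, 0x0000, 0x1234, 0x0000, 0x0000, 0xFF00]


def demo(seed=7, n_train=300):
    """Train both forests on normal tuples; return E(h) for a fresh normal tuple
    and for the anomalous tuple in each feature space."""
    rng = random.Random(seed)
    set1 = [normal_c1(rng) for _ in range(n_train)]
    set2 = [normal_c2(rng) for _ in range(n_train)]
    forest1 = build_iforest(set1, CUT_RANGE_C1, rng)
    forest2 = build_iforest(set2, CUT_RANGE_C2, rng)
    return {"E_h1_normal": mean_path_length(normal_c1(rng), forest1),
            "E_h1_anomaly": mean_path_length(ANOMALY_C1, forest1),
            "E_h2_normal": mean_path_length(normal_c2(rng), forest2),
            "E_h2_anomaly": mean_path_length(ANOMALY_C2, forest2)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.2f}")
```

With the patent's parameters a normal tuple almost always reaches depth 8 in every tree, because a cut drawn from the whole fixed range rarely falls inside the narrow band of normal values, while the constructed anomalies are isolated after roughly five edges on average, so E(h) already separates them before any Score normalization. One consequence of the fixed C_1 cut range is worth knowing: a_i is 0 for a function code the client did not use and at least 6 for one it did, but every cut p_1 lies above 6, so an unexpected function code is split from the absent codes in C_1 only when its mean length is noticeably above 6 (for example large writes). The C_2 range starts at 0x0000 and does not have this blind spot.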
It will be understood by those skilled in the art that the foregoing is only a preferred embodiment of the present invention, and is not intended to limit the invention, and that any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (8)

1. A Modbus TCP abnormal communication detection method based on a multi-tuple is characterized by comprising the following steps:
(1) the method comprises the steps of obtaining Modbus TCP connection from the industrial internet, dividing the Modbus TCP data packets according to unit time to obtain a plurality of data packet sequences, and analyzing each Modbus TCP data packet in each data packet sequence to obtain a corresponding function code, a coil address and a data length.
(2) Processing the function code, the coil address and the data length of the Modbus TCP data packet obtained in the step (1) to obtain a multi-element group C corresponding to the Modbus TCP data packet1And C2
(3) Multiple unit C corresponding to Modbus TCP data packet1And C2Respectively inputting the trained abnormality detection model M1And M2To respectively obtain output results E (h)1(C1) Are) and E (h)2(C2) Obtain a connection anomaly probability value
Figure FDA0002991535400000011
and judging whether the connection is abnormal according to the connection anomaly probability value, wherein h1(C1) is the number of edges from the external node into which multi-tuple C1 falls to the root node when C1 traverses each iTree1_n, h2(C2) is the number of edges from the external node into which multi-tuple C2 falls to the root node when C2 traverses each iTree2_n, E() denotes the averaging operation, iTree1_n is the nth isolated tree of anomaly detection model M1, and iTree2_n is the nth isolated tree of anomaly detection model M2.
2. The Modbus TCP abnormal communication detection method based on a multi-tuple as claimed in claim 1, wherein if the connection anomaly probability value Score is less than 0.25, the connection is determined to be abnormal; otherwise, the connection is determined to be normal.
3. The Modbus TCP abnormal communication detection method based on a multi-tuple as claimed in claim 1 or 2, wherein each data packet sequence contains a plurality of Modbus TCP data packets, the MBAP header of each Modbus TCP data packet contains the data length of the data packet, and the PDU of each Modbus TCP data packet contains the function code field and the coil address of the data packet.
4. The Modbus TCP abnormal communication detection method based on a multi-tuple according to any one of claims 1 to 3, wherein step (2) comprises the following sub-steps:
(2-1) determining the number n of elements of the multi-tuples C1 and C2 according to the total number of Modbus function codes actually used by the client;
(2-2) generating the multi-tuple C1 = (a1, a2, a3 ... an) according to the number n determined in step (2-1), wherein ai is the ith element of multi-tuple C1 and i ∈ [1, n];
(2-3) generating the multi-tuple C2 = (b1, b2, b3 ... bn) according to the number n determined in step (2-1).
5. The Modbus TCP abnormal communication detection method based on a multi-tuple according to claim 4, wherein each element ai of the multi-tuple C1 is calculated by the following formula:
Figure FDA0002991535400000021
wherein g1(i) is the function code corresponding to the ith element ai of multi-tuple C1, SUM(g1(i)) is the sum of the data lengths of all data packets in the current data packet sequence that carry the same function code g1(i), and NUM(g1(i)) is the total number of data packets in the current data packet sequence that carry the same function code g1(i).
6. The Modbus TCP abnormal communication detection method based on a multi-tuple according to claim 5, wherein each element bi of the multi-tuple C2 is calculated by the following formulas:
E = Addr(g2(i))
Figure FDA0002991535400000022
wherein g2(i) is the function mapping the ith element bi of multi-tuple C2 to its corresponding function code, and Addr(g2(i)) is the set of coil addresses of all data packets in the current data packet sequence that carry the same function code g2(i).
7. The Modbus TCP abnormal communication detection method based on a multi-tuple according to any one of claims 4 to 6, characterized in that the anomaly detection models M1 and M2 are both iForest models, and the anomaly detection models M1 and M2 are obtained by training with the following steps:
(3-1) obtaining a Modbus TCP connection from the industrial internet, the Modbus TCP connection comprising a plurality of Modbus TCP data packets; dividing the Modbus TCP data packets by unit time to obtain a plurality of data packet sequences; converting each data packet sequence into a multi-tuple by the method of step (2-2) and combining all the obtained multi-tuples into a training set SET1 = {C11, C12, C13, C14 ...}; and converting each data packet sequence into a multi-tuple by the method of step (2-3) and combining the obtained multi-tuples into a training set SET2 = {C21, C22, C23, C24 ...};
(3-2) for anomaly detection model M1, randomly selecting ψ sample points from the training set SET1 as a subsample
Figure FDA0002991535400000031
and putting them into the root node iNode1_n of the first isolated tree iTree1 (where iNode1_n is the child node of the first isolated tree iTree1 generated at the nth iteration); for anomaly detection model M2, randomly selecting ψ sample points from the training set SET2 as a subsample
Figure FDA0002991535400000032
and putting them into the root node iNode2_n of the second isolated tree iTree2 (where iNode2_n is the child node of the second isolated tree iTree2 generated at the nth iteration), the number of sample points ψ being equal to 256;
(3-3) for anomaly detection model M1, randomly selecting an attribute q1 from the attribute set Q1 of the subsample
Figure FDA0002991535400000033
(where the attribute set Q1 is the set of function codes corresponding to multi-tuple C1), and randomly generating a cut point p1 ∈ [length_min, length_max] in the data of the current node, where length_min is the minimum Modbus TCP data packet length, length_min = 6, length_max is the maximum Modbus TCP data packet length, and length_max = 253; for anomaly detection model M2, randomly selecting an attribute q2 from the attribute set Q2 of the subsample
Figure FDA0002991535400000034
(where the attribute set Q2 is the set of function codes corresponding to multi-tuple C2), and randomly generating a cut point p2 ∈ [0x0000, 0xFFFF] in the data of the current node;
(3-4) for anomaly detection model M1, dividing the subsample
Figure FDA0002991535400000035
into left and right subtrees at the cut point p1: all multi-tuples C1x whose attribute value VAL(q1) is less than p1 are placed in the left subtree, i.e. the left child node iNode1_(n+1) of the current node iNode1_n, and all multi-tuples C1x whose attribute value VAL(q1) is greater than or equal to p1 are placed in the right subtree, i.e. the right child node iNode1_(n+1) of the current node iNode1_n; for anomaly detection model M2, dividing the subsample
Figure FDA0002991535400000036
into left and right subtrees at the cut point p2: all multi-tuples C2x whose attribute value VAL(q2) is less than p2 are placed in the left subtree, i.e. the left child node iNode2_(n+1) of the current node iNode2_n, and all multi-tuples C2x whose attribute value VAL(q2) is greater than or equal to p2 are placed in the right subtree, i.e. the right child node iNode2_(n+1) of the current node iNode2_n;
(3-5) for anomaly detection models M1 and M2, recursing steps (3-3) and (3-4) in the child nodes to iteratively generate new child nodes until a child node contains only one data point or the height of the tree reaches the defined height 2;
(3-6) repeating the above steps (3-2) to (3-5) 100 times to obtain the trained anomaly detection models M1 and M2, where iForest1 and iForest2 represent the two isolated forests respectively.
8. A Modbus TCP abnormal communication detection system based on a multi-tuple, characterized by comprising:
a first module for obtaining a Modbus TCP connection from the industrial internet, the connection comprising a plurality of Modbus TCP data packets, dividing the Modbus TCP data packets by unit time to obtain a plurality of data packet sequences, and parsing each Modbus TCP data packet in each data packet sequence to obtain the corresponding function code, coil address and data length;
a second module for processing the function codes, coil addresses and data lengths of the Modbus TCP data packets obtained by the first module to obtain the multi-tuples C1 and C2 corresponding to the Modbus TCP data packets;
a third module for inputting the multi-tuples C1 and C2 corresponding to the Modbus TCP data packets into the trained anomaly detection models M1 and M2 respectively, obtaining the respective output results E(h1(C1)) and E(h2(C2)), and computing the connection anomaly probability value
Figure FDA0002991535400000041
and judging whether the connection is abnormal according to the connection anomaly probability value, wherein h1(C1) is the number of edges from the external node into which multi-tuple C1 falls to the root node when C1 traverses each iTree1_n, h2(C2) is the number of edges from the external node into which multi-tuple C2 falls to the root node when C2 traverses each iTree2_n, E() denotes the averaging operation, iTree1_n is the nth isolated tree of anomaly detection model M1, and iTree2_n is the nth isolated tree of anomaly detection model M2.
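The following is an added worked example, not code from the patent or its applicants, that carries claims 3, 5 and 7 through for model M1: it parses constructed Modbus TCP request frames (MBAP length field, function code, starting coil address), builds the multi-tuple C1 as the per-function-code mean data length (the reading of SUM(g1(i))/NUM(g1(i)) assumed here; codes absent from a sequence are given 0.0, which the claim does not define), trains t = 100 isolated trees on ψ = 256 subsamples with random cut points in [6, 253], and returns E(h1(C1)), the mean path length of claim 1. The height limit defaults to ceil(log2 ψ), the usual iForest choice, because the claim's statement of the limit is unclear; the Score formula itself is an image on the page and is not reproduced, so the 0.25 threshold of claim 2 is not applied. All function names and the sample frames are constructed for this example.

```python
"""Added example (not from the patent): Modbus TCP parsing, tuple C1 of claim 5,
and isolation-forest training / path length as in claims 1 and 7."""
import math
import random
import struct
from collections import defaultdict

MBAP_LEN = 7                      # transaction id(2) + protocol id(2) + length(2) + unit id(1)
LENGTH_MIN, LENGTH_MAX = 6, 253   # cut-point range for model M1, claim 7 step (3-3)


def parse_modbus_tcp(frame: bytes):
    """Return (function_code, coil_address, data_length) for one Modbus TCP frame.
    data_length is the MBAP length field (claim 3); coil_address is the 16-bit
    starting address following the function code (assumption: request frames)."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:          # the length field counts unit id + PDU
        raise ValueError("MBAP length field disagrees with frame size")
    function_code = frame[7]
    coil_address = struct.unpack(">H", frame[8:10])[0] if len(frame) >= 10 else None
    return function_code, coil_address, length


def tuple_c1(packets, function_codes):
    """a_i = SUM(g1(i)) / NUM(g1(i)): mean MBAP length of the packets in the
    sequence carrying function code g1(i) (assumed reading of claim 5);
    codes absent from the sequence get 0.0 (assumption)."""
    total, count = defaultdict(int), defaultdict(int)
    for fc, _addr, length in packets:
        total[fc] += length
        count[fc] += 1
    return tuple(total[fc] / count[fc] if count[fc] else 0.0 for fc in function_codes)


def build_itree(samples, height, limit, rng):
    """Steps (3-3)/(3-4): random attribute q1, random cut point p1 in [6, 253];
    tuples with VAL(q1) < p1 go left, the rest right. Recursion stops at a
    single tuple or at the height limit (step 3-5)."""
    if len(samples) <= 1 or height >= limit:
        return ("leaf", len(samples))
    q = rng.randrange(len(samples[0]))
    p = rng.uniform(LENGTH_MIN, LENGTH_MAX)
    left = [s for s in samples if s[q] < p]
    right = [s for s in samples if s[q] >= p]
    return ("node", q, p,
            build_itree(left, height + 1, limit, rng),
            build_itree(right, height + 1, limit, rng))


def train_iforest(training_set, t=100, psi=256, height_limit=None, seed=0):
    """Steps (3-2) and (3-6): t trees, each grown from a random subsample of psi
    tuples. height_limit defaults to ceil(log2 psi) (assumption, standard iForest)."""
    rng = random.Random(seed)
    if height_limit is None:
        height_limit = math.ceil(math.log2(psi))
    forest = []
    for _ in range(t):
        sub = rng.sample(training_set, min(psi, len(training_set)))
        forest.append(build_itree(sub, 0, height_limit, rng))
    return forest


def path_length(tree, x):
    """h1(C1): edges from the root to the external node that x falls into."""
    edges = 0
    while tree[0] == "node":
        _, q, p, left, right = tree
        tree = left if x[q] < p else right
        edges += 1
    return edges


def mean_path_length(forest, x):
    """E(h1(C1)) over all trees of the forest; the page's Score formula is an
    image and is not reproduced here, so only the mean path length is returned."""
    return sum(path_length(tree, x) for tree in forest) / len(forest)


# Constructed sample frames (not captured traffic): Read Coils (0x01) and
# Write Multiple Coils (0x0F) requests from one client.
READ_COILS = bytes.fromhex("0001 0000 0006 01 01 0013 0025".replace(" ", ""))
WRITE_COILS = bytes.fromhex("0002 0000 0009 01 0F 0013 000A 02 CD01".replace(" ", ""))
FUNCTION_CODES = (0x01, 0x0F)       # codes actually used by the client, step (2-1)


def demo():
    """Train on constructed 'normal' sequences and return E(h1(C1)) for a normal
    tuple and for a constructed outlier with oversized mean lengths."""
    rng = random.Random(1)
    normal = [parse_modbus_tcp(READ_COILS), parse_modbus_tcp(WRITE_COILS)]
    base = tuple_c1(normal, FUNCTION_CODES)
    training = [tuple(a + rng.uniform(-0.5, 0.5) for a in base) for _ in range(300)]
    forest = train_iforest(training)
    oversized = tuple(200.0 for _ in FUNCTION_CODES)   # constructed outlier
    return mean_path_length(forest, base), mean_path_length(forest, oversized)


if __name__ == "__main__":
    print("E(h1) normal, outlier:", demo())
```

The outlier is isolated within one or two splits on average, while the clustered normal tuples travel to the height limit, which is the path-length gap the Score of claim 1 is built on. Note that because the cut points are drawn from the fixed range [6, 253] rather than from the attribute's observed range, tuples that all share nearly the same mean length are rarely split at all; a defender tuning this on real traffic should check that the normal tuples do reach the height limit and the anomalous ones do not.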
CN202110316520.3A 2021-03-25 2021-03-25 Modbus TCP abnormal communication detection method and system based on multi-tuple Active CN112968906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110316520.3A CN112968906B (en) 2021-03-25 2021-03-25 Modbus TCP abnormal communication detection method and system based on multi-tuple

Publications (2)

Publication Number Publication Date
CN112968906A true CN112968906A (en) 2021-06-15
CN112968906B CN112968906B (en) 2022-02-18

Family

ID=76278387

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110316520.3A Active CN112968906B (en) 2021-03-25 2021-03-25 Modbus TCP abnormal communication detection method and system based on multi-tuple

Country Status (1)

Country Link
CN (1) CN112968906B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114500267A (en) * 2022-01-14 2022-05-13 深圳市汇川技术股份有限公司 Mapping relation configuration method, device, system, equipment and readable storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1147677A (en) * 1995-10-06 1997-04-16 清华大学 Address code measuring system for reactor control bar position
CN106209843A (en) * 2016-07-12 2016-12-07 工业和信息化部电子工业标准化研究院 Data flow anomaly analysis method for the Modbus protocol
US20170329314A1 (en) * 2014-11-26 2017-11-16 Shenyang Institute Of Automation, Chinese Academy Of Sciences Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model
CN108574694A (en) * 2018-04-20 2018-09-25 浙江中控技术股份有限公司 Modbus TCP security protection method and device
US20190003304A1 (en) * 2015-08-25 2019-01-03 Taiyuan University Of Technology Method for realizing centralized control platform for large fully-mechanized coal mining face equipment
CN110266680A (en) * 2019-06-17 2019-09-20 辽宁大学 Industrial communication anomaly detection method based on dual similarity measurement
CN110536258A (en) * 2019-08-09 2019-12-03 大连理工大学 Trust model based on isolation forest in UASNs
CN111294264A (en) * 2020-02-17 2020-06-16 北京和利时系统工程有限公司 Communication method and device based on Modbus TCP protocol
CN112350912A (en) * 2020-10-29 2021-02-09 山东八五信息技术有限公司 Data acquisition method, system and device based on Modbus protocol
CN112398819A (en) * 2020-11-02 2021-02-23 杭州海康威视数字技术股份有限公司 Method and device for recognizing abnormality

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
KENLI LI, JING MEI, KEQIN LI: "A Fund-Constrained Investment Scheme for Profit Maximization in Cloud Computing", IEEE Transactions on Services Computing *
万明, 尚文利: "Modbus/TCP communication access control method based on function code deep inspection", Information and Control (信息与控制) *
宋站威, 周睿康: "Research on industrial control anomaly detection method based on behavior model", Computer Science (计算机科学) *

Also Published As

Publication number Publication date
CN112968906B (en) 2022-02-18

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220713

Address after: 410000 No. 102, Heguang Road, Xianghu street, Furong district, Changsha City, Hunan Province

Patentee after: Hunan Kuangan Network Technology Co.,Ltd.

Address before: Yuelu District City, Hunan province 410082 Changsha Lushan Road No. 1

Patentee before: HUNAN University

Patentee before: Hunan Kuangan Network Technology Co.,Ltd.