Modbus TCP communication behaviour anomaly detection method based on OCSVM dual-outline model

Assignee

• SHENYANG INSTITUTE OF AUTOMATION, CHINESE ACADEMY OF SCIENCES · CN

Inventors

• Wenli SHANG · 东风镇, CN
• Jianming Zhao · 东风镇, CN
• Ming Wan · Sammamish, US
• Peng Zeng · 东风镇, CN
• Haibin Yu · 东风镇, CN

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L2012/40228
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

Proposed is an anomaly detection method for communication behaviors in an industrial control system based on an OCSVM algorithm. According to the present invention, a normal behavior profile model and an abnormal behavior profile model, i.e. a dual-outline model, of communication behaviors in an industrial control system are established, parameter optimization is performed by means of a particle swarm optimization (PSO) algorithm, an optimal intrusion detection model is obtained, and abnormal Modbus TCP communication traffic is identified. According to the present invention, the false alarm rate is reduced by means of cooperative discrimination of the dual-outline detection model, the efficiency and reliability of anomaly detection are improved, and the method is more applicable to practical applications.