Real-Time Intrusion Detection Method Based on Bidirectional Access of Modbus/TCP Protocol

Title: Real-Time Intrusion Detection Method Based on Bidirectional Access of Modbus/TCP Protocol
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Xin, Xiaoshuai; Liu, Cancheng; Wang, Bin
Conference Name: Proceedings of the 2017 International Conference on Cryptography, Security and Privacy
Publisher: ACM
Conference Location: New York, NY, USA
ISBN Number: 978-1-4503-4867-6
Keywords: Bidirectional access, ICS Anomaly Detection, Modbus/TCP function code, pubcrawl, Real-time intrusion detection, resilience, Resiliency, Scalability
Abstract

The Modbus/TCP protocol is commonly used in industrial control systems for communication between the human-machine interface and the industrial controllers. This paper proposes a real-time intrusion detection method based on bidirectional access of the Modbus/TCP protocol. The method does not depend on the observation that Modbus/TCP traffic to and from a master or slave device is periodic. It can detect an anomaly in real time after inspecting only two packets. Even if an intruder replaces the legitimate function code in a master-to-slave packet with another legitimate function code, the method can still detect the change. Test results show that the presented method is timely and has low false positive and false negative rates.

URL: http://doi.acm.org/10.1145/3058060.3058069
DOI: 10.1145/3058060.3058069
Citation Key: xin_real-time_2017