Abnormal traffic detection apparatus and method based on modbus communication pattern learning

US 9,699,204 B2
Filed: 04/29/2015
Issued: 07/04/2017
Est. Priority Date: 06/30/2014
Status: Active Grant

First Claim

Patent Images

1. An abnormal traffic detection apparatus, comprising:

a communication pattern classifier configured to monitor traffic generated in Modbus/TCP communication of a control system monitoring a remote resource during a predetermined period, and generate a Modbus communication pattern based on the monitored traffic; and

an abnormal behavior detector configured to detect abnormal traffic of the control system based on the generated Modbus communication pattern,wherein the abnormal behavior detector detects the abnormal traffic in the Modbus/TCP communication of the control system based on a Modbus request message received from a client of the control system and the generated Modbus communication pattern, anddetermines whether there is a value of a server IP identical to a value of a source IP (SIP) of the Modbus request message in a server table included in the Modbus communication pattern, and when there is the value of the server IP identical to the value of the SIP in the server table based on the determination result, determines that a server corresponding to the SIP is an abnormal server.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An abnormal traffic detection apparatus and method based on Modbus communication pattern learning is provided. The abnormal traffic detection apparatus based on the Modbus communication pattern learning previously detects and responds to abnormal traffic on a Modbus/TCP protocol. According to the present invention, a communication service between control systems can be stably provided by previously detecting the abnormal traffic capable of interfering with a stable operation of the control system. Particularly, since the effective abnormal traffic on the Modbus/TCP protocol can be previously detected, security of the control system can be increased by rapid detection and response with respect to security threats on the Intranet of the control system, and availability can be secured.

22 Citations

View as Search Results

16 Claims

1. An abnormal traffic detection apparatus, comprising:
- a communication pattern classifier configured to monitor traffic generated in Modbus/TCP communication of a control system monitoring a remote resource during a predetermined period, and generate a Modbus communication pattern based on the monitored traffic; and
  
  an abnormal behavior detector configured to detect abnormal traffic of the control system based on the generated Modbus communication pattern,wherein the abnormal behavior detector detects the abnormal traffic in the Modbus/TCP communication of the control system based on a Modbus request message received from a client of the control system and the generated Modbus communication pattern, anddetermines whether there is a value of a server IP identical to a value of a source IP (SIP) of the Modbus request message in a server table included in the Modbus communication pattern, and when there is the value of the server IP identical to the value of the SIP in the server table based on the determination result, determines that a server corresponding to the SIP is an abnormal server.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The abnormal traffic detection apparatus of claim 1, wherein the communication pattern classifier collects a Modbus request message generated by a client of the control system, and generates the Modbus communication pattern based on the Modbus request message.
  - 3. The abnormal traffic detection apparatus of claim 2, wherein the communication pattern classifier determines whether a value of a server IP identical to a value of a destination IP (DIP) of the Modbus request message is registered in a server table included in the Modbus communication pattern, and when the value of the server IP identical to the value of the DIP of the Modbus request message is not registered in the server table based on the determination result, registers the value of the DIP in the server table.
  - 4. The abnormal traffic detection apparatus of claim 2, wherein the communication pattern classifier determines whether information identical to information in which values of a source IP (SIP), a destination IP (DIP), a unit ID (UID), and a function code (FCode) of the Modbus request message are combined is registered in a command table included in the Modbus communication pattern, and when the information identical to the combined SIP/DIP/UID/FCode information is not registered in the command table based on the determination result, registers the combined SIP/DIP/UID/FCode information in the command table.
  - 5. The abnormal traffic detection apparatus of claim 1, wherein the communication pattern classifier collects a Modbus request message generated by a client of the control system, and generates entries of a server table and a command table as the Modbus communication pattern based on the collected Modbus request message.
  - 6. The abnormal traffic detection apparatus of claim 5, wherein the communication pattern classifier generates the entry of the server table including values of a server IP and a unit ID (UID), and the entry of the command table including a source IP (SIP), a destination IP (DIP), a unit ID (UID), and a function code (FCode).
  - 7. The abnormal traffic detection apparatus of claim 1, wherein the abnormal behavior detector determines whether there is the value of the server IP identical to a value of a destination IP (DIP) of the Modbus request message in the server table when there is not the value of the server IP identical to the value of the SIP of the Modbus request message in the server table based on the determination result, and when there is not the value of the server IP identical to the value of the DIP in the server table based on the determination result, determines that a server corresponding to the value of the DIP is an unknown server.
  - 8. The abnormal traffic detection apparatus of claim 7, wherein the abnormal behavior detector determines whether there is information identical to information in which values of a source IP (SIP), a destination IP (DIP), a unit ID (UID), and a function code (FCode) of the Modbus request message are combined in a command table included in the Modbus communication pattern when there is the value of the server IP identical to the value of the DIP in the server table, sets an abnormal command level according to the determination result, and generates a warning based on the set result.

9. An abnormal traffic detection method, comprising:
- monitoring traffic generated in Modbus/TCP communication of a control system monitoring a remote resource during a predetermined period, and generating a Modbus communication pattern based on the monitored traffic; and
  
  detecting abnormal traffic of the control system based on the generated Modbus communication pattern,wherein the detecting of the abnormal traffic of the control system comprises;
  
  detecting the abnormal traffic in Modbus/TCP communication of the control system based on a Modbus request message received from a client of the control system and the generated Modbus communication pattern, andwherein the detecting of the abnormal traffic in the Modbus/TCP communication comprises;
  
  determining whether there is a value of a server IP identical to a value of a source IP (SIP) of the Modbus request message in a server table included in the Modbus communication pattern; and
  
  determining that a server corresponding to the source IP is an abnormal server when there is the value of the server IP identical to the value of the SIP in the server table based on the determination result.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The abnormal traffic detection method of claim 9, wherein the generating of the Modbus communication pattern comprises:
    - collecting a Modbus request message generated by a client of the control system; and
      
      generating entries of a server table and a command table as the Modbus communication pattern based on the collected Modbus request message.
  - 11. The abnormal traffic detection method of claim 10, wherein the generating of the entries comprises:
    - registering a value of a destination IP (DIP) in the server table when a value of a server IP identical to the value of the DIP of the Modbus request message is not registered in the server table included in the Modbus communication pattern;
      
      determining whether there is information identical to information in which values of a source IP (SIP), a destination IP (DIP), a unit ID (UID), and a function code (FCode) of the Modbus request message are combined in the command table included in the Modbus communication pattern; and
      
      registering the combined SIP/DIP/UID/FCode information in the command table when there is not the information identical to the combined SIP/DIP/UID/FCode information of the Modbus request message in the command table based on the determination result.
  - 12. The abnormal traffic detection method of claim 9, wherein the detecting of the abnormal traffic in the Modbus/TCP communication further comprises:
    - determining whether there is the value of a server IP identical to a value of a destination IP (DIP) of the Modbus request message in the server table when there is not the value of the server IP identical to the value of the SIP in the server table based on the determination result; and
      
      determining that a server corresponding to the DIP is an unknown server when there is not the value of the server IP identical to the value of the DIP in the server table based on the determination result.
  - 13. The abnormal traffic detection method of claim 12, wherein the detecting of the abnormal traffic in the Modbus/TCP communication further comprises:
    - determining whether there is information identical to information in which values of a source IP (SIP), a destination IP (DIP), a unit ID (UID), and a function code (FCode) of the Modbus request message are combined in a command table included in the Modbus communication pattern when there is the value of the server IP identical to the value of the DIP in the server table; and
      
      setting an abnormal command level based on the determination result, and generating a warning based on the set result.
  - 14. The abnormal traffic detection method of claim 13, wherein the generating of the warning comprises:
    - determining whether there is information identical to information in which the values of the SIP and the FCode are combined in the command table when there is not the information identical to the combined SIP/DIP/UID/FCode information in the command table; and
      
      setting the abnormal command level as the minimum risk level when there is the information identical to the combined SIP/FCode information in the command table based on the determination result.
  - 15. The abnormal traffic detection method of claim 14, wherein the generating of the warning further comprises:
    - determining whether there is a function code (FCode) in the command table when there is not the information identical to the combined SIP/FCode information in the command table; and
      
      setting the abnormal command level as the maximum risk level when there is not the FCode in the command table based on the determination result.
  - 16. The abnormal traffic detection method of claim 15, wherein the generating of the warning further comprises:
    - setting the abnormal command level as a medium level between the minimum risk level and the maximum risk level when there is the FCode in the command table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Sohn, Seon Gyoung, Kim, Byoung Koo, Kang, Dong Ho, Na, Jung Chan, Heo, Young Jun
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Tran, Tongoc

Application Number

US14/699,449
Publication Number

US 20150381642A1
Time in Patent Office

797 Days
Field of Search
US Class Current
CPC Class Codes

H04L 12/40   Bus networks

H04L 2012/40228   Modbus

H04L 41/142   using statistical or mathem...

H04L 43/026   using flow identification

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 67/12   specially adapted for propr...

H04L 69/16   Implementation or adaptatio...

H04L 69/329   in the application layer [O...

Abnormal traffic detection apparatus and method based on modbus communication pattern learning

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Abnormal traffic detection apparatus and method based on modbus communication pattern learning

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others