Abnormal traffic detection apparatus and method based on Modbus communication pattern learning
Abstract
An abnormal traffic detection apparatus and method based on Modbus communication pattern learning are provided. The apparatus learns the Modbus/TCP communication pattern of a control system and uses it to detect and respond to abnormal traffic on the Modbus/TCP protocol before that traffic disrupts the system. According to the present invention, a communication service between control systems can be provided stably, because abnormal traffic capable of interfering with the stable operation of the control system is detected in advance. In particular, since abnormal traffic on the Modbus/TCP protocol can be detected early, security threats on the intranet of the control system can be detected and responded to rapidly, which increases the security of the control system and secures its availability.
22 Citations
16 Claims
1. An abnormal traffic detection apparatus, comprising:
a communication pattern classifier configured to monitor traffic generated in Modbus/TCP communication of a control system monitoring a remote resource during a predetermined period, and generate a Modbus communication pattern based on the monitored traffic; and
an abnormal behavior detector configured to detect abnormal traffic of the control system based on the generated Modbus communication pattern,
wherein the abnormal behavior detector detects the abnormal traffic in the Modbus/TCP communication of the control system based on a Modbus request message received from a client of the control system and the generated Modbus communication pattern, and determines whether there is a value of a server IP identical to a value of a source IP (SIP) of the Modbus request message in a server table included in the Modbus communication pattern, and when there is the value of the server IP identical to the value of the SIP in the server table based on the determination result, determines that a server corresponding to the SIP is an abnormal server.
Dependent claims: 2, 3, 4, 5, 6, 7, 8 (not reproduced on this page)

9. An abnormal traffic detection method, comprising:
monitoring traffic generated in Modbus/TCP communication of a control system monitoring a remote resource during a predetermined period, and generating a Modbus communication pattern based on the monitored traffic; and
detecting abnormal traffic of the control system based on the generated Modbus communication pattern,
wherein the detecting of the abnormal traffic of the control system comprises: detecting the abnormal traffic in Modbus/TCP communication of the control system based on a Modbus request message received from a client of the control system and the generated Modbus communication pattern, and
wherein the detecting of the abnormal traffic in the Modbus/TCP communication comprises: determining whether there is a value of a server IP identical to a value of a source IP (SIP) of the Modbus request message in a server table included in the Modbus communication pattern; and determining that a server corresponding to the SIP is an abnormal server when there is the value of the server IP identical to the value of the SIP in the server table based on the determination result.
Dependent claims: 10, 11, 12, 13, 14, 15, 16 (not reproduced on this page)
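The learning-then-detection procedure of claims 1 and 9, as an added example that is not part of the patent or of any product it describes. It assumes traffic is supplied as constructed (timestamp, source IP, destination IP, destination port, payload) tuples, that a Modbus request is any packet to TCP port 502 carrying a well-formed MBAP header, and that the learned pattern's server table maps the destination IP of each request seen during the learning period to the (unit ID, function code) pairs observed for it. The server-table check (a request whose source IP is a learned server marks that server as abnormal) is the one the claims describe; the malformed-request, unlearned-server and unlearned-function alerts are an extension assumed here, not something the page claims.

```python
"""Added example (not the patent's own code): learn a Modbus/TCP communication
pattern during a fixed window, then flag requests whose source IP is a learned
server.  Traffic is constructed inline; nothing is captured from a network."""
import struct
from dataclasses import dataclass, field

MODBUS_TCP_PORT = 502


def parse_request_pdu(payload: bytes):
    """Return (unit_id, function_code) for a well-formed Modbus/TCP request,
    or None.  MBAP header: transaction id (2), protocol id (2, always 0),
    length (2, counts unit id + PDU), unit id (1); the PDU starts with the
    function code."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    function = payload[7]
    if function >= 0x80:  # high bit set only in exception responses
        return None
    return unit, function


@dataclass
class CommunicationPattern:
    # server IP -> set of (unit_id, function_code) pairs seen during learning
    server_table: dict = field(default_factory=dict)
    client_ips: set = field(default_factory=set)


def learn_pattern(packets, period_start, period_end):
    """Communication pattern classifier: observe requests with
    period_start <= ts < period_end and build the server table."""
    pattern = CommunicationPattern()
    for ts, sip, dip, dport, payload in packets:
        if not (period_start <= ts < period_end) or dport != MODBUS_TCP_PORT:
            continue
        pdu = parse_request_pdu(payload)
        if pdu is None:
            continue
        pattern.server_table.setdefault(dip, set()).add(pdu)
        pattern.client_ips.add(sip)
    return pattern


def detect(pattern, packets, detect_start):
    """Abnormal behavior detector.  Returns (ts, sip, dip, reason) alerts.
    The 'abnormal server' rule is the server-table check from claims 1 and 9;
    the other rules are an assumed extension, not claimed on the page."""
    alerts = []
    for ts, sip, dip, dport, payload in packets:
        if ts < detect_start or dport != MODBUS_TCP_PORT:
            continue
        pdu = parse_request_pdu(payload)
        if pdu is None:
            alerts.append((ts, sip, dip, "malformed Modbus/TCP request"))
            continue
        if sip in pattern.server_table:
            # A device learned as a server is now issuing requests itself.
            alerts.append((ts, sip, dip, "abnormal server"))
        elif dip not in pattern.server_table:
            alerts.append((ts, sip, dip, "request to unlearned server"))
        elif pdu not in pattern.server_table[dip]:
            alerts.append((ts, sip, dip, "unlearned unit/function %d/%d" % pdu))
    return alerts


def mbap_request(tid, unit, function, data=b""):
    """Build a Modbus/TCP request frame (used only for constructed input)."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


READ_HOLDING = struct.pack("!HH", 0, 10)      # start address 0, 10 registers
WRITE_SINGLE = struct.pack("!HH", 5, 0x1234)  # register 5 := 0x1234

# Constructed traffic: (timestamp, src IP, dst IP, dst port, payload).
# 10.0.0.10/.11 play HMIs (clients); 10.0.0.20/.21 play PLCs (servers).
SAMPLE_PACKETS = [
    (1.0, "10.0.0.10", "10.0.0.20", 502, mbap_request(1, 1, 0x03, READ_HOLDING)),
    (2.0, "10.0.0.10", "10.0.0.21", 502, mbap_request(2, 1, 0x03, READ_HOLDING)),
    (3.0, "10.0.0.11", "10.0.0.20", 502, mbap_request(3, 1, 0x06, WRITE_SINGLE)),
    # detection window: a learned server starts sending requests at t=62
    (61.0, "10.0.0.10", "10.0.0.20", 502, mbap_request(4, 1, 0x03, READ_HOLDING)),
    (62.0, "10.0.0.20", "10.0.0.21", 502, mbap_request(5, 1, 0x06, WRITE_SINGLE)),
    (63.0, "10.0.0.11", "10.0.0.21", 502, mbap_request(6, 1, 0x06, WRITE_SINGLE)),
    (64.0, "10.0.0.10", "10.0.0.20", 502, b"\x00\x07\x00\x01\x00\x06\x01\x03"),
]


def run_demo():
    """Learn from the first 60 s, then detect over everything after it."""
    pattern = learn_pattern(SAMPLE_PACKETS, 0.0, 60.0)
    return pattern, detect(pattern, SAMPLE_PACKETS, 60.0)


if __name__ == "__main__":
    learned, found = run_demo()
    print("server table:", {k: sorted(v) for k, v in learned.server_table.items()})
    for alert in found:
        print(alert)
```

The learning window must be long enough to see every legitimate client/server pairing and function code, otherwise the extension rules produce false positives on rare but legitimate writes; the server-table rule itself only fires when a host that was exclusively a request target begins originating requests, which is the pivot behaviour a compromised PLC or a rogue device spoofing a PLC address would show.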
Specification