Method for detecting abnormal traffic on control system protocol

摘要

A method for detecting an abnormal traffic on a control system protocol, includes: checking whether session information exists in a management table; adding a new entry to the management table; checking whether a transaction ID in a table entry is the same as that of the received MODBUS request message; and checking whether data and length thereof of the received MODBUS request message are the same as those in the table entry. Further, the method includes detecting an abnormal traffic; and updating the table entry with packet information of the MODBUS request message.

主权项

1. A method for detecting an abnormal traffic on a control system protocol, the method comprising:
checking whether session information exists in a management table when a received packet is a MODBUS request message; adding a new entry to the management table when the session information does not exist in the management table; checking whether a transaction ID in a table entry is the same as that of the received MODBUS request message when the session information exists in the management table; checking whether data and length thereof of the received MODBUS request message are the same as those in the table entry when the transaction ID of the table entry is not the same as that of the MODBUS request message; detecting an abnormal traffic when the transaction ID of the table entry is the same as that of the MODBUS request message, or the data of the table entry is the same as that of the MODBUS request message; and updating the table entry with packet information of the MODBUS request message when the data of the table entry is not the same as that of the MODBUS request message.