Anomaly detection system for Modbus data based on an open source tool

Abstract

This paper presents an anomaly detection system based on the Modbus TCP/IP protocol for industrial networks. The system has been developed using Zeek, an open-source tool for monitoring and analyzing network traffic. The data model is based on discrete-time Markov chains, extended with time parameters and observations of process parameters. The detection model defines ten types of anomalies, allowing for the recognition of specific deviations from normal network operations. To assess the quality of the model, a series of test scenarios have been developed to simulate potential anomalies in a control system, including a realistic real-time manipulation attack. These tests have been conducted in a simulated environment. The results confirm that the system is capable of real-time anomaly detection, accurately identifying most of the simulated attack scenarios without generating false positive alerts, thanks to customizable detection parameters.