Modeling Modbus TCP for intrusion detection.

DFAs (Deterministic Finite Automata) and DTMCs (Discrete Time Markov Chain) have been proposed for modeling Modbus/TCP for intrusion detection in SCADA (Supervisory Control and Data Acquisition) systems. While these models can be used to learn the behavior of the system, they require the designer to know the appropriate amount of training data for building the model, to retrain models when configuration changes, and to generate understandable alert messages. In this paper, we propose to complement these learned models with the specification approaches. To build a robust model, we need to consider configuration-level specifications in addition to protocol specification. As Modbus/TCP is a simple protocol with handful function code(s) or commands for each communication channel, designing a specification-based approach is suitable for monitoring this communication. We do a comparison of DFA and DTMC approaches in two datasets and illustrate how to use our inferred specification to complement these models.