Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems

Niv Goldenberg, Avishai Wool*

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review


The Modbus/TCP protocol is commonly used in SCADA systems for communications between a human-machine interface (HMI) and programmable logic controllers (PLCs). This paper presents a model-based intrusion detection system designed specifically for Modbus/TCP networks. The approach is based on the key observation that Modbus traffic to and from a specific PLC is highly periodic; as a result, each HMI-PLC channel can be modeled using its own unique deterministic finite automaton (DFA). An algorithm is presented that can automatically construct the DFA associated with an HMI-PLC channel based on about 100 captured messages. The resulting DFA-based intrusion detection system looks deep into Modbus/TCP packets and produces a very detailed traffic model. This approach is very sensitive and is able to flag anomalies such as a message appearing out of its position in the normal sequence or a message referring to a single unexpected bit. The intrusion detection approach is tested on a production Modbus system. Despite its high sensitivity, the system has a very low false positive rate-perfect matches of the model to the traffic were observed for five of the seven PLCs tested without a single false alarm over 111. h of operation. Furthermore, the intrusion detection system successfully flagged real anomalies that were caused by technicians who were troubleshooting the HMI system. The system also helped identify a PLC that was configured incorrectly.

Original languageEnglish
Pages (from-to)63-75
Number of pages13
JournalInternational Journal of Critical Infrastructure Protection
Issue number2
StatePublished - Jun 2013


  • Modbus/TCP
  • Network intrusion detection system
  • SCADA systems


Dive into the research topics of 'Accurate modeling of Modbus/TCP for intrusion detection in SCADA systems'. Together they form a unique fingerprint.

Cite this