<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE article  PUBLIC "-//NLM//DTD Journal Publishing DTD v3.0 20080202//EN" "http://dtd.nlm.nih.gov/publishing/3.0/journalpublishing3.dtd"><article xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink" dtd-version="3.0" xml:lang="en" article-type="research article"><front><journal-meta><journal-id journal-id-type="publisher-id">JCC</journal-id><journal-title-group><journal-title>Journal of Computer and Communications</journal-title></journal-title-group><issn pub-type="epub">2327-5219</issn><publisher><publisher-name>Scientific Research Publishing</publisher-name></publisher></journal-meta><article-meta><article-id pub-id-type="doi">10.4236/jcc.2021.97007</article-id><article-id pub-id-type="publisher-id">JCC-110979</article-id><article-categories><subj-group subj-group-type="heading"><subject>Articles</subject></subj-group><subj-group subj-group-type="Discipline-v2"><subject>Computer Science&amp;Communications</subject></subj-group></article-categories><title-group><article-title>
 
 
  Research on DoS Attack Detection Method of Modbus TCP in OpenPLC
 
</article-title></title-group><contrib-group><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Tongxin</surname><given-names>Li</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Yong</surname><given-names>Wang</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Cunming</surname><given-names>Zou</given-names></name><xref ref-type="aff" rid="aff2"><sup>2</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Yingjie</surname><given-names>Tian</given-names></name><xref ref-type="aff" rid="aff3"><sup>3</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Lin</surname><given-names>Zhou</given-names></name><xref ref-type="aff" rid="aff1"><sup>1</sup></xref></contrib><contrib contrib-type="author" xlink:type="simple"><name name-style="western"><surname>Yiwen</surname><given-names>Zhu</given-names></name><xref ref-type="aff" rid="aff4"><sup>4</sup></xref></contrib></contrib-group><aff id="aff2"><addr-line>National Quality Supervision and Testing Center of Security Products for Network and Information Systems, The Third Research Institute of Ministry of Public Security, Shanghai, China</addr-line></aff><aff id="aff1"><addr-line>College of Science, Shanghai University of Electric Power, Shanghai, China</addr-line></aff><aff id="aff3"><addr-line>Power Big Data Center, State Grid Shanghai Municipal Electric Power Company Electric Power Research Institute, Shanghai, China</addr-line></aff><aff id="aff4"><addr-line>Shanghai Cloud Sword Information Technology Co., Ltd., Shanghai, China</addr-line></aff><pub-date pub-type="epub"><day>02</day><month>07</month><year>2021</year></pub-date><volume>09</volume><issue>07</issue><fpage>73</fpage><lpage>90</lpage><history><date date-type="received"><day>25,</day>	<month>January</month>	<year>2021</year></date><date date-type="rev-recd"><day>27,</day>	<month>July</month>	<year>2021</year>	</date><date date-type="accepted"><day>30,</day>	<month>July</month>	<year>2021</year></date></history><permissions><copyright-statement>&#169; Copyright  2014 by authors and Scientific Research Publishing Inc. </copyright-statement><copyright-year>2014</copyright-year><license><license-p>This work is licensed under the Creative Commons Attribution International License (CC BY). http://creativecommons.org/licenses/by/4.0/</license-p></license></permissions><abstract><p>
 
 
  With the development of new information technologies such as cloud computing, Internet of Things, and mobile Internet of Things, Industry 4.0, Smart Manufacturing and Made in China 2025 have been proposed as the main content of the development of the next industrial revolution. In order to realize these projects with the common characteristics of intelligence, service, and green, a new manufacturing model, digital twin, is proposed, which combines the digital twin with industrial systems, that is, the industrial control virtualization system. However, due to the frequent occurrence of industrial control system security incidents in recent years, the industrial control virtualization system is vulnerable to attacks. The industrial control system is huge and cumbersome. Once attacked, it will cause consequences that affect the whole body. In response to this problem, this article carried out a research on DoS attack detection methods for Modbus TCP in OpenPLC, using OpenPLC as a tool for industrial control system virtualization, building a digital twin system with Raspberry Pi, and launching DoS attacks on the system, combined with Snort Intrusion detection is carried out, and the experimental results show that the built digital twin system can detect DoS attacks in OpenPLC.
 
</p></abstract><kwd-group><kwd>Digital Virtualization</kwd><kwd> Communication Protocol Vulnerability</kwd><kwd> OpenPLC</kwd><kwd> Snort</kwd></kwd-group></article-meta></front><body><sec id="s1"><title>1. Introduction</title><p>The concept of industrial control system virtualization is mainly derived from the term Digital Twins. With the development of new information technologies such as cloud computing, Internet of Things, and mobile Internet of Things, Industry 4.0, smart manufacturing and Made in China 2025 have been proposed as the main content of the next industrial revolution. In order to realize these projects with the common characteristics of intelligence, service and green, a new manufacturing model-digital twin is proposed. And digital virtualization is an important part of it. Virtualizing the industrial control system can turn the complex into “simplicity”.</p><p>With the rapid development of technology, the industry needs to adjust quickly, and improve product efficiency, increase output and reduce costs. Due to the high cost of purchasing machines and procedures when developing Industry 2.0 and Industry 3.0, most small and medium-sized enterprises are developing toward Industry 4.0. Development planning must be carried out before actual development. Different forms of production line planning are also different. The digital twin system can be applied to this, not only can display real data on the production line in real time, but also display the status of the production line, and predict the situation that will occur, helping small and medium-sized companies to transform existing production into full automation. In addition, digital twins can be used to create and plan tools compatible with the system, so as to easily directly connect the production line system with customer needs, and gradually develop an automated system for future use.</p><p>Gartner, one of the most authoritative IT and consulting companies in the world, has listed digital twins as one of the top ten strategic technology development trends from 2017 to 2020 [<xref ref-type="bibr" rid="scirp.110979-ref1">1</xref>] [<xref ref-type="bibr" rid="scirp.110979-ref2">2</xref>] [<xref ref-type="bibr" rid="scirp.110979-ref3">3</xref>] [<xref ref-type="bibr" rid="scirp.110979-ref4">4</xref>]. They believe that with the integration of technology and people, there will be many opportunities to create digital versions of physical systems, which will represent different objects in the real world. Digital twins are mainly used in the field of industrial manufacturing. More and more well-known domestic and foreign companies have begun to study the application fields of digital twin technology, such as product design, manufacturing and services [<xref ref-type="bibr" rid="scirp.110979-ref5">5</xref>]. The digital virtualization system also has the characteristics of a digital twin. The key of the digital twin is to connect the physical world and the digital virtual world together and realize the two-way dynamic interaction of information flow. On the contrary, there is a term called Digital Shadow, which means that there is only one-way data flow between the state of the physical object and the digital object. The digital twin can be used to perform tasks, but the control information must be fed back into the system. Virtualizing the industrial control system can predict the failures that will occur in the system, prepare emergency plans in advance, optimize the system, and increase the service life.</p><p>The industrial control system is digitally virtualized to completely and truly produce the entire industrial control system. However, with the frequent occurrence of industrial control system security incidents in recent years, industrial control virtualization systems are vulnerable to attacks. The industrial control system is huge and cumbersome. Once attacked, it will cause consequences that affect the whole body. In order to improve the security of industrial control virtualization system, there are mainly the following problems [<xref ref-type="bibr" rid="scirp.110979-ref6">6</xref>]:</p><p>1) There are many types of industrial control virtualization systems, but they lack security measures;</p><p>2) Some physical environments of the industrial control system are set up in places where they cannot be operated, such as in the wild, and cannot be maintained immediately after being attacked, and the maintenance is difficult.</p><p>Aiming at the above problems, this article uses the cloud server as the communication host, the Raspberry Pi as the communication slave, uses the Modbus communication protocol for communication, and is equipped with OpenPLC to simulate a small industrial control system, build a digital virtualization system, and conduct attack tests on the system. Use the Pfsense firewall to add snort as a plug-in for detection, thereby improving the security of the industrial control system.</p></sec><sec id="s2"><title>2. Related Research</title><p>The concept of digital twins was first proposed by Micheal Grieves of the University of Michigan in 2003, but it was not clearly valued. With the cooperation between the US Air Force Research Laboratory and NASA in 2011, the concept of digital twins for aircraft was proposed, brings a clear definition to the digital twin. With the continuous introduction of technology and development strategies such as Industry 4.0 and smart manufacturing, digital twins have begun to receive attention from all walks of life. Many products and research based on digital twins have also emerged.</p><p>In order to promote the improvement of laboratory equipment management methods, the Chinese Academy of Sciences established the SAMP platform, but there was a problem that facility failures could not be actively predicted. Ma Yue et al. [<xref ref-type="bibr" rid="scirp.110979-ref7">7</xref>] used digital twin technology to build a virtual laboratory platform and its digital twin experiment the laboratory model mainly includes four or five points of physical laboratory, virtual laboratory, laboratory twin data, and digital twin laboratory service platform. It can predict, maintain and improve the system while ensuring the normal operation of the laboratory physical platform, and promote the experiment Digital construction of the laboratory platform. In order to adapt to the new development trend, the Beihang digital twin technology research team proposed a digital twin five-dimensional model [<xref ref-type="bibr" rid="scirp.110979-ref8">8</xref>]. In the original three-dimensional model, that is, physical entities, virtual entities and the connection between the two, services and twin data are added. Tao Fei and others also designed a digital twin workshop [<xref ref-type="bibr" rid="scirp.110979-ref9">9</xref>], whose main features are virtual and real integration, data-driven, full elements, full processes, full business integration and integration, iterative operation and optimization, etc. The key technology lies in the physical workshop “human-Machine-things-environment” interconnection and inclusive technology, virtual workshop construction, operation and verification technology, and workshop twin data construction and management technology. Based on the feature description of the workpiece digital model, Chen Moran et al. [<xref ref-type="bibr" rid="scirp.110979-ref10">10</xref>] established a digital twin model, optimized the nearest neighbor feature matching algorithm, combined with the Hough voting mechanism, and improved the accuracy of finding the location of the landmark in the twin model. Based on digital twin technology, Liu Zhifeng et al. [<xref ref-type="bibr" rid="scirp.110979-ref11">11</xref>] proposed a new method to solve the scheduling problem of parts intelligent manufacturing workshop, and called it a scheduling cloud platform, which uses real-time monitoring data and big data analysis to predict workshop production And diagnosis, and put the proposed model on the ground for verification. Wang Shilong et al. [<xref ref-type="bibr" rid="scirp.110979-ref12">12</xref>] proposed a new paradigm based on hierarchical digital twin industrial Internet manufacturing-fog manufacturing, and gave the definition of fog manufacturing, and analyzed the difference between fog manufacturing and traditional industrial Internet and cloud manufacturing. In the above, a digital twin-based man-machine-object fusion drive control system is proposed, and a typical machining application is used as a case to verify the feasibility and effectiveness of the proposed fog manufacturing model.</p><p>Attack detection is a gradually developing research. Fuzzing is a technique that attempts to discover security vulnerabilities by sending random input to an application or device. Therefore, it is widely used to test input validation and security vulnerabilities in application logic. In 2015, Qi Xiong [<xref ref-type="bibr" rid="scirp.110979-ref13">13</xref>] and others proposed an intelligent fuzzing technology for Modbus-TCP, described in detail the architecture of the technology, and proposed an adaptive test case generation algorithm and test process workflow. Test cases can be generated intelligently based on target feedback.</p><p>Building a real-time test bed is also one of the research methods. In 2015, Bo Chen et al. [<xref ref-type="bibr" rid="scirp.110979-ref14">14</xref>] proposed a real-time physics framework test bed that integrates real-time power system simulators and communication system simulators to study the vulnerability of networks and physical systems in smart grids. The paper uses Opnet’s semi-physical simulation system (SITL) and open source Linux tools and server implementation, and discusses the results of two network attacks on Modbus/TCP protocol, and improves the protocol attack detection.</p></sec><sec id="s3"><title>3. Problem Analysis</title><sec id="s3_1"><title>3.1. OpenPLC Communication Process</title><p>OpenPLC is an open source PLC control platform [<xref ref-type="bibr" rid="scirp.110979-ref6">6</xref>], which is created based on the actual programmable logic controller architecture on the market. It is a modular system with extended functions. OpenPLC can currently run on a variety of devices such as Raspberry Pi. <xref ref-type="fig" rid="fig1">Figure 1</xref> shows the communication topology of OpenPLC, and you can also see its system structure and the modules it contains: network server, MatIEC compiler, network layer, hardware layer, etc.</p><p>OpenPLC is a real-time program, which allows uploading and compiling PLC programs. It always runs on port 8080 and can be opened in most web browsers. The network layer is responsible for communicating with SCADA. Currently,</p><p>OpenPLC supports Modbus/TCP and DNP3. By default, Modbus is used on port 502 and DNP3 is used on port 20,000.</p><p>After OpenPLC is installed on the Raspberry Pi, it will automatically run as the Raspberry Pi starts. Open the Raspberry Pi operation page on the web and you can add the corresponding communication protocol and connected slave stations. After starting OpenPLC, you can see the operation of the protocol in its log.</p></sec><sec id="s3_2"><title>3.2. Digital Twin System</title><p>Digital virtualization, that is, digital twins, has been widely used, but there are few mentions about the network security of digital twins. Once an attacker attacks the virtualized system, the virtual system’s monitoring of the physical system will fall short, and the physical system will be in a situation of being “exiled” and unable to obtain its state synchronously. This is for the use of digital twins. In terms of factories and companies, it is very dangerous.</p><p>The communication protocols generally used in industrial control systems include Modbus/TCP, Ethernet/IP, DNP3, etc. These protocols were originally used in a closed and trusted network, so safety issues were not considered. The industrial control virtualization system also has the same defects as follows [<xref ref-type="bibr" rid="scirp.110979-ref15">15</xref>]:</p><p>1) The intelligent system faces systemic risks. The digital twin system is the connection between the physical system and the virtual system. On the one hand, the basic equipment and control system of intelligent manufacturing will face unknown network risks; on the other hand, the intelligent manufacturing system may face data security risks.</p><p>2) The development of digital twin cities cannot be ignored. Critical information infrastructure risks exist. Secondly, a large number of new technologies and applications bring unknown risks, and the corresponding new services and security management mechanisms are also lagging to varying degrees.</p><p>Therefore, in combination with the current situation and the problems faced, this solution is proposed, and on the basis of the digital twin system, safety prevention and control measures are built in order to effectively solve the current problems.</p></sec><sec id="s3_3"><title>3.3. Attack Detection Method</title><p>This article first built a small industrial control system, and then connected, completed the communication of the system. Secondly, build the digital twin system. After the system is built, perform corresponding port scanning, data capture, data control, and data analysis. The main process is shown in <xref ref-type="fig" rid="fig2">Figure 2</xref>.</p><p>To realize the digital twin, OpenPLC is installed on the server. OpenPLC can virtualize an industrial control system. By adding slaves, different terminals can be added to the monitoring range to achieve the purpose of monitoring the entire industrial control system. This article uses Raspberry Pi and PC as the terminal to communicate with the server by modbus. It is designed for learning computer programming education, and its system is based on Linux. In order to achieve the connection between the external network and the internal network, install peanut shells on the internal network host to perform internal network penetration, and assign a public network IP and port to the Raspberry Pi to connect to the server. The server configured with OpenPLC can pass RunTime software, to program, monitor, defend and deploy PLCs such as Raspberry Pi.</p><p>In the industrial environment where the digital twin system is built, the pfsense firewall configured with snort is deployed in a wide area network (WAN) environment. In the industrial control system environment, devices in the same network environment are protected by the pfsense firewall. Install the snort plug-in in pfsense, configure the interception rules, detect the WAN interface, and take defensive measures. Then, when an attacker conducts a DoS attack, it can be caught by snort and issued an early warning to prevent it. It can detect external attacks, and can block other irrelevant devices including attackers. Effectively guarantee the communication security of the industrial control system under the WAN environment. Such a network topology diagram is shown in <xref ref-type="fig" rid="fig3">Figure 3</xref>.</p><p>3) Accept the problem of discontinuous serial numbers: There are three message formats in the IEC 104 protocol, namely I format for effective data transmission, the S format for number confirmation, and the U format for connection maintenance. I frame is divided into two parts, APCI and ASDU, collectively referred to as APDU [<xref ref-type="bibr" rid="scirp.110979-ref13">13</xref>], while S frame and U message have only APCI part.</p><p>When receiving an I format data frame, compare the sending sequence number with the local receiving sequence number, if they are the same, then receive it, otherwise decide whether to discard it according to the situation. This guarantees data to a certain extent However, when the network delay is large, the application layer data packets may arrive out of order. When a data packet is discarded due to out of order, subsequent messages will be out of order. The way to solve the problem of serial number discontinuity is to adopt the window receiving method, as shown in <xref ref-type="fig" rid="fig3">Figure 3</xref>.</p><p>In order to enhance the confidentiality, integrity, availability and controllability of the communication data under the digital twin, an attack detection algorithm based on this system is proposed for typical DoS attacks, which successfully defends against DoS attacks and provides more security for the industrial control system.</p><p>The attack detection algorithm uses the blacklist function of the pfsense firewall and snort rule matching to achieve attack detection. The detailed steps are as follows:</p><p>1) Unknown visitors access/attack the system;</p><p>2) Pfsense firewall activates the black list function;</p><p>3) Compare the IP in the blacklist, if the visitor’s IP is in the blacklist, then restrict its access and end this process; if the visitor’s IP is not in the blacklist, then enter the next process;</p><p>4) Match with snort rules, if the set rules cannot be matched, then let go and end the process; if the set rules are matched, the IP will be blocked (blocked);</p><p>The attack detection algorithm flow is shown in <xref ref-type="fig" rid="fig4">Figure 4</xref>.</p><p>The Algorithm 1 is described as follows, where the unknown visitor is represented by A, and whether the data packet meets the blacklist is represented by B.</p><p>Algorithm 1. Attack detection algorithm.</p></sec></sec><sec id="s4"><title>4. Safety Analysis</title><sec id="s4_1"><title>4.1. Experimental Environment</title><p>The experiment consists of a cloud server, a Raspberry Pi 3B+ with Debian installed, a router, and a terminal computer. The physical connection of the hardware devices is shown in <xref ref-type="fig" rid="fig5">Figure 5</xref>.</p><p>The snort version is 2.9, the OpenPLC version is OpenPLC_v3, and the HMI version is ScadaBR. The host IP is 192.168.0.123, and the attacker’s IP is 192.168.0.1. <xref ref-type="table" rid="table1">Table 1</xref> describes the environmental configuration involved in the experiment.</p><p>After completing the physical connection, the cloud server acts as the Modbus master and the Raspberry Pi acts as the Modbus slave, communicating through the modbus TCP protocol.</p><p>Deploy OpenPLC on the server and use the OpenPLC editor to write programs to completely restore the physical system, thereby realizing the monitoring of the industrial control system. The ladder diagram settings involved in the experiment are shown in <xref ref-type="table" rid="table2">Table 2</xref>. Two variables are set, namely control and lamp. Both variables are of BOOL type and set their initial value to FALSE. The position information indicates that the pin positions on the Raspberry Pi are %IX1.5 and %IX1.6 respectively.</p><table-wrap id="table1" ><label><xref ref-type="table" rid="table1">Table 1</xref></label><caption><title> Equipment configuration table</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Equipment</th><th align="center" valign="middle" >System/Software</th><th align="center" valign="middle" >IP, MAC address</th></tr></thead><tr><td align="center" valign="middle" >Server system</td><td align="center" valign="middle" >Linux aarch64</td><td align="center" valign="middle" >4.15.0-70-generic</td></tr><tr><td align="center" valign="middle" >Raspberry Pi System</td><td align="center" valign="middle" >Raspbian GNU/Linux 10</td><td align="center" valign="middle" >Raspberry3+</td></tr><tr><td align="center" valign="middle" >Virtual machine 1 (Linux system)</td><td align="center" valign="middle" >Ubuntu 14.04.4</td><td align="center" valign="middle" >processor: 1 RAM: 2GB</td></tr><tr><td align="center" valign="middle" >Virtual machine 2 (Linux system)</td><td align="center" valign="middle" >Linux kali 4.19.0</td><td align="center" valign="middle" >processor: 1 RAM: 2GB</td></tr><tr><td align="center" valign="middle" >Virtual machine software</td><td align="center" valign="middle" >VMware&#174; Workstation 15 Pro</td><td align="center" valign="middle" >15.0.2 build-10952284</td></tr><tr><td align="center" valign="middle" >Pfsense</td><td align="center" valign="middle" ></td><td align="center" valign="middle" >2.4.5</td></tr></tbody></table></table-wrap><table-wrap id="table2" ><label><xref ref-type="table" rid="table2">Table 2</xref></label><caption><title> System ladder diagram settings</title></caption><table><tbody><thead><tr><th align="center" valign="middle" >Variable Name</th><th align="center" valign="middle" >Type</th><th align="center" valign="middle" >Position</th></tr></thead><tr><td align="center" valign="middle" >control</td><td align="center" valign="middle" >BOOL</td><td align="center" valign="middle" >%IX1.5</td></tr><tr><td align="center" valign="middle" >lamp</td><td align="center" valign="middle" >BOOL</td><td align="center" valign="middle" >%IX1.6</td></tr></tbody></table></table-wrap><p><xref ref-type="fig" rid="fig6">Figure 6</xref> is the corresponding ladder diagram of the experimental system, by converting the system into a ladder diagram.</p><p>Import the .st file generated by the OpenPLC editor into OpenPLC to monitor the status of the control in real time. As shown in <xref ref-type="fig" rid="fig7">Figure 7</xref>, Monitoring is a function of OpenPLC, and the refresh time is set to 100 milliseconds.</p><p>Use Python to write programs to achieve Modbus communication. The server serves as the host and the Raspberry Pi serves as the slave. Use WireShark to capture Modbus communication data. The captured data is shown in <xref ref-type="fig" rid="fig8">Figure 8</xref>.</p></sec><sec id="s4_2"><title>4.2. DoS Attacks on the System</title><p>The system attack experiment uses Kali Linux, which is a Debian-based Linux system distribution, mainly used for digital forensics, penetration testing, and hacker defense. In Kali, we attacked the Raspberry Pi system. The attack code is as follows:</p><p>Root@kali: ~#fping-asg 192.168.0.0/24;</p><p>Root@kali: ~#hping3-q-n-a 1.1.1.1--icmp-d 200--flood 192.168.1.119;</p><p>After Kali executes a denial of service attack, Snort will detect it, and it will send an alert when it detects an attack.</p></sec><sec id="s4_3"><title>4.3. DoS Attack on Modbus Protocol</title><p>Attacks on Modbus use the SMOD framework, which is an open source industrial control system Modbus communication attack framework. Using this framework, any system that uses Modbus communication can be attacked. The attack methods of the SMOD framework include obtaining device function codes, ARP attacks on devices, and DoS attacks on devices.</p><p>As shown in <xref ref-type="fig" rid="fig9">Figure 9</xref>, using SMOD to obtain the UID, RHOTS, and PORT of the device, the device can be attacked.</p></sec><sec id="s4_4"><title>4.4. Attack Detection</title><p>Pfsense is based on FreesBSD and can be installed on a computer as a firewall and router in the network. This experiment mainly uses its firewall function.</p><p>Snort is an open source network intrusion detection system. It can not only be used for rule matching, but also can detect anomalies, cross-packet attacks, and protocol non-standard attacks.</p><p>One advantage of Pfsense is that it can add a variety of plug-ins. After adding the Snort plug-in, it has the function of intrusion prevention system. Pfsense can monitor LAN and WAN. This implementation uses its monitoring of WAN and combines snort rules to alert on attacks, making the virtual chemical control system based on OpenPLC more secure.</p><p>Based on the Snort engine, design rules for matching, that is, the rule language. The rules used to detect DoS in this experiment are as follows:</p><p>{alert icmp any any -&gt; $HOME_NET any (msg:”ICMP test”; sid:10000001; rev:001;}</p><p>In this rule, alert means that an alarm will be issued if the entry rule is triggered, icmp means protocol type, any means any source/destination IP address, any/80 means port number, -&gt; means direction operator, msg means in alarm And the message issued in the package log, sid represents the ID of the Snort rule, and rev is used to identify the version of the rule modification.</p><p>In addition, it also includes rules for specific communication protocols such as Modbus communication protocol. The rules used to detect Modbus TCP function code scanning attacks in this experiment are as follows:</p><p>{</p><p>alert tcp $192.168.0.1 502 -&gt; $192.168.1.107 any</p><p>(flow: established;</p><p>content: “|00 00|”; offset:2;</p><p>depth:2; byte_test: 1, &gt;=, 0x80, 7;</p><p>content: “|01|”offset:8; depth:1;</p><p>msg: “SCADA_IDS: Modbus TCP-Function Code Scan”;</p><p>threshold: type threshold, track by_src, count 3, seconds 60;</p><p>classtype: attempted-recon; sid:1111014; rev:2; priority:2;)</p><p>}</p><p>In this rule, content means searching for the specified pattern in the payload of the data packet, offset means the offset of the match, and depth means the depth of the match. The above constitutes the Snort rules for exclusive Modbus communication.</p><p>The intrusion detection test needs to be processed by the Snort engine. Through the analysis of the data packet, it matches with the data packet signature. If it succeeds, an early warning is generated.</p></sec></sec><sec id="s5"><title>5. Result Analysis</title><sec id="s5_1"><title>5.1. Result and Analysis of DoS Attacks on the System</title><p>After OpenPLC is successfully deployed in the system and started, a successful connection message will be reported in the log. It can be seen from the log information that OpenPLC will try to connect to the added slave station, and execute the start_Modbus command on port 502, and monitor port 502 (<xref ref-type="fig" rid="fig1">Figure 1</xref>0).</p><p>After using Kali to attack, you can obviously feel that the running speed of Raspberry Pi is slowing down, and Snort will send out an alarm. Snort detection results are shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>1.</p><p>It can be seen from <xref ref-type="fig" rid="fig1">Figure 1</xref>1 that this attack uses the ICMP protocol, using the ping command to perform a denial of service attack on the Raspberry Pi’s IP address 192.168.0.123. It can be concluded from the experimental results that snort can detect attacks well.</p><p>After the Raspberry Pi is subjected to a denial of service attack, the remote desktop connection will be disconnected. As shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>2, the OpenPLC log will also report an error.</p></sec><sec id="s5_2"><title>5.2. Result and Analysis of Modbus Attack Experiment</title><p>The attack destination IP is 192.168.1.105, so first use the SMOD framework to obtain the UID of the attacker for subsequent attacks. The process of obtaining UID is as follows:</p><p>SMOD modbus(uid) &gt; set RHOSTS 192.168.1.105</p><p>SMOD modbus(uid) &gt; exploit</p><p>[+] Module Brute Force UID Start</p><p>[+] Start Brute Force UID on: 192.168.1.105</p><p>[+] UID on 192.168.1.105 is: 1</p><p>It can be seen from the above operations that the UID of the device is 1, and then the SMOD framework can be used to further attack the device. The process is as follows:</p><p>SMOD modbus(writeSingleRegister) &gt; set RHOSTS 192.168.1.105</p><p>SMOD modbus(writeSingleRegister) &gt; set RegisterValue 0x0000</p><p>SMOD modbus(writeSingleRegister) &gt; set RegisterAddr 0x0000</p><p>SMOD modbus(writeSingleRegister) &gt; set UID 1</p><p>SMOD modbus(writeSingleRegister) &gt; exploit</p><p>By using the write to a single register in the SMOD attack, set the IP of the attacker RHOTS, set the value of the register to be written to 0x0000, set the address of the register to be written to 0x0000, and set the UID to 1. The result is as follows:</p><p>[+] Module Write Single Register Start</p><p>[+] Connecting to 192.168.1.105</p><p>[+] Response is:</p><p>###[ModbusADU]###</p><p>transId = 0x7</p><p>protoId = 0x0</p><p>len = 0x6</p><p>unitId = 0x1</p><p>###[Write Single Register Answer]###</p><p>funcCode = 0x6</p><p>registerAddr = 0x0</p><p>registerValue = 0x1</p><p>Use wireshark to capture this attack process, and you can find this packet with</p><p>function code 06. The captured data packet is shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>3, which is the attack process of SMOD writing a single register.</p><p>By attacking a single register, the value of the register can be changed. From the attack process, it can be known that the value of the register whose address is 0x0000 is changed from 0x0001 to 0x0000. In this experiment, the address is the register on 0x0000 It controls the on and off of the LED light, 0x0001 is high level, that is, the LED light is on, and becomes low level 0x0000 after being attacked, that is, the LED light is off. In the digital virtualization system built, it can be seen that before the attack, Value is TRUE, and after the attack, Value is FALSE, thus realizing the monitoring of the industrial control system by the digital virtualization system (<xref ref-type="fig" rid="fig1">Figure 1</xref>4).</p><p>Through the pfsense firewall, the flow of the attack process can be observed. Set the WAN interface monitored by pfsense and display it through the IP address. You can see the traffic changes detected by pfsense under different attack methods, as shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>5.</p><p>In <xref ref-type="fig" rid="fig1">Figure 1</xref>5(a) is the flow of the client and server under normal traffic conditions, and only a few fluctuations can be seen; <xref ref-type="fig" rid="fig1">Figure 1</xref>5(b) is a DoS attack on the system that writes a single register, and the fluctuations can be seen The amplitude is large and dense, with the maximum speed reaching 250 k Bits/sec or more; <xref ref-type="fig" rid="fig1">Figure 1</xref>5(c) is the attack of writing a single register. It can be seen that the traffic reaches 5 k Bits/sec, which shows a short flow change; <xref ref-type="fig" rid="fig1">Figure 1</xref>5(d) is writing For the DoS attacks on all registers, because the registers are written into the attack one by one, it can be seen that the traffic fluctuates. It is obvious that the interval between before and after the attack has reached a maximum speed of 200 k Bits/sec.</p><p><xref ref-type="fig" rid="fig1">Figure 1</xref>6 is a system monitoring diagram, and its parameters are user utilization (user util.), priority utilization (nice util.), system utilization (system util.), interrupt (interrupt) and processes (processes). As can be seen from the figure, when the system is subjected to a DoS attack, the system utilization rate (system util.) increases significantly, with the highest value reaching 90.21%, which means that a large amount of system resources will be consumed during the DoS attack, resulting in a high system utilization rate.</p><p>After completing this attack process, visit the snort homepage in pfsense and view the alert interface to view the alert information of this attack.</p><p>As shown in <xref ref-type="fig" rid="fig1">Figure 1</xref>7, after being attacked, the words “Someone abnormally connected to the modbus device” will be displayed, and information about the attack event, protocol used, source IP, target IP, and attacked port will be displayed.</p><p>After attacking the Raspberry Pi slave side, snort will issue an alarm and block the destination IP and source IP. You can see snort’s blocking information from <xref ref-type="fig" rid="fig1">Figure 1</xref>8. It can be found that the attack initiated by the attacker was successfully detected and prevented.</p></sec></sec><sec id="s6"><title>6. Conclusions</title><p>The industrial control virtualization system is at risk of being attacked. After being attacked, the industrial control system will be disconnected from the control, and the main console cannot detect the operating status of the system, or the data has been tampered with, resulting in wrong operations, and thus cannot be timely Maintenance will cause a lot of losses.</p><p>In view of the continuous expansion of industrial control systems and the gradual emergence of network security issues, this paper proposes a digital virtual industrial control system, builds a virtual industrial control system based on OpenPLC, and attacks on this system, using Snort intrusion detection The pfsense firewall of the system detects Dos attacks. The construction of a virtual industrial control system can monitor and predict the actual industrial control system, simulate possible attacks, and design a plan to deal with the attack. Therefore, the attack detection security scheme proposed in this paper is useful for the future development and security of industrial control systems. It has practical significance. In addition, this method also has limitations, that is, there is no smarter method to improve system security, and so in-depth research will be conducted in this area in the future.</p></sec><sec id="s7"><title>Conflicts of Interest</title><p>The authors declare no conflicts of interest regarding the publication of this paper.</p></sec><sec id="s8"><title>Cite this paper</title><p>Li, T.X., Wang, Y., Zou, C.M., Tian, Y.J., Zhou, L. and Zhu, Y.W. (2021) Research on DoS Attack Detection Method of Modbus TCP in OpenPLC. Journal of Computer and Communications, 9, 73-90. https://doi.org/10.4236/jcc.2021.97007</p></sec></body><back><ref-list><title>References</title><ref id="scirp.110979-ref1"><label>1</label><mixed-citation publication-type="other" xlink:type="simple">Gartner (2017) Gartner’s Top 10 Strategic Technology Trends for 2017[EB/OL]. https://www.forbes.com/sites/peterhigh/2016/10/18/gartner-top-10-strategic-technology-trends-for-2017/</mixed-citation></ref><ref id="scirp.110979-ref2"><label>2</label><mixed-citation publication-type="other" xlink:type="simple">Panetta, K. (2018) 5 Trends Emerge in the Gartner Hype Cycle for Emerging Technologies, 2018. https://www.gartner.com/smarterwithgartner/5-trends-emerge-in-gartner-hype-cycle-for-emerging-technologies-2018/</mixed-citation></ref><ref id="scirp.110979-ref3"><label>3</label><mixed-citation publication-type="other" xlink:type="simple">Panetta, K. (2019) 5 Trends Appear on the Gartner Hype Cycle for Emerging Technologies, 2019. https://www.gartner.com/smarterwithgartner/5-trends-appear-on-the-gartner-hype-cycle-for-emerging-technologies-2019/</mixed-citation></ref><ref id="scirp.110979-ref4"><label>4</label><mixed-citation publication-type="other" xlink:type="simple">Panetta, K. (2020) 5 Trends Drive the Gartner Hype Cycle for Emerging Technologies, 2020. https://www.gartner.com/smarterwithgartner/5-trends-drive-the-gartner-hype-cycle-for-emerging-technologies-2020/</mixed-citation></ref><ref id="scirp.110979-ref5"><label>5</label><mixed-citation publication-type="other" xlink:type="simple">Tao, F., Liu W., Liu J.H., et al. (2018) Digital Twin and Its Potential Application Exploration. Computer Intergrated Manufacturing Systems, 24, 1-18.</mixed-citation></ref><ref id="scirp.110979-ref6"><label>6</label><mixed-citation publication-type="other" xlink:type="simple">Alves, T.R., Buratto, M., de Souza, F.M., et al. (2014) OpenPLC: An Open Source Alternative to Automation. IEEE Global Humanitarian Technology Conference (GHTC 2014), San Jose, CA, USA, 10-13 October 2014, 585-589. https://doi.org/10.1109/GHTC.2014.6970342</mixed-citation></ref><ref id="scirp.110979-ref7"><label>7</label><mixed-citation publication-type="other" xlink:type="simple">Ma, Y., Wang C.-X., Yin Z.-Y., et al. (2019) Design and Construction of Digital Twin Laboratory Model Based on SAMP of Chinese Academy of Science. Computer Intergrated Manufacturing Systems, 40, 2343-2347.</mixed-citation></ref><ref id="scirp.110979-ref8"><label>8</label><mixed-citation publication-type="other" xlink:type="simple">Tao, F., Liu, W.R., Zhang, M., et al. (2019) Five-Dimension Digital Twin Model and Its Ten Applications. Computer Intergrated Manufacturing Systems, 25, 1-18.</mixed-citation></ref><ref id="scirp.110979-ref9"><label>9</label><mixed-citation publication-type="other" xlink:type="simple">Tao, F., Zhang, M. and Cheng, J.F. (2017) Digital Twin Workshop: A New Paradigm for Future Workshop. Computer Intergrated Manufacturing Systems, 23: 1-9.</mixed-citation></ref><ref id="scirp.110979-ref10"><label>10</label><mixed-citation publication-type="other" xlink:type="simple">Chen, M., Deng, C.-Y., Zhang, J. and Guo, R.-F. (2020) Research on 3D Detection and Interaction Algorithm of Production Line Based on Digital Twin. Journal of Chinese Computer Systems, 41, 979-984.</mixed-citation></ref><ref id="scirp.110979-ref11"><label>11</label><mixed-citation publication-type="other" xlink:type="simple">Liu, Z.F., Chen, W., Yang, C.B., Cheng, Q. and Zhao, Y.S. (2019) Intelligent Manufacturing Workshop Dispatching Cloud Platform Based on Digital Twins. Computer Intergrated Manufacturing Systems, 25, 1444-1453.</mixed-citation></ref><ref id="scirp.110979-ref12"><label>12</label><mixed-citation publication-type="other" xlink:type="simple">Wang, S.L., Wang, Y.K., Yang, B. and Wang, S.B. (2019) Fog Manufacturing: New Paradigm of Industrial Internet Manufacturing Based on Hierarchical Digital Twin. Computer Intergrated Manufacturing Systems, 25, 3070-3080.</mixed-citation></ref><ref id="scirp.110979-ref13"><label>13</label><mixed-citation publication-type="other" xlink:type="simple">Xiong, Q., Liu, H., Xu, Y., et al. (2015) A Vulnerability Detecting Method for Modbus-TCP Based on Smart Fuzzing Mechanism. 2015 IEEE International Conference on Electro/Information Technology (EIT), Dekalb, IL, USA, 21-23 May 2015, 404-409. https://doi.org/10.1109/EIT.2015.7293376</mixed-citation></ref><ref id="scirp.110979-ref14"><label>14</label><mixed-citation publication-type="other" xlink:type="simple">Chen, B., Pattanaik, N., Goulart, A., et al. (2015) Implementing Attacks for Modbus/TCP Protocol in a Real-Time Cyber Physical System Test Bed. 2015 IEEE International Workshop Technical Committee on Communications Quality and Reliability (CQR), Charleston, SC, USA, 11-14 May 2015, 1-6. https://doi.org/10.1109/CQR.2015.7129084</mixed-citation></ref><ref id="scirp.110979-ref15"><label>15</label><mixed-citation publication-type="other" xlink:type="simple">Li, X., Liu, X. and Wan, X.X. (2019) Overview of Digital Twins Application and Safe Development. Journal of System Simulation, 31, 385-392.</mixed-citation></ref></ref-list></back></article>