Abnormality detecting method based on industrial control system network traffic

The invention relates to an abnormality detecting method based on industrial control system network traffic and belongs to the field of information security. Industrial control system network traffic is collected and its features are analyzed. When a digital signal processing method is used to convert the traffic signals from the time domain to the frequency domain, normal and abnormal traffic samples are found to differ evidently in power spectral density. A low-frequency power sum critical value is found by analyzing these difference features in a large amount of historical data; if the low-frequency power of a to-be-detected sample is larger than the critical value, the sample traffic is taken as abnormal traffic. The method includes a data preprocessing module, a traffic modeling module and an abnormality detecting module. The data preprocessing module performs the early-stage processing of the traffic data. The traffic modeling module builds normal and abnormal models according to the low-frequency power and distribution of normal traffic and abnormal traffic, from which the low-frequency power sum critical value can be calculated. The abnormality detecting module detects abnormality. The false alarm rate of the method is 6.1% and the missed-alarm rate is 9.3%.
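The pipeline described above, as an added sketch that is not code from the patent: it estimates the power spectral density with a periodogram, sums the low-frequency bins, derives a critical value from labelled historical samples, and flags a sample whose low-frequency power exceeds it. The periodogram estimator, the choice of four low-frequency bins, the mean removal, the threshold-fitting rule and the constructed traffic series are all assumptions, since the abstract does not specify them.

```python
import cmath, math, random

def low_freq_power_sum(series, n_low_bins=4):
    """Sum periodogram power |X_k|^2 / N over bins 1..n_low_bins (bin count assumed)."""
    n = len(series)
    mean = sum(series) / n
    centered = [x - mean for x in series]  # assumption: remove the DC offset
    total = 0.0
    for k in range(1, n_low_bins + 1):
        coeff = sum(x * cmath.exp(-2j * math.pi * k * t / n)
                    for t, x in enumerate(centered))
        total += abs(coeff) ** 2 / n
    return total

def fit_critical_value(normal_powers, abnormal_powers):
    """Assumed rule: the cut with the fewest false alarms plus misses."""
    points = sorted(normal_powers + abnormal_powers)
    best, best_err = None, None
    for lo, hi in zip(points, points[1:]):
        cut = (lo + hi) / 2
        err = (sum(p > cut for p in normal_powers)
               + sum(p <= cut for p in abnormal_powers))
        if best_err is None or err < best_err:
            best, best_err = cut, err
    return best

def is_abnormal(series, critical_value):
    return low_freq_power_sum(series) > critical_value

def make_sample(rng, abnormal, n=64):
    """Constructed packets-per-interval series, not captured traffic."""
    out = []
    for t in range(n):
        v = 100 + 20 * math.cos(2 * math.pi * t / 4) + rng.gauss(0, 3)  # polling cycle
        if abnormal:
            v += 40 * math.sin(2 * math.pi * 2 * t / n)  # slow swell in volume
        out.append(v)
    return out

def demo(seed=7):
    rng = random.Random(seed)
    normal = [low_freq_power_sum(make_sample(rng, False)) for _ in range(20)]
    abnormal = [low_freq_power_sum(make_sample(rng, True)) for _ in range(20)]
    cut = fit_critical_value(normal, abnormal)
    fresh = [make_sample(rng, False), make_sample(rng, True)]
    return cut, [is_abnormal(s, cut) for s in fresh]

if __name__ == "__main__":
    print(demo())
```

The fast polling cycle lands in a high-frequency bin and contributes nothing to the low-frequency sum, which is why the constructed normal and abnormal samples separate cleanly; real traffic will overlap, as the stated false alarm and missed-alarm rates indicate.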