Abstract:
To address the problem of viruses and Trojans attacking the application-layer network protocols of industrial control systems, we analyze the rules of the Modbus/TCP communication protocol and propose a semi-supervised strategy based on clustering and support vector machines. This strategy combines unsupervised fuzzy C-means (FCM) clustering with a supervised support vector machine (SVM) to realize semi-supervised machine learning for industrial anomaly detection. First, we extract the Modbus/TCP communication flow data of the industrial control system and preprocess it. Then we obtain the cluster centers by fuzzy C-means clustering and calculate the distance between each communication record and the cluster centers. The subset of data satisfying the threshold condition is further classified by support vector machines optimized by genetic algorithms. The experimental results show that, compared with traditional intrusion detection methods, this method combines unsupervised and supervised learning, reduces the training time, and improves the classification accuracy without knowing the category labels in advance.
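The clustering and distance-threshold stages described above can be sketched as follows. This is an added example, not the authors' code: the two features (function code, register quantity), the sample values, the threshold of 4.0 and the rule that records farther than the threshold from every center are the ones deferred to the supervised classifier are all assumptions, and the GA-optimized SVM stage is not shown.

```python
import math

def fcm(X, c=2, m=2.0, iters=100, tol=1e-6):
    """Fuzzy C-Means. Returns (centers, memberships).
    Centers start at evenly spaced samples so the run is deterministic."""
    n, dim = len(X), len(X[0])
    centers = [list(X[i * n // c]) for i in range(c)]
    U = []
    for _ in range(iters):
        # Membership update: u_ij = 1 / sum_k (d_ij / d_ik)^(2/(m-1))
        U = []
        for x in X:
            d = [max(math.dist(x, v), 1e-12) for v in centers]
            U.append([1.0 / sum((d[j] / d[k]) ** (2 / (m - 1)) for k in range(c))
                      for j in range(c)])
        # Center update: mean of the samples weighted by u_ij^m
        new = []
        for j in range(c):
            w = [u[j] ** m for u in U]
            new.append([sum(wi * x[k] for wi, x in zip(w, X)) / sum(w)
                        for k in range(dim)])
        shift = max(math.dist(a, b) for a, b in zip(centers, new))
        centers = new
        if shift < tol:
            break
    return centers, U

def split_by_distance(X, centers, threshold):
    """Assumed threshold rule: a record within `threshold` of its nearest
    center takes that cluster; the rest are deferred to the SVM stage."""
    confident, deferred = {}, []
    for i, x in enumerate(X):
        d = [math.dist(x, v) for v in centers]
        j = d.index(min(d))
        if d[j] <= threshold:
            confident[i] = j
        else:
            deferred.append(i)
    return confident, deferred

# Constructed sample: (Modbus function code, register quantity) per request.
SAMPLES = [(3, 10), (3, 12), (3, 11), (3, 9),   # read holding registers
           (16, 2), (16, 3), (16, 1), (16, 2),  # write multiple registers
           (10, 6)]                             # fits neither cluster well
CENTERS, MEMBERSHIPS = fcm(SAMPLES, c=2)
CONFIDENT, DEFERRED = split_by_distance(SAMPLES, CENTERS, threshold=4.0)
```

Only the records in `DEFERRED` would need labels and SVM training, which is where the reduction in training time claimed in the abstract would come from.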