Abstract:
Intrusion detection in industrial control systems is a challenging problem in industrial networks, and existing approaches are usually characterized by low speed, high cost, and poor scalability. We use the one-class support vector machine (OCSVM) algorithm to build a communication model that learns normal behavior from normal Modbus/TCP data sets. As the number of new samples continues to increase, the current training sample set is reduced using the near-class interval and the Karush-Kuhn-Tucker (KKT) conditions to improve the learning speed, and the reduced training sample set is used in the OCSVM incremental training. Our experimental data analysis shows that this method has higher classification accuracy and improves the learning speed of the intrusion detection system.
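The following sketch of KKT-based sample reduction for incremental OCSVM training is an added example, not the paper's implementation. It retrains on the old support vectors and near-boundary samples plus the new samples the current model does not already explain. The feature scaling in `feat`, the `margin` rule standing in for the near-class interval, the small SMO solver and all traffic samples are assumptions constructed for illustration.

```python
import math

GAMMA, NU = 2.0, 0.1

def feat(fc, addr, qty):
    # Constructed scaling of a Modbus/TCP request: function code, start address, quantity
    return (float(fc), addr / 100.0, qty / 20.0)

def rbf(a, b):
    return math.exp(-GAMMA * sum((x - y) ** 2 for x, y in zip(a, b)))

def train_ocsvm(X, tol=1e-4, max_iter=5000):
    """OCSVM dual: min 1/2 a'Ka with 0 <= a_i <= C, sum(a) = 1, via pairwise SMO steps."""
    n = len(X); C = 1.0 / (NU * n)
    K = [[rbf(a, b) for b in X] for a in X]
    alpha = [1.0 / n] * n
    g = [sum(row) / n for row in K]                      # gradient K @ alpha
    for _ in range(max_iter):
        up = min((i for i in range(n) if alpha[i] < C - 1e-12), key=g.__getitem__)
        dn = max((i for i in range(n) if alpha[i] > 1e-12), key=g.__getitem__)
        if g[dn] - g[up] < tol:                          # KKT conditions hold within tol
            break
        t = (g[dn] - g[up]) / max(2.0 - 2.0 * K[up][dn], 1e-12)
        t = min(t, C - alpha[up], alpha[dn])             # stay inside the box constraints
        alpha[up] += t; alpha[dn] -= t
        for k in range(n):
            g[k] += t * (K[k][up] - K[k][dn])
    return {"X": list(X), "alpha": alpha, "rho": (g[up] + g[dn]) / 2.0}

def decision(m, x):
    """f(x) >= 0: inside the learned normal region; f(x) < 0: outside it."""
    return sum(a * rbf(xi, x) for a, xi in zip(m["alpha"], m["X"]) if a > 0) - m["rho"]

def incremental_update(m, batch, margin=0.01):
    """Keep old support vectors and near-boundary samples, plus new samples that violate
    the current model's KKT conditions (f < 0) or lie within `margin` of the boundary."""
    old = [x for x, a in zip(m["X"], m["alpha"]) if a > 1e-8 or decision(m, x) < margin]
    new = [x for x in batch if decision(m, x) < margin]
    return train_ocsvm(old + new), len(old), len(new)

# Constructed traffic: FC 3 polling, then a batch that adds a legitimate FC 4 poll
normal = [feat(3, a, 1 + a % 10) for a in range(40)]
batch = ([feat(3, a, 2 + a % 8) for a in range(0, 40, 4)]
         + [feat(4, a, 1 + a % 10) for a in range(0, 40, 4)])
attack = feat(16, 500, 100)                              # constructed out-of-profile write

m0 = train_ocsvm(normal)
m1, n_old, n_new = incremental_update(m0, batch)
if __name__ == "__main__":
    print(f"retrained on {n_old + n_new} of {len(normal) + len(batch)} samples")
    print("attack scores:", decision(m0, attack), decision(m1, attack))
```

New samples with f(x) >= margin already satisfy the KKT conditions with a zero multiplier, so dropping them leaves the retrained boundary essentially unchanged while shrinking the kernel matrix.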