Abstract:
To detect application-layer attacks in industrial control networks that leave the connection configuration unchanged but tamper with the instructions and parameters in the application payload, and to improve the interpretability of anomaly detection, a model based on the behavior relationships and state understanding of the main scenarios is proposed. The model understands the operating state by dividing the industrial scenarios, defining the change behavior of process parameters, and discovering the correlations between them. By predicting the behavior state of the parameters and time-series modules related to the current process parameters, it discovers abnormal behavior states that do not conform to normal operating conditions. Experiments in various actual industrial control network scenarios verify that the proposed method achieves high anomaly detection accuracy.