In industrial control systems (ICSs), the PROFIBUS-DP (decentralized peripherals) protocol is widely used for communication between devices. Because PROFIBUS-DP is an unencrypted and insecure bus protocol, attackers can connect to the PROFIBUS-DP system and arbitrarily manipulate I/O process values, which may interrupt the normal operation of industrial equipment, or have more serious consequences. However, due to the complex structures of bus networks and the large number of attack areas, the existing scheme does not monitor all the messages in the industrial head office network and cannot effectively detect semantic attacks. To solve this problem, we propose a novel attack detection system DpGuard. DpGuard automatically builds a finite-state machine model of normal ICS behavior through a large number of historical ICS traffic data. The model includes state events, state transitions, state transition probability, and other normal behavior information. In addition, DpGuard records the execution status of the context data package, uses the real-time captured data package as the input of the model, and judges whether the state event and state transition probability conform to the constraints of the finite-state machine model, so as to identify the legitimate normal behavior of the ICS. Our proposal was evaluated using two Siemens PLCs (programmable logic controllers) deployed on the PROFIBUS-DP system. The experimental results demonstrated that the scheme could accurately detect fault injection and semantic attacks. Compared with other detection models, our scheme presented an improved detection performance, with a detection accuracy of 99.80%.