Binary Image-Based Intrusion Detection for Operational Technology Networks: Extending the SPHBI Methodology from IoT to Modbus TCP
Aamir Omar

TL;DR
This paper adapts the SPHBI intrusion detection method from IoT to Modbus TCP, demonstrating high accuracy with minimal parameters on a large dataset, but struggles with replay attacks.
Contribution
It extends the SPHBI methodology to Modbus TCP, achieving high accuracy with fewer parameters and evaluating its effectiveness on a comprehensive dataset.
Findings
TCP/IP headers alone yield 51.8% accuracy
Adding application-layer info raises accuracy to 98.1%
Best approach achieves 94.4% multiclass accuracy with 56,873 parameters
Abstract
This paper extends the Single Packet Header Binary Image (SPHBI) intrusion detection methodology from IoT to Modbus TCP, evaluating five approaches spanning a gradient of protocol depth on the CIC Modbus 2023 dataset (11.4 million packets, eight detectable attack types). TCP/IP headers alone achieve only 51.8% binary accuracy, confirming that header-level heterogeneity exploited in IoT traffic is absent in uniform SCADA environments. Adding eight bytes of application-layer information improves binary accuracy to 98.1% with just 63 parameters, directly relevant to per-packet classification on resource-constrained OT edge devices. The best-performing approach achieves 94.4% +/- 2.2pp multiclass accuracy across nine classes (95% CI [92.9%, 95.9%], 10 seeds) with 56,873 parameters, roughly 430 times fewer than comparable ResNet50-based approaches. Per-class recall analysis shows seven of…
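The abstract's central point is that a per-packet binary image built from TCP/IP headers alone carries almost no signal on a uniform Modbus TCP network, while eight extra application-layer bytes make packets separable. The following added example is not the paper's code; it assumes that those eight bytes are the 7-byte MBAP header plus the 1-byte Modbus function code (the paper's actual image layout is not stated on this page) and constructs two sample packets that differ only in the function code. Rendering each packet as a byte-by-bit image shows that the header-only images are pixel-identical and the header-plus-application images are not, which is the effect the 51.8% versus 98.1% figures describe.

```python
import struct
from typing import List

# Constructed sample packets (not captured traffic). Each is an IPv4 header,
# a TCP header and the first eight application-layer bytes of a Modbus TCP
# request: the 7-byte MBAP header plus the 1-byte function code. Assumption:
# these eight bytes are the "application-layer information" the abstract
# refers to; the paper's real image layout is not given here.

IPV4_HDR_LEN = 20
TCP_HDR_LEN = 20
MODBUS_APP_LEN = 8          # MBAP (7) + function code (1)
MODBUS_TCP_PORT = 502

BitImage = List[List[int]]  # one row per byte, eight columns per bit


def build_ipv4_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    # version 4 / IHL 5, DSCP 0, total length, id, DF flag, TTL 64,
    # protocol TCP (6), checksum left 0 (irrelevant to the representation)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + payload_len,
                       0x1234, 0x4000, 64, 6, 0, src, dst)


def build_tcp_header(sport: int, dport: int, seq: int, ack: int) -> bytes:
    # data offset 5 words (20 bytes), flags PSH|ACK, window, checksum 0, urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18,
                       0xFFFF, 0, 0)


def build_mbap_and_fc(transaction_id: int, unit_id: int, function_code: int,
                      pdu_len: int) -> bytes:
    # MBAP: transaction id, protocol id (0 = Modbus), length = unit id + PDU, unit id
    mbap = struct.pack("!HHHB", transaction_id, 0, 1 + pdu_len, unit_id)
    return mbap + bytes([function_code])


def build_sample(function_code: int) -> bytes:
    # Both samples declare a 5-byte PDU (FC + 2-byte address + 2-byte count/value),
    # so every field outside the function code byte is identical between them.
    # Only the headers and the function code are materialized; the IP total
    # length still describes the full 52-byte packet.
    pdu_len = 5
    app = build_mbap_and_fc(transaction_id=1, unit_id=1,
                            function_code=function_code, pdu_len=pdu_len)
    tcp = build_tcp_header(sport=50123, dport=MODBUS_TCP_PORT, seq=1000, ack=2000)
    ip = build_ipv4_header(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
                           TCP_HDR_LEN + 7 + pdu_len)
    return ip + tcp + app


# Function codes from the Modbus specification:
# 0x03 Read Holding Registers, 0x06 Write Single Register.
PKT_READ = build_sample(0x03)
PKT_WRITE = build_sample(0x06)


def to_bit_image(packet: bytes, n_bytes: int) -> BitImage:
    """Render the first n_bytes of a packet as a binary image, MSB first."""
    return [[(b >> (7 - i)) & 1 for i in range(8)] for b in packet[:n_bytes]]


def header_only_image(packet: bytes) -> BitImage:
    """The TCP/IP-headers-only representation (40 rows x 8 columns)."""
    return to_bit_image(packet, IPV4_HDR_LEN + TCP_HDR_LEN)


def header_plus_app_image(packet: bytes) -> BitImage:
    """Headers plus the eight Modbus application bytes (48 rows x 8 columns)."""
    return to_bit_image(packet, IPV4_HDR_LEN + TCP_HDR_LEN + MODBUS_APP_LEN)


def function_code(packet: bytes) -> int:
    """The Modbus function code is the byte right after the 7-byte MBAP header."""
    return packet[IPV4_HDR_LEN + TCP_HDR_LEN + 7]


def hamming_distance(a: BitImage, b: BitImage) -> int:
    """Number of differing pixels between two images of equal shape."""
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))


if __name__ == "__main__":
    print("header-only distance:",
          hamming_distance(header_only_image(PKT_READ), header_only_image(PKT_WRITE)))
    print("header+app distance:",
          hamming_distance(header_plus_app_image(PKT_READ), header_plus_app_image(PKT_WRITE)))
```

On real SCADA traffic the header-only view is rarely this perfectly identical (sequence numbers, IP IDs and checksums vary), but those fields vary just as much within benign traffic as across attack classes, which is why they contribute little to a classifier; the MBAP and function-code bytes are what encode the operation being requested.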
