Characterizing AI-Assisted Bot Traffic in Darknet Data: Implications for ICS and IIoT Security
Alex Carbajal, Caleb Faultersack, Jonahtan Vasquez, Shereen Ismail, and Asma Jodeiri Akbarfam

TL;DR
This study analyzes a large darknet dataset to understand evolving AI-assisted bot traffic patterns, revealing increased targeting of industrial protocols and evasion techniques that challenge traditional intrusion detection systems.
Contribution
It introduces a modular analysis pipeline for characterizing bot traffic and demonstrates how modern botnets evade detection, exposing gaps in current IDS approaches.
Findings
Bot traffic targeting ICS ports nearly doubled from 0.82% to 1.51%.
Modern botnets use micro-pacing to evade detection, with delays from 1 ms to 100 ms.
Standard volumetric thresholds detect only 2.53% of bot traffic, with high false positives when sensitivity is increased.
Abstract
The rise of automated scanning tools and AI-assisted reconnaissance agents has significantly altered internet background traffic patterns, threatening the baseline assumptions underlying intrusion detection systems (IDS) deployed in critical infrastructure networks. This paper characterizes the evolution of automated bot traffic by analyzing a longitudinal dataset of 192 million passive darknet packets captured across 2021 and 2025 from the Merit ORION Network Telescope. A modular analysis pipeline was developed to compute metrics including average packet rate, global Shannon entropy, inter-arrival time (IAT) burstiness, geographic attribution, and destination port targeting across key industrial protocols. Results reveal a highly distributed yet focused reconnaissance landscape, with traffic targeting ICS-relevant ports nearly doubling from 0.82% to 1.51% over the four-year period.…
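The metrics named in the abstract, computed per source over a small constructed capture to show why a packet-rate threshold alone misses a micro-paced scanner. This is an added example, not the paper's pipeline. Assumptions: the Goh-Barabási burstiness definition, entropy taken over destination ports, the ICS port set, the 100 pps threshold, and the sample traffic (documentation-range addresses) are all illustrative.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Assumed ICS port set (common defaults); the paper's exact list is not on this page.
ICS_PORTS = {102, 502, 20000, 44818, 47808}

def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of values."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def burstiness(timestamps):
    """Assumed definition: B = (sigma - mu) / (sigma + mu) over inter-arrival times."""
    iats = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mu, sigma = mean(iats), pstdev(iats)
    return (sigma - mu) / (sigma + mu) if sigma + mu else 0.0

def characterize(packets, pps_threshold=100.0):
    """packets: iterable of (timestamp_s, src_ip, dst_port). Returns per-source metrics."""
    by_src = {}
    for ts, src, port in packets:
        by_src.setdefault(src, []).append((ts, port))
    out = {}
    for src, rows in by_src.items():
        rows.sort()
        ts = [r[0] for r in rows]
        ports = [r[1] for r in rows]
        duration = ts[-1] - ts[0]
        rate = len(rows) / duration if duration > 0 else float(len(rows))
        out[src] = {
            "pps": rate,
            "port_entropy": shannon_entropy(ports),
            "burstiness": burstiness(ts) if len(ts) > 2 else 0.0,
            "ics_share": sum(p in ICS_PORTS for p in ports) / len(ports),
            "volumetric_alert": rate > pps_threshold,  # naive rate-only rule
        }
    return out

def sample_packets():
    """Constructed traffic: a 1000 pps sweep and a source pacing 1-100 ms on ICS ports."""
    pkts, t = [], 0.0
    for i in range(200):
        pkts.append((i * 0.001, "198.51.100.7", 1 + i))
        t += (1 + (i * 37) % 100) / 1000
        pkts.append((t, "203.0.113.9", [502, 102, 44818, 20000][i % 4]))
    return pkts
```

On this sample the rate rule flags only the sweep; the paced source stays near 20 pps but stands out on `ics_share` and low `port_entropy`.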
