Binary Image-Based Intrusion Detection for Operational Technology Networks: Extending the SPHBI Methodology from IoT to Modbus TCP

This paper extends the Single Packet Header Binary Image (SPHBI) methodology to Modbus TCP networks, demonstrating that incorporating just eight bytes of application-layer data enables a lightweight model to achieve 98.1% binary accuracy and 94.4% multiclass accuracy with significantly fewer parameters than deep learning alternatives, while highlighting the inherent limitation of single-packet methods in detecting replay attacks.

The Gist

Imagine a busy industrial factory where machines talk to each other using a very strict, repetitive language called Modbus TCP. This language is the "heartbeat" of critical infrastructure like power grids and water treatment plants. For a long time, these systems were isolated, but now they are connected to the internet, making them vulnerable to hackers.

This paper is about building a tiny, super-smart security guard that stands at the door of this factory, looking at every single message (packet) that passes through to spot trouble.

Here is the story of how they built it, using simple analogies:

1. The Old Idea vs. The New Reality

Previously, researchers tried to use a method called SPHBI (Single Packet Header Binary Image) to catch hackers in IoT (smart home devices like thermostats and cameras).

• The IoT Analogy: Imagine a crowd of people at a busy airport. Everyone is wearing different clothes, carrying different bags, and walking at different speeds. If you take a photo of their "ID cards" (the packet headers), it's easy to spot the suspicious person because they look different from everyone else. The old method worked great here because the "ID cards" were all unique.
• The OT Reality: Now, imagine a factory floor where every worker wears the exact same uniform, carries the exact same toolbox, and walks at the exact same pace. If you take a photo of their ID cards, they all look identical.
• The Problem: When the researchers tried the old method on the factory network (Modbus), it failed miserably. It only got 51.8% accuracy (basically guessing). The "uniforms" were too perfect; the hackers were hiding in plain sight because the standard ID cards didn't show any differences between a good worker and a bad one.

2. The Solution: Looking Deeper into the Toolbox

The researchers realized that to catch the bad guys in the factory, they couldn't just look at the ID card (the network header). They had to peek inside the toolbox (the application data) the workers were carrying.

They tested five different "depths" of looking at the data:

1. Just the ID Card: Failed (51.8%).
2. ID Card + Toolbox Handle: Much better (98.1%).
3. ID Card + Toolbox Handle + The Tools Inside: The best performer (94.4% accuracy for spotting specific attack types).

The Analogy: It's like a security guard who used to just check if you had a badge. But since everyone has the same badge, the guard starts checking what is in your pocket. Even if the bad guy has the same badge as the good guy, he might be holding a wrench instead of a screwdriver, or holding it upside down. That tiny difference is what the new system spots.

3. The "Tiny Brain" (The Model)

Most modern security systems use massive, heavy computer brains (like ResNet50) that require huge servers to run. They are like a supercomputer trying to solve a Sudoku puzzle.

• This Paper's Approach: They built a tiny, lightweight brain (a neural network with only about 57,000 parameters).
• The Metaphor: Instead of a supercomputer, imagine a pocket calculator. It's incredibly small and efficient. It can run on the tiny, low-power chips found inside the factory machines themselves (edge devices). It's roughly 430 times smaller than the giant models used by others, making it perfect for the factory floor where space and power are limited.

4. What It Caught (and What It Missed)

The system was tested against 11.4 million packets of traffic, including 8 different types of cyber-attacks.

• The Successes: It became a master detective for 7 out of 8 attack types. It caught hackers trying to brute-force passwords, flood the system with questions, or inject fake data with over 94% success. It was so good at spotting "Payload Injection" (slipping a fake tool into the toolbox) that it caught it 100% of the time.
• The Limitations:
  • The "Replay" Attack: Imagine a bad guy recording a video of a good worker walking through the door and playing it back to the guard. Since the video looks exactly like the real thing, the guard can't tell the difference. The paper admits this system cannot catch "Replay Attacks" because it only looks at one snapshot in time. It needs a system that watches the sequence of events over time to catch this.
  • The "Delay" Attack: If a bad guy just slows down the worker's walk, a single snapshot can't see that either.

5. The Trade-off: False Alarms vs. Missed Attacks

The researchers made a conscious choice: It is better to be safe than sorry.

• The Strategy: They tuned the system to catch every possible attack, even if it means occasionally flagging a harmless worker as suspicious.
• The Result: About 5.9% of normal traffic was flagged as suspicious. In a real factory, this means the security team might have to investigate a few "false alarms."
• Why? In a power plant, missing a real attack could cause an explosion or a blackout. Investigating a false alarm is just a bit of paperwork. The system is designed to prioritize safety over convenience.

Summary

This paper proves that you can build a highly effective, tiny security guard for industrial networks by looking slightly deeper into the data packets than just the standard headers. While it can't catch every type of trick (like playing back old videos), it is incredibly efficient, small enough to fit on a microchip, and catches almost every other type of attack with high reliability. It shifts the focus from "heavy, expensive servers" to "light, smart, local guards."

Technical Summary

Technical Summary: Binary Image-Based Intrusion Detection for Operational Technology Networks

Problem Statement
Operational Technology (OT) networks, which control critical infrastructure, are increasingly interconnected with IT systems, expanding their attack surface. While machine learning-based Intrusion Detection Systems (IDS) exist for OT, they often rely on flow-level aggregation or handcrafted feature engineering, introducing latency and limiting portability. Furthermore, existing image-based classification methods, such as the Single Packet Header Binary Image (SPHBI) methodology, have demonstrated high success on heterogeneous IoT traffic but remain untested on the highly uniform traffic of OT protocols like Modbus TCP. The core challenge is determining whether binary image representations derived from uniform OT headers contain sufficient discriminative information for per-packet classification, and if not, which protocol layers must be included to restore detectability.

Methodology
This study extends the SPHBI methodology to Modbus TCP traffic using the CIC Modbus 2023 dataset (11.4 million packets). The research employs a systematic, five-approach gradient of protocol depth to evaluate the discriminative power of different byte subsets:

1. TCP/IP Headers Only: 18 bytes (12×12 binary image).
2. TCP/IP + MBAP + Function Code (FC): 26 bytes (16×13 binary image).
3. TCP/IP + MBAP + FC + PDU Operands: 30 bytes (16×15 binary image).
4. Application Layer Only: 8 bytes (8×8 binary image).
5. Application Layer + PDU: 12 bytes (12×8 binary image).

Raw packet bytes were reconstructed from decoded tshark outputs to ensure accurate binary image generation. The classification models utilize lightweight Convolutional Neural Networks (CNNs). Binary classifiers consist of two convolutional layers with a single filter each (35–73 parameters), while multiclass classifiers use two layers with 32 filters (up to 56,873 parameters), significantly smaller than ResNet50-based alternatives.

A critical component of the methodology is a transparent, reproducible labelling strategy. Since 94% of traffic during attack scenarios consists of benign polling, the authors developed hybrid per-attack-type rules combining attack log time windows with protocol-level signatures (e.g., specific function codes or byte counts) to identify malicious packets. This process yielded 10.7 million normal packets and 642,331 attack packets across nine classes.

Key Results
The experiments, conducted with 10 random seeds and stratified sampling, yielded the following findings:

• Protocol Depth Dependency: TCP/IP headers alone (Approach 1) achieved only 51.8% binary accuracy, confirming that the header-level heterogeneity exploited in IoT is absent in Modbus SCADA traffic.
• Application Layer Necessity: Adding just eight bytes of application-layer information (Approach 2) restored binary accuracy to 98.1%.
• Multiclass Performance: The best-performing approach (2b: TCP/IP + MBAP + FC + PDU) achieved 94.4% ± 2.2pp multiclass accuracy with 56,873 parameters. This is roughly 430 times fewer parameters than comparable ResNet50-based approaches.
• Attack Detectability: Seven of eight detectable attack types (Brute Force, Frame Stacking, FDI, Reconnaissance, Query Flooding, Payload Injection, and Normal traffic) achieved recall above 94%.
• Structural Limits: Replay attacks (7.9% recall) and Length Manipulation (3.3% recall) remained largely undetectable. The paper attributes this to the single-packet paradigm: replayed packets are identical to legitimate traffic, and length manipulation attacks lacked sufficient samples for training.
• Parameter Efficiency: Binary classifiers required only 38 to 73 parameters. The inclusion of PDU operands significantly improved multiclass performance (e.g., enabling 100% recall for FDI detection), whereas TCP/IP headers provided no statistically significant improvement over application-layer-only data when sufficient training data was available.

Significance and Claims
The paper claims four primary contributions:

1. First Application to OT: It presents the first application of single-packet binary image-based deep learning to Modbus TCP traffic, demonstrating that effective detection is achievable with a fraction of the computational cost of existing deep learning models.
2. Quantification of Protocol Depth: It systematically quantifies the discriminative contribution of protocol layers, proving that while TCP/IP headers are insufficient for OT, a minimal set of application-layer bytes (8 bytes) is necessary and sufficient for high-accuracy binary classification.
3. Reproducible Labelling: It provides a transparent methodology for labelling the CIC Modbus 2023 dataset, addressing the lack of packet-level labels in this public benchmark.
4. Detection Boundaries: It explicitly defines the limits of single-packet detection, identifying that replay and delay-response attacks are structurally undetectable without temporal or sequence-based analysis.

The authors position this work as a step toward resource-constrained edge deployment, where lightweight models can perform per-packet screening at the network boundary between SCADA masters and field devices. They note that while the approach is highly effective for specific attack signatures, a comprehensive OT IDS would require combining this per-packet classification with complementary temporal methods to address the inherent limitations of single-packet analysis.