This paper adapts the Single Packet Header Binary Image (SPHBI) intrusion detection method, previously used for IoT, to Modbus TCP networks. By converting packet headers and application-layer data into binary images, the method achieves high binary and multiclass accuracy in detecting intrusions within SCADA environments. The key finding is that incorporating even a small amount of application-layer data significantly boosts detection accuracy, enabling effective per-packet classification with a lightweight model suitable for resource-constrained OT devices.
Forget heavyweight deep learning: a simple binary image-based approach, leveraging just 8 bytes of application-layer data, rivals ResNet50 in detecting OT network intrusions, but with 430x fewer parameters.
This paper extends the Single Packet Header Binary Image (SPHBI) intrusion detection methodology from IoT to Modbus TCP, evaluating five approaches spanning a gradient of protocol depth on the CIC Modbus 2023 dataset (11.4 million packets, eight detectable attack types). TCP/IP headers alone achieve only 51.8% binary accuracy, confirming that header-level heterogeneity exploited in IoT traffic is absent in uniform SCADA environments. Adding eight bytes of application-layer information improves binary accuracy to 98.1% with just 63 parameters, directly relevant to per-packet classification on resource-constrained OT edge devices. The best-performing approach achieves 94.4% +/- 2.2pp multiclass accuracy across nine classes (95% CI [92.9%, 95.9%], 10 seeds) with 56,873 parameters, roughly 430 times fewer than comparable ResNet50-based approaches. Per-class recall analysis shows seven of eight detectable attack types identified with recall above 94%, while replay attacks remain structurally undetectable by any single-packet method.
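
An added example, not code from the paper: it renders the first eight application-layer bytes of a Modbus TCP payload as an 8x8 binary image and shows that a replayed packet yields an identical image, which is why a single-packet classifier cannot separate it from the original. Assumptions: the eight bytes are taken to be the 7-byte MBAP header plus the function code, the row-per-byte, MSB-first layout is illustrative, and the function names and sample payloads are constructed here.

```python
import struct

def parse_adu_prefix(payload: bytes) -> dict:
    """Decode the Modbus TCP MBAP header (7 bytes) and the function code."""
    if len(payload) < 8:
        raise ValueError("payload shorter than MBAP header + function code")
    tid, pid, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if pid != 0:  # the Modbus TCP protocol identifier is always 0
        raise ValueError("not a Modbus TCP payload")
    return {"transaction_id": tid, "length": length,
            "unit_id": unit, "function": func}

def to_binary_image(payload: bytes, n_bytes: int = 8) -> list[list[int]]:
    """Assumed layout: one row per byte, one column per bit, MSB first.
    Payloads shorter than n_bytes are zero-padded."""
    chunk = payload[:n_bytes].ljust(n_bytes, b"\x00")
    return [[(byte >> (7 - bit)) & 1 for bit in range(8)] for byte in chunk]

def pixel_distance(a, b) -> int:
    """Number of pixels that differ between two equally sized images."""
    return sum(x != y for ra, rb in zip(a, b) for x, y in zip(ra, rb))

# Constructed sample payloads (TCP payload bytes only, not capture data).
# Read Holding Registers (0x03): tid=1, unit=1, start=0, quantity=10
READ_HOLDING = bytes.fromhex("00010000000601030000000a")
# Write Single Coil (0x05): tid=2, unit=1, coil=1, value=ON
WRITE_COIL = bytes.fromhex("00020000000601050001ff00")
# A replay is a byte-for-byte copy of a packet that was legitimate when first sent.
REPLAYED_WRITE = bytes(WRITE_COIL)

if __name__ == "__main__":
    for name, pkt in [("read", READ_HOLDING), ("write", WRITE_COIL),
                      ("replay", REPLAYED_WRITE)]:
        print(name, parse_adu_prefix(pkt))
        for row in to_binary_image(pkt):
            print("  " + "".join("#" if bit else "." for bit in row))
    print("read vs write :",
          pixel_distance(to_binary_image(READ_HOLDING), to_binary_image(WRITE_COIL)))
    print("write vs replay:",
          pixel_distance(to_binary_image(WRITE_COIL), to_binary_image(REPLAYED_WRITE)))
```
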