NORMA eResearch @NCI Library

Can an AI-Based Behavioural Scanner Improve the Detection of Protocol-Level Misconfigurations and Anomalies in Industrial IoT Environments

Lacey, Conor Sean (2025) Can an AI-Based Behavioural Scanner Improve the Detection of Protocol-Level Misconfigurations and Anomalies in Industrial IoT Environments. Masters thesis, Dublin, National College of Ireland.

[thumbnail of Master of Science]
Preview
PDF (Master of Science)
Download (787kB) | Preview
[thumbnail of Configuration Manual]
Preview
PDF (Configuration Manual)
Download (916kB) | Preview

Abstract

Industrial Internet of Things systems are being increasingly deployed in smart manufacturing, enabling automation and efficiency under Industry 4.0. However, many protocols such as Modbus were never designed with security in mind, leaving them vulnerable to misconfigurations and misuse. Current vulnerability scanners, such as OpenVAS rely on Common Vulnerabilities and Exposures and therefore struggle to detect behavioural anomalies and protocol-level threats.

This research presents the development of a prototype AI-based behavioural scanner for Modbus traffic, designed to detect protocol misuse and anomalies that current CVE-driven scanners overlook. Using Conpot, a honeypot, to emulate a Modbus-enabled SCADA system, a custom Python logger was built to generate both benign and malicious traffic, producing a labelled dataset of 15,500 records. Two machine learning models were then evaluated, using Random Forest for supervised and Isolation Forest for unsupervised.

The results show that the Random Forest achieved a high accuracy (97% overall and a recall of 0.87 for malicious traffic) while the Isolation Forest flagged the anomalies without labels, although with a reduced recall. In contrast, OpenVAS scans detected only generic vulnerabilities while failing to detect any Modbus misuse.

The key contribution of this work is a reproducible dataset pipeline and demonstration that feature-level behavioural analysis can complement signature-based scanners. The findings highlight both the potential and limitations of AI-driven scanners in anomaly detection in IIoT and suggest a pathway for future research using real-world datasets, protocol expansion and scalable deployment.

Item Type: Thesis (Masters)
Supervisors:
Name
Email
Spelman, Ross
UNSPECIFIED
Subjects: Q Science > QH Natural history > QH301 Biology > Methods of research. Technique. Experimental biology > Data processing. Bioinformatics > Artificial intelligence
Q Science > Q Science (General) > Self-organizing systems. Conscious automata > Artificial intelligence
Q Science > QA Mathematics > Computer software > Computer Security
T Technology > T Technology (General) > Information Technology > Computer software > Computer Security
T Technology > TK Electrical engineering. Electronics. Nuclear engineering > Telecommunications > Computer networks > Internet of things
H Social Sciences > HD Industries. Land use. Labor > Specific Industries > Manufacturing Industry
Divisions: School of Computing > Master of Science in Cyber Security
Depositing User: Ciara O'Brien
Date Deposited: 04 Jul 2026 14:20
Last Modified: 04 Jul 2026 14:20
URI: https://norma.ncirl.ie/id/eprint/9476

Actions (login required)

View Item View Item