Pith. Machine review for the scientific record.

arxiv: 2605.14209 · v1 · submitted 2026-05-14 · 💻 cs.CR · cs.NI

Recognition: 2 theorem links


Characterizing AI-Assisted Bot Traffic in Darknet Data: Implications for ICS and IIoT Security


Pith reviewed 2026-05-15 02:52 UTC · model grok-4.3

classification 💻 cs.CR cs.NI
keywords: bot traffic · darknet analysis · ICS security · intrusion detection · evasion techniques · IIoT · reconnaissance · anomaly detection

The pith

AI-assisted bots use micro-pacing delays to evade 97.47% of standard volumetric IDS thresholds while ICS port targeting nearly doubles.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines four years of darknet traffic to show how automated scanning tools and AI-assisted agents have altered background patterns that intrusion detection systems rely on for critical infrastructure. It documents a rise in traffic aimed at industrial control ports alongside deliberate short delays between packets that make overall volumes appear smoother and less suspicious. Standard anomaly-based detectors miss most of this traffic, but raising their sensitivity to compensate creates far more false alarms than before. A reader would care because these systems protect factories, power grids, and other operational technology where undetected reconnaissance can precede real attacks.

Core claim

Analysis of 192 million passive darknet packets from the Merit ORION telescope across 2021-2025 shows ICS-relevant port targeting rising from 0.82% to 1.51%. Bots insert intentional 1ms to 100ms inter-arrival delays to reduce apparent burstiness. A simulated anomaly-based IDS finds that these techniques let 97.47% of modern bot traffic bypass standard volumetric thresholds, while compensatory sensitivity tuning produces a 68.10% false-positive rate and exposes visibility gaps in OT environments.

What carries the argument

Micro-pacing behaviors, the deliberate insertion of 1ms-100ms delays between packets to artificially smooth apparent volume and evade burstiness-based detection.

If this is right

  • Targeting of ICS-relevant ports nearly doubled from 0.82% to 1.51% between 2021 and 2025.
  • 97.47% of modern bot traffic bypasses standard volumetric thresholds undetected.
  • Raising IDS sensitivity to catch the evasive traffic produces a 68.10% false-positive rate.
  • These patterns create fundamental visibility and alerting gaps in operational technology environments.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Detection for industrial networks may need to move beyond pure volume metrics and incorporate inter-arrival time or entropy signals.
  • The focused rise in industrial-port reconnaissance points to botnets shifting attention toward critical infrastructure protocols.
  • Similar micro-pacing could affect monitoring systems outside the simulated IDS, including those in other high-stakes network environments.

Load-bearing premise

The darknet dataset and simulated IDS accurately represent the reconnaissance traffic and detection conditions that would occur on real operational ICS and IIoT devices.

What would settle it

Direct capture and analysis of live traffic reaching actual ICS/IIoT devices showing whether the 97.47% bypass rate and 68.10% false-positive rate hold under real deployment thresholds.

Figures

Figures reproduced from arXiv: 2605.14209 by Alex Carbajal, Asma Jodeiri Akbarfam, Caleb Faultersack, Jonahtan Vasquez, Shereen Ismail.

Figure 1: System Architecture for Darknet Traffic Analysis Pipeline
Figure 2: ICS Port Targeting Volume and Identified Scanning Patterns
Figure 3: Cross-year Shannon Entropy Comparison
Figure 5: Cross-Year Packet Volume Shifts Across Top Targeted Industrial
Figure 6: IDS Anomaly Simulation: Volumetric Threshold and False Positives
Original abstract

The rise of automated scanning tools and AI assisted reconnaissance agents has significantly altered internet background traffic patterns, threatening the baseline assumptions underlying intrusion detection systems (IDS) deployed in critical infrastructure networks. This paper characterizes the evolution of automated bot traffic by analyzing a longitudinal dataset of 192 million passive darknet packets captured across 2021 and 2025 from the Merit ORION Network Telescope. A modular analysis pipeline was developed to compute metrics including average packet rate, global Shannon entropy, inter-arrival time (IAT) burstiness, geographic attribution, and destination port targeting across key industrial protocols. Results reveal a highly distributed yet focused reconnaissance landscape, with traffic targeting ICS-relevant ports nearly doubling from 0.82% to 1.51% over the four-year period. Furthermore, burstiness analysis exposes intentional micro-pacing behaviors (1ms to 100ms delays) that allow modern botnets to artificially smooth their overall volume. Our simulated anomaly-based IDS demonstrates that these evasion techniques enable 97.47% of modern bot traffic to bypass standard volumetric thresholds undetected. Compensatory sensitivity tuning triggers a 68.10% false-positive rate, highlighting fundamental visibility and alerting gaps in operational technology (OT) environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper analyzes 192 million passive darknet packets from the Merit ORION telescope (2021–2025) to characterize AI-assisted bot traffic. It reports that targeting of ICS-relevant ports nearly doubled (0.82% to 1.51%), identifies micro-pacing (1–100 ms IAT) as an evasion mechanism, and claims that a simulated anomaly-based IDS allows 97.47% of modern bot traffic to bypass volumetric thresholds while compensatory tuning produces a 68.10% false-positive rate, implying visibility gaps in OT environments.

Significance. If the simulation parameters and dataset representativeness hold, the work provides empirical evidence of evolving stealth techniques in reconnaissance traffic that could inform IDS design for ICS/IIoT. The longitudinal scale of the packet corpus and focus on industrial ports are strengths that could support falsifiable predictions about detection limits.

major comments (2)
  1. [§5, IDS simulation] The volumetric threshold, exact anomaly decision rule, baseline computation, and mapping from ORION packet traces to simulated flows are not defined. Consequently the headline figures (97.47% bypass, 68.10% FP) cannot be reproduced or tested against alternative thresholds, undermining the central claim about evasion effectiveness.
  2. [§3, Dataset] No evidence or validation is supplied that unsolicited darknet packets with observed micro-pacing would survive real ICS/IIoT gateway filtering, NAT, or protocol stacks; the assumption that the ORION corpus is representative of traffic actually reaching operational devices is therefore load-bearing but unsupported.
minor comments (2)
  1. [Results] Percentages are reported without error bars, confidence intervals, or statistical tests for the observed temporal change in port targeting; adding these would improve rigor without altering the core narrative.
  2. [Methods, Notation] The precise formula used to compute “volume” or “burstiness” from IAT values should be stated explicitly (e.g., as an equation) to allow independent verification.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive feedback. We address each major comment below and have revised the manuscript to improve reproducibility and acknowledge limitations.

Point-by-point responses
  1. Referee: [§5, IDS simulation] The volumetric threshold, exact anomaly decision rule, baseline computation, and mapping from ORION packet traces to simulated flows are not defined. Consequently the headline figures (97.47% bypass, 68.10% FP) cannot be reproduced or tested against alternative thresholds, undermining the central claim about evasion effectiveness.

    Authors: We agree that the original §5 provided insufficient detail on the simulation parameters, preventing full reproducibility. In the revised manuscript we have added an explicit description: the volumetric threshold is defined as 100 packets per second (chosen as 10× the median observed ICS port rate in the 2021 baseline); the anomaly decision rule flags a flow if its rate exceeds this threshold or deviates >2σ from the per-port baseline mean; the baseline is computed as the mean and standard deviation of packet rates aggregated over the first 12 months of data; flows are mapped from the ORION traces by grouping packets into 5-tuple flows (src IP, dst port, protocol) and calculating IAT within each flow. These additions allow the reported 97.47% bypass and 68.10% FP rates to be verified and tested against alternative thresholds. The simulation pseudocode is now included in the appendix. revision: yes

  2. Referee: [§3, Dataset] No evidence or validation is supplied that unsolicited darknet packets with observed micro-pacing would survive real ICS/IIoT gateway filtering, NAT, or protocol stacks; the assumption that the ORION corpus is representative of traffic actually reaching operational devices is therefore load-bearing but unsupported.

    Authors: We acknowledge that darknet observations capture unsolicited probes and do not directly demonstrate survival through real ICS gateways, NAT, or protocol stacks. The revised §3 now includes an explicit limitations paragraph stating that the dataset characterizes reconnaissance traffic as emitted on the public internet; any gateway filtering would reduce the volume reaching an OT network but would not alter the micro-pacing IAT pattern itself. We note that the evasion claim applies to perimeter IDS that would observe the same packet stream if the traffic is not dropped earlier. We have added references to public ICS scanning reports that document similar port-targeting patterns, supporting that the observed behaviors are relevant to the threat model even if not every probe reaches an operational device. revision: partial
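To make the detection argument concrete, here is an added example; it is not the paper's pipeline or any code from the authors. It takes the volumetric rule as the simulated rebuttal above describes it (a 100 pps threshold, or a mean rate more than 2σ from a per-port baseline; the baseline mean and spread are constructed here, since the rebuttal gives none), builds two constructed flows, a classic bursty scanner and one paced with uniform 1 to 100 ms gaps as the paper reports, and runs both through that rule and through an inter-arrival-time regularity check in the spirit of the editorial suggestion that ICS detection should incorporate IAT signals. The regularity measure is the Goh-Barabasi burstiness B = (σ − μ)/(σ + μ) over the IATs, which is my choice for this illustration, not necessarily the paper's burstiness metric; `iat_alert`, its cutoff `max_b` and the flow generators are assumptions of this example.

```python
# Added illustration, not the paper's pipeline or the authors' code.
# Two constructed scanner flows are run through (a) the volumetric rule as
# described in the simulated rebuttal and (b) an IAT-regularity check.
import random
import statistics

# Parameters quoted from the simulated rebuttal, treated here as assumptions.
VOLUMETRIC_THRESHOLD_PPS = 100.0   # "100 packets per second"
SIGMA_LIMIT = 2.0                  # "deviates >2 sigma from the per-port baseline mean"
# Per-port baseline statistics are constructed for this example; the rebuttal
# says they come from the first 12 months of data but gives no values.
BASELINE_MEAN_PPS = 10.0
BASELINE_STD_PPS = 8.0


def bursty_flow(packets=3000, burst_len=500, gap_s=0.0005, pause_s=2.0, seed=1):
    """Constructed classic scanner: ~2000 pps bursts separated by 2 s pauses."""
    rng = random.Random(seed)
    t, ts = 0.0, []
    for i in range(packets):
        if i and i % burst_len == 0:
            t += pause_s
        t += gap_s * (0.5 + rng.random())    # jitter intra-burst gaps by +/-50%
        ts.append(t)
    return ts


def micro_paced_flow(packets=3000, lo_ms=1.0, hi_ms=100.0, seed=2):
    """Constructed micro-paced scanner: each gap drawn uniformly from 1-100 ms,
    the delay band the paper reports, so the flow averages only ~20 pps."""
    rng = random.Random(seed)
    t, ts = 0.0, []
    for _ in range(packets):
        t += (lo_ms + (hi_ms - lo_ms) * rng.random()) / 1000.0
        ts.append(t)
    return ts


def iats(ts):
    """Inter-arrival times in seconds."""
    return [b - a for a, b in zip(ts, ts[1:])]


def peak_window_rate(ts, window_s=1.0):
    """Largest packet count in any sliding window of window_s seconds, in pps."""
    best, j = 0, 0
    for i in range(len(ts)):
        while ts[i] - ts[j] >= window_s:
            j += 1
        best = max(best, i - j + 1)
    return best / window_s


def mean_rate(ts):
    """Average pps over the flow's lifetime."""
    span = ts[-1] - ts[0]
    return len(ts) / span if span > 0 else float("inf")


def volumetric_alert(ts):
    """Volumetric rule as the rebuttal describes it: flag if the flow exceeds the
    pps threshold or its mean rate sits more than SIGMA_LIMIT sigma from baseline."""
    z = (mean_rate(ts) - BASELINE_MEAN_PPS) / BASELINE_STD_PPS
    return peak_window_rate(ts) > VOLUMETRIC_THRESHOLD_PPS or abs(z) > SIGMA_LIMIT


def burstiness(ts):
    """Goh-Barabasi burstiness B = (sigma - mu) / (sigma + mu) over the IATs:
    about 0 for Poisson arrivals, toward +1 for bursts, toward -1 for a metronome."""
    gaps = iats(ts)
    mu, sigma = statistics.mean(gaps), statistics.pstdev(gaps)
    return (sigma - mu) / (sigma + mu)


def iat_alert(ts, max_b=-0.2, min_packets=200):
    """Illustrative IAT check (this example's design, not the paper's): a sustained
    flow whose gaps are more regular than Poisson is machine-paced and worth a
    look even when its volume never trips the threshold."""
    return len(ts) >= min_packets and burstiness(ts) < max_b


def summarize(ts):
    """Both detectors' verdicts plus the statistics they were computed from."""
    return {
        "mean_pps": round(mean_rate(ts), 1),
        "peak_pps": peak_window_rate(ts),
        "burstiness": round(burstiness(ts), 3),
        "volumetric_alert": volumetric_alert(ts),
        "iat_alert": iat_alert(ts),
    }


if __name__ == "__main__":
    for name, flow in (("bursty", bursty_flow()), ("micro-paced", micro_paced_flow())):
        print(name, summarize(flow))
```

Running the block prints one summary per flow: the bursty scanner peaks at 500 packets in a one-second window and is caught by the volumetric rule, while the micro-paced flow stays near 20 pps, under the threshold and within 2σ of the constructed baseline, and is only exposed by its negative burstiness (about −0.28, well below the Poisson value of 0). How far `max_b` can be raised before legitimate machine-generated OT traffic, which is also regular, starts tripping it is exactly the false-positive question the paper raises, so the cutoff would have to be calibrated against real background traffic rather than taken from this example.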

Circularity Check

0 steps flagged

No circularity: results are direct empirical counts from dataset and simulation

Full rationale

The paper reports percentages (0.82% to 1.51% ICS port targeting, 97.47% bypass, 68.10% FP) as outputs of a modular analysis pipeline applied to 192 million observed darknet packets and a simulated IDS. No equations, fitted parameters, or self-citations are shown that reduce these figures to the inputs by construction. Metrics such as packet rate, Shannon entropy, and IAT burstiness are computed directly from the traces, and the IDS outcomes are presented as simulation results without evidence that the decision rules or thresholds were tuned in a way that forces the reported evasion rates. The derivation chain remains self-contained against external data.

Axiom & Free-Parameter Ledger

1 free parameter · 1 axiom · 0 invented entities

The central claims rest on the representativeness of darknet traffic for ICS targeting and on the fidelity of the anomaly simulation; no new entities are postulated and free parameters are limited to standard detection thresholds.

free parameters (1)
  • volumetric detection threshold
    Used in the simulated IDS to flag anomalies; value not specified but tuned to produce the reported false-positive rate.
axioms (1)
  • domain assumption: Darknet passive captures are representative of reconnaissance activity directed at real ICS/IIoT deployments.
    Invoked when extrapolating dataset observations to implications for operational technology security.

pith-pipeline@v0.9.0 · 5538 in / 1259 out tokens · 36277 ms · 2026-05-15T02:52:51.483749+00:00


Lean theorems connected to this paper

Citations machine-checked in the Pith Canon. Every link opens the source theorem in the public Lean library.


Reference graph

Works this paper leans on

21 extracted references · 21 canonical work pages · 1 internal anchor

  1. [1]

    Analysis of a

    A. Dainotti, A. King, K. Claffy, F. Papale, and A. Pescapé, “Analysis of a"/0" stealth scan from a botnet,” in Proceedings of the 2012 Internet Measurement Conference, 2012, pp. 1–14

  2. [2]

    Spatial temporal anal- ysis of 40,000,000,000,000 internet darkspace packets,

    J. Kepner, M. Jones, D. Andersen, A. Buluç, C. Byun, K. Claffy, T. Davis, W. Arcand, J. Bernays, D. Bestor et al., “Spatial temporal anal- ysis of 40,000,000,000,000 internet darkspace packets,” in 2021 IEEE High Performance Extreme Computing Conference (HPEC) . IEEE, 2021, pp. 1–8

  3. [3]

    Analyzing Unsolicited Internet Traffic: Measuring IoT Security Threats via Network Telescopes

    S. Ismail, T. Dyer, R. Martinez, G. Gastman, Y . Chavez, and A. J. Akbarfam, “Analyzing unsolicited internet traffic: Measuring iot security threats via network telescopes,” 2026. [Online]. Available: https://arxiv.org/abs/2605.02795

  4. [4]

    2025 bad bot report,

    Imperva, “2025 bad bot report,” https://www.imperva.com/resources/resource- library/reports/2025-bad-bot-report, 2025, accessed: Mar. 22, 2026

  5. [5]

    Guide to operational technology (ot) security,

    National Institute of Standards and Technology (NIST), “Guide to operational technology (ot) security,” NIST, Tech. Rep. SP 800-82r3, 2023, accessed: Mar. 23, 2026. [Online]. Avail- able: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP .800- 82r3.pdf

  6. [6]

    Design of intrusion detection and prevention in scada system for the detection of bias injection attacks,

    R. Benisha and S. Raja Ratna, “Design of intrusion detection and prevention in scada system for the detection of bias injection attacks,” Security and Communication Networks , vol. 2019, no. 1, p. 1082485, 2019

  7. [7]

    Zooming into the darknet: Characterizing internet background radiation and its structural changes,

    M. Kallitsis, V . Honavar, R. Prajapati, D. Wu, and J. Y en, “Zooming into the darknet: Characterizing internet background radiation and its structural changes,” arXiv preprint arXiv:2108.00079 , 2021

  8. [8]

    Theoretic derivations of scan detection operating on darknet traffic,

    M. S. Pour and E. Bou-Harb, “Theoretic derivations of scan detection operating on darknet traffic,” Computer Communications , vol. 147, pp. 111–121, 2019

  9. [9]

    Darknet traffic classifi- cation and adversarial attacks using machine learning,

    N. Rust-Nguyen, S. Sharma, and M. Stamp, “Darknet traffic classifi- cation and adversarial attacks using machine learning,” Computers & Security, vol. 127, p. 103098, 2023

  10. [10]

    Darknet traffic big-data analysis and network management for real- time automating of the malicious intent detection process by a weight agnostic neural networks framework,

    K. Demertzis, K. Tsiknas, D. Takezis, C. Skianis, and L. Iliadis, “Darknet traffic big-data analysis and network management for real- time automating of the malicious intent detection process by a weight agnostic neural networks framework,” Electronics, vol. 10, no. 7, p. 781, 2021

  11. [11]

    Time-stepped cyber-physical simulation of dos, dod, and fdi attacks on the ieee 14-bus system,

    M. C. Tossa, F. Madrigal, R. Blosser, and A. J. Akbarfam, “Time-stepped cyber-physical simulation of dos, dod, and fdi attacks on the ieee 14-bus system,” in SoutheastCon 2026 , 2026, pp. 1–7

  12. [12]

    A software-defined testbed for quantifying deauthentication resilience in modern wi-fi networks,

    A. Carbajal and A. J. Akbarfam, “A software-defined testbed for quantifying deauthentication resilience in modern wi-fi networks,” in SoutheastCon 2026 . IEEE, 2026, pp. 1–6

  13. [13]

    Detecting and interpreting changes in scanning behavior in large network telescopes,

    M. Kallitsis, R. Prajapati, V . Honavar, D. Wu, and J. Y en, “Detecting and interpreting changes in scanning behavior in large network telescopes,” IEEE Transactions on Information F orensics and Security , vol. 17, pp. 3611–3625, 2022

  14. [14]

    Orion: Observatory for cyber-risk insights and outages of networks,

    M. Network, “Orion: Observatory for cyber-risk insights and outages of networks,” 2022

  15. [15]

    Merit network telescope: Processing and initial insights from nearly 20 years of darknet traffic for cybersecurity research,

    S. Ismail, E. Hammad, W. Hatcher, S. Dandan, A. Alomari, and M. Spratt, “Merit network telescope: Processing and initial insights from nearly 20 years of darknet traffic for cybersecurity research,” in 2025 IEEE 16th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) . IEEE, 2025, pp. 0873–0879

  16. [16]

    Darknet-based threat intelligence: A survey of scanning detection and adversary attribution methods,

    K. S. Y adav and P . Baro, “Darknet-based threat intelligence: A survey of scanning detection and adversary attribution methods,” TechRxiv, 2025

  17. [17]

    An ai-based framework for detecting iot botnets through network traffic analysis and modeling,

    F. Hussain et al. , “An ai-based framework for detecting iot botnets through network traffic analysis and modeling,” IEEE Access , 2023

  18. [18]

    A comparative study of packet capture tools for reliable network telescope traffic collection,

    S. Ismail, E. Hammad, S. Dandan, W. Hatcher, and A. Alomari, “A comparative study of packet capture tools for reliable network telescope traffic collection,” in 2025 IEEE 16th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) . IEEE, 2025, pp. 0880–0885

  19. [19]

    Stuxnet: Dissecting a cyberwarfare weapon,

    R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE security & privacy , vol. 9, no. 3, pp. 49–51, 2011

  20. [20]

    Geolite databases and web services,

    MaxMind, “Geolite databases and web services,” https://dev.maxmind.com/geoip/geolite2-free-geolocation-data, 2026, accessed: Mar. 22, 2026

  21. [21]

    A lightweight machine learning approach for anomalous unsolicited network traffic detection by observ- ing network telescopes,

    S. Ismail, S. Dandan, and M. King, “A lightweight machine learning approach for anomalous unsolicited network traffic detection by observ- ing network telescopes,” in 2025 IEEE 15th Annual Computing and Communication Workshop and Conference (CCWC) . IEEE, 2025, pp. 00 407–00 413