Preprint
Article

This version is not peer-reviewed.

Longitudinal Behavioural Analysis of Industrial IoT Network Traffic Using Passive Monitoring

Submitted: 18 May 2026

Posted: 22 May 2026


Abstract
Industrial Internet of Things (IIoT) production environments rely on automated communication between control systems and embedded devices while operating under strict availability constraints that limit the deployment of conventional IT security controls. Despite extensive research on intrusion detection systems, empirical studies based on long-term observations of real industrial networks remain scarce. This paper presents a three-month passive monitoring study of a production-line IIoT network in a factory environment. A containerised instance of Zeek was deployed in promiscuous mode to collect flow-level and application-layer telemetry without interfering with operations. The results reveal highly deterministic communication patterns dominated by periodic HTTP polling between a central server and distributed devices. Analysis of connection and HTTP logs shows strong temporal regularity, low variability, and stable communication regimes. Although no confirmed malicious activity was observed, transient deviations were identified and attributed to operational events such as production stoppages. These findings demonstrate that production-line IIoT networks can exhibit predictable behaviour suitable for statistical anomaly detection. The main contributions are a longitudinal empirical characterisation of a real-world IIoT network, a methodology for behavioural baseline extraction using passive monitoring, and practical insights for safe deployment in operational environments.
Subject: Engineering - Other

1. Introduction

Cybersecurity has become a critical concern for modern industrial production systems, particularly as the rapid evolution toward the Industry 4.0 paradigm continues [1]. This transformation is characterised by the widespread adoption of advanced digital technologies, including the Internet of Things (IoT), which enables the interconnection of machinery, sensors, and control systems within industrial production lines (also known as Industrial IoT, or IIoT). As a result, organisations can collect and process large volumes of real-time operational data, leading to increased automation, improved efficiency, and more informed decision-making processes. However, this increased connectivity also introduces significant cybersecurity risks [2].
Traditionally, Information Technology (IT) and Operational Technology (OT) environments have been designed and managed with distinct objectives. While IT systems prioritise confidentiality and data integrity, OT systems primarily focus on availability and the safe operation of physical processes [3]. Historically, these environments were often isolated, sometimes described as “air-gapped” systems. However, the convergence between IT and OT, driven by the integration of IIoT devices, cloud-based services, and AI technologies, is progressively dissolving these boundaries. This convergence, combined with increasing system complexity and expanding attack surfaces, creates new security challenges that traditional approaches are not fully equipped to address [4,5,6].
In this context, ensuring the security and resilience of industrial networks is particularly critical, as cyber incidents may lead not only to data breaches but also to production disruptions and potential safety hazards for human operators. Despite the existence of various security controls, many industrial environments still exhibit limited cybersecurity maturity and awareness, especially within OT domains. This reinforces the need for effective monitoring and detection mechanisms capable of operating under the specific constraints of industrial systems [7,8].
Intrusion Detection Systems (IDS) play a key role in monitoring and analysing network activity to identify potential security incidents [9]. These systems are generally classified into signature-based and anomaly-based approaches. Signature-based systems are effective in detecting known threats but are inherently limited when facing novel or previously unseen attacks. In contrast, anomaly-based systems aim to identify deviations from established normal behaviour, making them particularly suitable for detecting unknown attacks [10,11]. However, their practical adoption is often hindered by high false-positive (FP) rates, which can reduce operational trust and increase the burden on security analysts.
A fundamental challenge in designing effective anomaly-based detection systems for industrial environments lies in the lack of empirical knowledge about the normal behaviour of real-world production networks. Most existing studies rely on laboratory setups, short-term captures, or datasets with artificially injected attacks, which may not accurately reflect the characteristics of operational industrial systems. In contrast, production environments—especially highly automated IIoT-based lines—are expected to exhibit stable and deterministic communication patterns over time [12,13,14].
To address this gap, this paper presents a longitudinal study of network behaviour in a real IIoT production environment. A passive monitoring approach was adopted using the network security monitor Zeek, deployed in a non-intrusive manner to collect detailed network telemetry over a three-month period. The objective is to characterise baseline communication patterns, identify behavioural invariants, and analyse observed deviations in an operational setting without interfering with production processes.
The main contributions of this work are threefold: (i) an empirical characterisation of a real-world IIoT network based on long-term passive monitoring; (ii) a methodology for extracting behavioural baselines from flow-level and application-level telemetry; and (iii) an analysis of observed deviations and their implications for anomaly-based intrusion detection in industrial environments.

3. Industrial Scenario and Methodology

3.1. Industrial Context

This research was conducted within the scope of the Fishy project [30], which aims to provide cybersecurity monitoring and risk management capabilities for complex supply-chain systems. The project integrates multiple security tools, including vulnerability analysis platforms, signature-based intrusion detection systems, host-based monitoring solutions, and risk assessment components.
One of the industrial use cases considered in this project (hereafter referred to as IndA) consists of an IIoT-based production line, where interconnected devices and sensors support fully automated manufacturing processes. In this environment, the availability of the production line is a primary security objective, as disruptions may directly impact operational continuity. Many of the devices involved do not run traditional operating systems, limiting the applicability of host-based security solutions. This constraint highlights the need for network-level monitoring capable of capturing and analysing communication behaviour across the production infrastructure.

3.2. Preliminary Traffic Characterisation

To understand the communication patterns within the IndA network, an initial exploratory analysis was performed using packet capture tools (e.g., tcpdump) and protocol analysis with Wireshark. This preliminary step aimed to identify dominant protocols and assess the overall structure of network traffic prior to deploying a dedicated monitoring solution.
The results (see Figure 2) showed that approximately 99.9% of the observed traffic corresponded to IPv4, with the remaining 0.1% consisting of ARP traffic. Within IP traffic, around 95% was TCP and 5% ICMP. Further inspection revealed that nearly all TCP traffic was associated with HTTP communications. Specifically, a central server periodically issued HTTP GET requests to individual IIoT devices, which responded with JSON-formatted status information.
Given the fully automated nature of the production line, with minimal human interaction outside scheduled maintenance periods, the observed communication patterns exhibited a high degree of regularity and predictability. This characteristic suggested that behavioural monitoring approaches could be effectively applied to model baseline network activity.

3.3. Monitoring Architecture

Based on the preliminary analysis, a passive monitoring approach was adopted using the network security monitor Zeek. The monitoring probe was deployed in a containerised environment and configured to operate in promiscuous mode, ensuring full visibility of network traffic without interfering with production processes.
The probe was connected to the network through a mirrored port, receiving a copy of all network traffic between the central server and IIoT devices. To meet operational safety requirements, the monitoring system was isolated from the production environment and did not perform any active interaction with network components. This deployment strategy ensured that the monitoring infrastructure remained transparent to the production system while providing adequate visibility into network activity. Figure 3 shows the deployed architecture.

3.4. Data Collection and Processing

Network traffic was continuously monitored over a period of approximately three months. Instead of storing raw packet captures, structured logs were generated using Zeek’s logging framework, enabling efficient storage while preserving semantically rich information about network activity.
The primary data sources considered in this study were:
  • conn.log: providing connection-level information such as duration, packet counts, byte volumes, and connection states;
  • http.log: containing application-layer details, including HTTP methods, response codes, requested endpoints, and payload sizes.
From these logs, a set of features was extracted and grouped into three main categories:
  • Temporal features: timestamps and inter-arrival times;
  • Flow-level features: connection duration, packet counts, and byte volumes;
  • Application-layer features: HTTP methods, response codes, and payload sizes.
To support longitudinal analysis, the extracted features were aggregated over fixed time windows, enabling the identification of trends, periodic patterns, and deviations over time.

3.5. Baseline Modelling

Baseline behaviour was characterised using statistical analysis of the extracted features over the observation period. Given the deterministic nature of the production environment, network communication was expected to follow stable and repetitive patterns.
Descriptive statistics, including measures of central tendency and dispersion, were used to define expected ranges of normal behaviour. Deviations were identified by detecting observations that significantly diverged from these baseline profiles in terms of timing, volume, or protocol characteristics.
Each detected deviation was analysed in context, considering possible operational explanations such as maintenance activities, network fluctuations, or device-specific behaviour. This approach allows for a realistic interpretation of anomalies in the absence of labelled attack data, aligning with the objective of understanding real-world industrial network dynamics.
To analyse the collected data, the Zeek logs were processed and aggregated into time-series representations over the full observation period. All log entries were consolidated and resampled into hourly intervals, enabling a consistent temporal view of network activity over the three-month monitoring window. Hourly aggregation was selected as a trade-off between temporal resolution and noise reduction.
This aggregation allowed the construction of time-series representations of key metrics, including the number of connection sessions (Figure 4), the total number of packets (Figure 5), and the average size of HTTP responses (Figure 6). These visualisations provide insight into the temporal dynamics of the network and support the identification of recurring patterns and potential deviations.
The resulting time-series exhibit a high degree of regularity, reflecting the automated and deterministic nature of the production environment. This regularity facilitates the identification of baseline behaviour and highlights the suitability of the dataset for behavioural modelling approaches.
In addition to the overall stability of the observed metrics, certain irregular patterns can be identified in the time-series representations. Specifically, periods of reduced or absent traffic are visible in mid-July (Figure 4, Figure 5) and at the end of August (Figure 4, Figure 5, Figure 6).
Following validation with the industrial partner (IndA), these intervals were attributed to planned production stoppages, during which a significant portion of the IIoT devices was intentionally powered down. As a result, network activity was temporarily reduced or interrupted.
Additionally, short-lived spikes observed in metrics such as total packet counts (Figure 5) and average HTTP response size (Figure 6) can be explained by the abrupt termination and subsequent re-establishment of network sessions associated with these stoppages. These observations highlight the importance of contextual information when interpreting deviations from baseline behaviour, as not all anomalies correspond to security-relevant events.

3.6. Statistical Thresholding Using Z-Score

To quantify deviations from baseline behaviour, a statistical approach based on the z-score was adopted. The z-score expresses how many standard deviations an observation deviates from the mean, allowing the identification of statistically significant anomalies:
$$z = \frac{x - \mu}{\sigma}$$
where x is the observed value and μ and σ represent the mean and standard deviation estimated from the baseline data.
This approach assumes relatively stable statistical properties over time, which is consistent with the observed behaviour of the monitored IIoT environment.
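The following added example (not code from the paper) carries Sections 3.4 to 3.6 through on a constructed conn.log excerpt: it parses Zeek's TSV format, aggregates connections per hour, estimates μ and σ from a baseline window, and flags hours with |z| > 3. The function names, the sample addresses and counts, and the treatment of σ = 0 are assumptions made for the illustration.

```python
import statistics
from collections import Counter

def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log record found before the #fields header")
            yield dict(zip(fields, line.split("\t")))

def hourly_counts(records):
    """Connections per hour; hours with no log lines are filled in as 0.

    A stoppage produces no conn.log entries at all, so without this fill
    the silent hour would simply be missing from the series.
    """
    buckets = Counter(int(float(r["ts"])) // 3600 for r in records)
    if not buckets:
        return []
    return [buckets[h] for h in range(min(buckets), max(buckets) + 1)]

def zscore(x, mu, sigma):
    """z = (x - mu) / sigma, also defined when the baseline has zero spread."""
    if sigma == 0:
        # Assumption: with a perfectly constant baseline, any change is extreme.
        if x == mu:
            return 0.0
        return float("inf") if x > mu else float("-inf")
    return (x - mu) / sigma

def detect(log_text, baseline_hours, z_limit=3.0):
    """Return (hour_offset, connections, z) for hours after the baseline with |z| > z_limit."""
    series = hourly_counts(parse_zeek_tsv(log_text))
    baseline = series[:baseline_hours]
    if len(baseline) < 2:
        raise ValueError("baseline needs at least two hourly samples")
    mu = statistics.fmean(baseline)
    sigma = statistics.pstdev(baseline)  # population std of the baseline window
    alerts = []
    for offset in range(baseline_hours, len(series)):
        z = zscore(series[offset], mu, sigma)
        if abs(z) > z_limit:
            alerts.append((offset, series[offset], round(z, 1)))
    return alerts

def make_sample_log():
    """CONSTRUCTED conn.log excerpt: reduced field set, invented addresses and counts."""
    t0 = 1_699_999_200  # constructed epoch, aligned to a full hour
    # 24 steady hours, then: normal, silent hour, burst of sessions, normal.
    per_hour = [59, 60, 61] * 8 + [60, 0, 400, 61]
    lines = ["#separator \\x09", "#path\tconn",
             "#fields\tts\tuid\tid.orig_h\tid.resp_h\tid.resp_p\tproto"]
    for hour, count in enumerate(per_hour):
        for i in range(count):
            ts = t0 + hour * 3600 + i * 3600 / count
            lines.append(f"{ts:.6f}\tC{hour:02d}x{i:03d}\t10.0.0.1\t"
                         f"10.0.0.{10 + i % 20}\t80\ttcp")
    lines.append("#close\tconstructed")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for offset, count, z in detect(make_sample_log(), baseline_hours=24):
        print(f"hour +{offset}: {count} connections, z = {z}")
```

Both the silent hour and the burst are flagged, which mirrors the paper's point that a stoppage and an attack can be equally significant statistically and need context to tell apart.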

4. Analysis Results

After selecting the metrics, the next step was to prepare some Zeek scripts, load them and test them to see if they could generate alerts when abnormal activity was observed. Custom detection scripts were developed using Zeek’s SumStats framework, enabling the aggregation of high-volume event streams into compact statistical summaries over configurable time windows. This approach allows real-time monitoring of selected metrics while maintaining computational efficiency. Alert generation requires the definition of appropriate thresholds and aggregation intervals. Threshold selection was based on the statistical framework introduced in the previous section, using z-score normalisation to quantify deviations from baseline behaviour.

4.1. Quantitative Characterisation of Baseline Behaviour

To support the definition of anomaly detection thresholds, a quantitative analysis of the observed network behaviour was performed over the three-month monitoring period. The objective was to assess the stability and variability of key metrics and validate the assumption of a well-defined baseline.
During normal operation (i.e., excluding identified production stoppage periods), the analysed metrics exhibited low variability and consistent temporal patterns. For instance, the number of connection sessions and total packet counts showed relatively stable averages with limited dispersion, indicating a highly deterministic communication model. The coefficient of variation (CV) for these metrics remained low throughout steady-state periods, reinforcing the predictability of the traffic.
In contrast, transition periods – such as production shutdowns and restarts – introduced significant deviations. These were characterised by:
  • Sharp reductions in flow counts and packet volumes;
  • Increased variance in short time intervals;
  • Transient spikes associated with connection termination and re-establishment.
Similarly, application-layer metrics such as HTTP response size demonstrated tight clustering around a narrow range during normal operation (approximately 131–134 bytes), with occasional spikes exceeding 140 bytes during transitional phases. These deviations, although statistically significant, were validated as operational artefacts rather than indicators of malicious activity.
Overall, these observations suggest that the network operates as a set of discrete behavioural regimes corresponding to distinct operational states (e.g., normal operation, shutdown, restart). This strong regularity supports the use of statistical methods, such as z-score thresholding, for anomaly detection in this environment.

4.2. Threshold Selection and Experimental Validation

Based on the observed baseline behaviour, detection thresholds were defined and experimentally validated using controlled traffic scenarios. A z-score threshold of 3 was adopted, corresponding to a confidence interval of approximately 99.7% under the assumption of normally distributed behaviour. While strict normality cannot be guaranteed, the low variability and stable behaviour observed in the dataset support the practical applicability of z-score-based thresholding in this context. This choice reflects a balance between sensitivity to deviations and robustness against FP, particularly in highly regular environments such as the one under study.
Since the Zeek script is the same for all metrics apart from its parameters, we developed a simple utility to generate the scripts automatically through meta-programming. This tool implements a simple GUI (see Figure 7) in which the user specifies the relevant parameters. A Zeek script is then generated automatically to track the metric and raise an alert if the threshold is exceeded. For the case illustrated in Figure 7, the generated script tracks the number of connection sessions created in a five-minute window. If the count surpasses the threshold of 6500 connections, an alert is generated in Zeek’s notice.log file.
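As an added illustration of this kind of generator (not the authors' utility, whose code is not shown on this page), the sketch below renders a Zeek SumStats script for the five-minute, 6500-connection case described above. The module and stream names, the choice of the new_connection event, the input validation rules and the μ/σ values in the demo are assumptions.

```python
import math
import re

# Zeek events with the signature (c: connection) that this sketch accepts.
ALLOWED_EVENTS = {"new_connection", "connection_established", "connection_state_remove"}

# Placeholders use __NAME__ because Zeek itself uses $, {} and % in its syntax.
ZEEK_TEMPLATE = '''\
@load base/frameworks/sumstats
@load base/frameworks/notice

module __MODULE__;

export {
    redef enum Notice::Type += { Threshold_Crossed };
}

event __EVENT__(c: connection)
    {
    # Global metric: empty key, every event counts as one observation.
    SumStats::observe("__STREAM__", SumStats::Key(), SumStats::Observation($num=1));
    }

event zeek_init()
    {
    local r1 = SumStats::Reducer($stream="__STREAM__", $apply=set(SumStats::SUM));
    SumStats::create([$name = "__STREAM__.threshold",
                      $epoch = __EPOCH__min,
                      $reducers = set(r1),
                      $threshold = __THRESHOLD__,
                      $threshold_val(key: SumStats::Key, result: SumStats::Result) =
                          {
                          return result["__STREAM__"]$sum;
                          },
                      $threshold_crossed(key: SumStats::Key, result: SumStats::Result) =
                          {
                          NOTICE([$note=Threshold_Crossed,
                                  $msg=fmt("__STREAM__ reached %.0f within __EPOCH__min (limit __THRESHOLD__)",
                                           result["__STREAM__"]$sum)]);
                          }]);
    }
'''

def threshold_from_baseline(mean, std, z=3.0):
    """Alert level mean + z * std, with both statistics taken per aggregation window."""
    return float(mean) + z * float(std)

def render_script(module, stream, event, epoch_minutes, threshold):
    """Return Zeek source for one threshold metric; reject unsafe parameters."""
    # User-supplied strings end up inside generated code, so restrict them
    # to characters that cannot break out of an identifier or string literal.
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", module):
        raise ValueError("module must be a plain identifier")
    if not re.fullmatch(r"[a-z0-9_.]+", stream):
        raise ValueError("stream may contain only a-z, 0-9, '_' and '.'")
    if event not in ALLOWED_EVENTS:
        raise ValueError("unsupported event")
    if not isinstance(epoch_minutes, int) or not 1 <= epoch_minutes <= 1440:
        raise ValueError("epoch must be 1..1440 minutes")
    threshold = float(threshold)
    if not math.isfinite(threshold) or threshold <= 0:
        raise ValueError("threshold must be a positive finite number")
    script = ZEEK_TEMPLATE
    for placeholder, value in {"__MODULE__": module, "__STREAM__": stream,
                               "__EVENT__": event, "__EPOCH__": str(epoch_minutes),
                               "__THRESHOLD__": f"{threshold:.1f}"}.items():
        script = script.replace(placeholder, value)
    return script

if __name__ == "__main__":
    # Constructed baseline (mean 6200, std 100 per five-minute window), not the paper's data.
    limit = threshold_from_baseline(6200, 100)
    print(render_script("ConnSessions", "conn.sessions", "new_connection", 5, limit))
```

The mean and standard deviation fed to the threshold must be computed over windows of the same length as the SumStats epoch; hourly statistics do not translate directly into a five-minute limit.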
To test the generated scripts, we created a virtual interface to ensure that no external traffic could interfere with the tests. We then loaded the generated scripts into Zeek and made sure it was listening on the correct interface. Next, we used tcpreplay, a utility for editing and replaying previously captured network traffic, to inject traffic into the virtual interface. We injected both a pre-recorded pcap file with normal activity and a pcap file with abnormal activity; for testing purposes, two common attacks in this scenario were selected: port scan and DoS SYN flood.
It should be noted that these attack scenarios represent synthetic injections and are primarily intended to validate metric sensitivity, rather than to replicate fully realistic adversarial behaviour in industrial environments.
For the port scan attack, we used nmap, a utility for network discovery and security auditing. After running the tests, we observed that the script tracking the number of sessions detected an anomaly and generated an alert in the notice.log file, as shown in Figure 8. For the DoS SYN flood attack, we used hping3, a network tool able to send custom ICMP/UDP/TCP packets. As in the previous test, we observed that the script detected an anomaly and generated the corresponding alert in the notice.log file, as shown in Figure 9.
The results obtained from controlled attack injection demonstrate that the selected metrics are sensitive to abnormal traffic patterns and can effectively trigger alerts when significant deviations occur. Notably, both port scanning and SYN flood scenarios produced measurable changes in connection-level statistics, validating the suitability of flow-based metrics for anomaly detection.
However, when contrasted with the real-world dataset, these synthetic anomalies differ significantly from the deviations observed during normal operation. While operational events (e.g., production stoppages) also produce statistically significant deviations, their temporal structure and contextual characteristics differ from those induced by malicious activity. This distinction highlights the importance of incorporating contextual and temporal analysis to reduce FP in practical deployments.

5. Conclusions

This work presented a longitudinal empirical study of network behaviour in a real IIoT production environment using passive monitoring with Zeek. The results demonstrate that such environments exhibit highly deterministic and stable communication patterns, enabling the effective construction of behavioural baselines. The use of statistical thresholding, particularly z-score-based approaches, proved suitable for detecting significant deviations while maintaining robustness against normal operational variability.
Importantly, the analysis highlights that not all statistically significant deviations correspond to security incidents, reinforcing the need for contextual awareness in anomaly detection systems. Future work will focus on refining threshold selection, incorporating contextual and temporal correlation mechanisms, and expanding the evaluation with additional attack scenarios aligned with industrial availability requirements.
Finally, these findings reinforce the suitability of behavioural NIDS approaches for highly automated industrial environments.

Funding

“This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 952644. Additionally, this work has been supported by FCT – Fundação para a Ciência e Tecnologia within the R&D Units Project Scope UID/00319/2025 - Centro ALGORITMI (ALGORITMI/UM) https://doi.org/10.54499/UID/00319/2025.”

Abbreviations

The following abbreviations are used in this manuscript:
IIoT: Industrial Internet of Things
IoT: Internet of Things
IT: Information Technology
OT: Operational Technology
IDS: Intrusion Detection Systems

References

  1. Santos, H.M.D. Cybersecurity: A Practical Engineering Approach; Chapman and Hall/CRC, 2022.
  2. Jhanjhi, N.Z.; Humayun, Mamoona S.N.A. Cyber Security and Privacy Issues in Industrial Internet of Things. Comput. Syst. Sci. Eng. 2021, 37, 361–380.
  3. Santos, H.; Oliveira, A.; Soares, L.; Satis, A.; Santos, A. Information Security Assessment and Certification within Supply Chains. In Proceedings of the 16th International Conference on Availability, Reliability and Security. ACM, 8 2021; pp. 1–6.
  4. Sarker, I.H. AI for enhancing ICS/OT cybersecurity. In AI-Driven Cybersecurity and Threat Intelligence: Cyber Automation, Intelligent Decision-Making and Explainability; Springer, 2024; pp. 137–152.
  5. Kok, A.; Martinetti, A.; Braaksma, J. The impact of integrating information technology with operational technology in physical assets: A literature review. IEEE Access 2024, 12, 111832–111845.
  6. Lopes, W.A.C.; Ruggero, S.M.; Okano, M.T. An Assessment Framework for IT/OT Convergence Maturity in Industrial Environments. In Proceedings of the 2026 IEEE 16th Annual Computing and Communication Workshop and Conference (CCWC); IEEE, 2026; pp. 1228–1233.
  7. Meneghello, F.; Calore, M.; Zucchetto, D.; Polese, M.; Zanella, A. IoT: Internet of Threats? A Survey of Practical Security Vulnerabilities in Real IoT Devices. IEEE Internet Things J. 2019, 6, 8182–8201.
  8. Sadhu, P.K.; Yanambaka, V.P.; Abdelgawad, A. Internet of things: Security and solutions survey. Sensors 2022, 22, 7433.
  9. Scarfone, K.A.; Mell, P.M. Guide to Intrusion Detection and Prevention Systems (IDPS); NIST – National Institute of Standards and Technology, 2007.
  10. Garcia-Teodoro, P.; Diaz-Verdejo, J.; Maciá-Fernández, G.; Vázquez, E. Anomaly-based network intrusion detection: Techniques, systems and challenges. Comput. Secur. 2009, 28, 18–28.
  11. García-Teodoro, P.; Díaz-Verdejo, J.; Maciá-Fernández, G.; Vázquez, E. Anomaly-based network intrusion detection: Techniques, systems and challenges. Comput. Secur. 2009, 28, 18–28.
  12. Jeffrey, N.; Tan, Q.; Villar, J.R. A review of anomaly detection strategies to detect threats to cyber-physical systems. Electronics 2023, 12, 3283.
  13. Jadidi, Z.; Pal, S.; Hussain, M.; Nguyen Thanh, K. Correlation-based anomaly detection in industrial control systems. Sensors 2023, 23, 1561.
  14. Wu, T.; Zhou, D.; Ou, Q.; Luo, F. Intrusion Detection Systems in Industrial Control Systems: Landscape, Challenges and Opportunities. Comput. Mater. Contin. 2026, 86.
  15. Denning, D.; Neumann, P.G. Requirements and model for IDES-a real-time intrusion-detection expert system; SRI International Menlo Park, 1985; Vol. 8.
  16. Axelsson, S. Intrusion detection systems: A survey and taxonomy; Technical Report 99–15; Chalmers Univ, 2000.
  17. Butun, I.; Morgera, S.D.; Sankar, R. A survey of intrusion detection systems in wireless sensor networks. IEEE Commun. Surv. Tutor. 2014, 16, 266–282.
  18. McHugh, J. Intrusion and intrusion detection. Int. J. Inf. Secur. 2001, 1, 14–35.
  19. Cho, J.; Gong, S. Dynamic Data Abstraction-Based Anomaly Detection for Industrial Control Systems. Electronics 2024, 13.
  20. Kruegel, C.; Vigna, G. Anomaly Detection of Web-based Attacks. In Proceedings of the ACM CCS, 2003.
  21. Sommer, R.; Paxson, V. Outside the Closed World: On Using Machine Learning for Network Intrusion Detection. In Proceedings of the IEEE Symposium on Security and Privacy, 2010.
  22. Singh, G.; Khare, N. A survey of intrusion detection from the perspective of intrusion datasets and machine learning techniques. Int. J. Comput. Appl. 2022, 44, 659–669.
  23. Amer, E.; Elboghdadly, T. Evaluating machine learning techniques for ICS security: Insights from dataset limitations and classifier performance. In Proceedings of the 2024 International Mobile, Intelligent, and Ubiquitous Computing Conference (MIUCC); IEEE, 2024; pp. 368–373.
  24. Liao, H.J.; Richard Lin, C.H.; Lin, Y.C.; Tung, K.Y. Intrusion detection system: A comprehensive review. J. Netw. Comput. Appl. 2013, 36, 16–24.
  25. Bansal, K.; Singhrova, A. Review on intrusion detection system for IoT/IIoT-brief study. Multimed. Tools Appl. 2024, 83, 23083–23108.
  26. Payne, S. SANS Institute Information Security Reading Room A Guide to Security Metrics. 2006.
  27. Kumar, G. Evaluation metrics for intrusion detection systems-a study. Evaluation 2014, 2, 11–7.
  28. da Silva Oliveira, A.; Santos, H. Continuous Industrial Sector Cybersecurity Assessment Paradigm: Proposed Model of Cybersecurity Certification. In Proceedings of the 2022 18th International Conference on the Design of Reliable Communication Networks (DRCN); IEEE, 3 2022; pp. 1–6.
  29. Zeek Documentation — Book of Zeek.
  30. Masip-Bruin, X.; Marín-Tordera, E.; Ruiz, J.; Jukan, A.; Trakadas, P.; Cernivec, A.; Lioy, A.; López, D.; Santos, H.; Gonos, A.; et al. Cybersecurity in ICT Supply Chains: Key Challenges and a Relevant Architecture. Sensors 2021, 21, 6057.
Figure 1. Zeek’s high level architecture, adapted from [29].
Figure 2. Wireshark’s Protocol hierarchy of one day’s worth of observed traffic.
Figure 3. Zeek deployment architecture in IndA’s premises.
Figure 4. Number of connections seen every hour over a period of 3 months.
Figure 5. Number of total packets seen every hour over a period of 3 months.
Figure 6. Average length of HTTP responses seen every hour over a period of 3 months.
Figure 7. Zeek script generator tool.
Figure 8. Number of sessions threshold crossed alert generated by Zeek.
Figure 9. Number of total packets threshold crossed alert generated by Zeek.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.