Defending industrial internet of things against Modbus/TCP threats: A combined AI-based detection and SDN-based mitigation solution
Description
Industrial Internet of Things (IIoT) environments are ushering in new avenues for connectivity and intelligent control, yet their integration with legacy systems poses substantial security challenges. Present cybersecurity frameworks are insufficient for safeguarding protocols like Modbus/TCP, widely employed in critical infrastructures such as smart grids and healthcare. This protocol's inherent vulnerabilities, specifically the lack of robust authentication and authorisation mechanisms, render industrial networks susceptible to a spectrum of cyberattacks with potentially cascading effects. The research motivation stems from the urgent need for an adaptive, robust security solution that bridges this gap. To address these issues, we propose an integrated approach that combines advanced threat modeling with state-of-the-art detection and mitigation techniques. First, we develop a comprehensive Modbus/TCP threat model by integrating STRIDE-per-element analysis, Attack Defence Trees (ADT), and risk assessment frameworks (CVSS and OWASP-RR) to quantitatively and qualitatively evaluate 14 distinct cyber threats. Next, we introduce a novel Intrusion Detection and Prevention System (IDPS) that leverages an Active ResNet50-based Convolutional Neural Network enhanced with Transfer Learning and Active Learning. This enables automated detection and classification of cyberattacks through continuous re-training based on human verification. Finally, our system employs a Software Defined Networking (SDN)-based mitigation strategy, using Thompson Sampling for adaptive, cost-effective decision-making. Experimental evaluation on a custom Modbus/TCP dataset demonstrates improved accuracy, higher True Positive Rates, and reduced False Positive Rates compared to conventional methods. These outcomes substantiate that integrating AI-driven detection with SDN-based mitigation offers a viable and robust framework to minimize cyberattack impacts on critical IIoT infrastructures.
Files

| Name | Size | md5 |
|---|---|---|
| s10207-025-01076-2.pdf | 3.9 MB | ee2800308a6288cf55e38ea9a76a5426 |
Additional details

Dates
- Available: 2025-06-13