Characterizing AI-Assisted Bot Traffic in Darknet Data: Implications for ICS and IIoT Security

📅 2026-05-13

🤖 AI Summary
This study addresses the growing challenge posed by AI-driven automated scanning tools that undermine foundational assumptions of intrusion detection systems in industrial control systems (ICS) and Industrial Internet of Things (IIoT) environments. Leveraging a modular analytical pipeline applied to 192 million darknet packets captured between 2021 and 2025, this work reveals for the first time that modern botnets employ microsecond-scale artificial delays to smooth traffic and evade conventional threshold-based anomaly detection. Multidimensional evaluation—including average packet rate, Shannon entropy, inter-arrival time burstiness, geolocation provenance, and port distribution—demonstrates that ICS-targeted scan traffic nearly doubled over four years. Alarmingly, 97.47% of botnet traffic successfully bypasses standard detection mechanisms, while increasing detector sensitivity incurs an unacceptably high false positive rate of 68.10%.
📝 Abstract
The rise of automated scanning tools and AI-assisted reconnaissance agents has significantly altered internet background traffic patterns, threatening the baseline assumptions underlying intrusion detection systems (IDS) deployed in critical infrastructure networks. This paper characterizes the evolution of automated bot traffic by analyzing a longitudinal dataset of 192 million passive darknet packets captured across 2021 and 2025 from the Merit ORION Network Telescope. A modular analysis pipeline was developed to compute metrics including average packet rate, global Shannon entropy, inter-arrival time (IAT) burstiness, geographic attribution, and destination port targeting across key industrial protocols. Results reveal a highly distributed yet focused reconnaissance landscape, with traffic targeting ICS-relevant ports nearly doubling from 0.82% to 1.51% over the four-year period. Furthermore, burstiness analysis exposes intentional micro-pacing behaviors (1 ms to 100 ms delays) that allow modern botnets to artificially smooth their overall volume. Our simulated anomaly-based IDS demonstrates that these evasion techniques enable 97.47% of modern bot traffic to bypass standard volumetric thresholds undetected. Compensatory sensitivity tuning triggers a 68.10% false-positive rate, highlighting fundamental visibility and alerting gaps in operational technology (OT) environments.
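As an added illustration (not code from the paper), the sketch below shows why a per-second volumetric threshold misses a micro-paced source while inter-arrival-time burstiness exposes it. The 100 pps threshold, the -0.5 cut-off, the Goh-Barabasi burstiness definition and all timestamps are assumptions constructed for this example; the paper's own metric definitions and parameters are not given on this page.

```python
import random
import statistics
from collections import Counter

RATE_THRESHOLD_PPS = 100   # assumed volumetric alert threshold (packets/second)
PACED_BURSTINESS = -0.5    # assumed cut-off: B below this means near-periodic sending

def peak_rate(timestamps):
    """Highest packet count in any 1-second bucket."""
    return max(Counter(int(t) for t in timestamps).values())

def burstiness(timestamps):
    """Goh-Barabasi B = (sigma - mu) / (sigma + mu) over inter-arrival times.
    B -> -1 periodic, B ~ 0 Poisson-like, B -> +1 bursty."""
    ts = sorted(timestamps)
    iats = [b - a for a, b in zip(ts, ts[1:])]
    mu, sigma = statistics.mean(iats), statistics.pstdev(iats)
    return (sigma - mu) / (sigma + mu)

def classify(timestamps):
    """Return (volumetric_alert, pacing_alert) for one source's packets."""
    return (peak_rate(timestamps) > RATE_THRESHOLD_PPS,
            burstiness(timestamps) < PACED_BURSTINESS)

def constructed_sources(seed=7):
    """Constructed timestamps (seconds) for three synthetic sources, 60 s each."""
    rng = random.Random(seed)
    # 20 pps with 50 ms pacing plus up to 2 ms jitter
    paced = [i * 0.050 + rng.uniform(0, 0.002) for i in range(1200)]
    # 500 packets inside one second, then silence until one more at t=59
    burst = [10 + rng.random() for _ in range(500)] + [59.0]
    # Poisson-like background, mean 20 pps
    t, background = 0.0, []
    while t < 60:
        t += rng.expovariate(20)
        background.append(t)
    return {"paced": paced, "burst": burst, "background": background}

if __name__ == "__main__":
    for name, ts in constructed_sources().items():
        print(name, classify(ts), round(burstiness(ts), 2))
```

The paced source never trips the rate threshold, yet its burstiness sits near -1, far from the roughly 0 of Poisson-like background, which is the kind of signal a rate-only detector cannot see.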
Problem

Research questions and friction points this paper is trying to address.

AI-assisted bot traffic
intrusion detection systems
ICS security
IIoT security
darknet data
Innovation

Methods, ideas, or system contributions that make the work stand out.

AI-assisted bot traffic
darknet telemetry
micro-pacing evasion
ICS/IIoT security
anomaly-based IDS