Current fuzzing techniques for industrial control protocols (ICPs) encounter notable challenges, including model training instability, limited sample diversity, and the inability to manage complex state dependencies in protocol interactions. To address these issues, this paper presents SD-Fuzz, a state-aware fuzzing framework that integrates a discrete denoising diffusion probabilistic model (DDPM) with an online Hidden Markov Model (HMM). The discrete DDPM is designed to generate syntactically valid and diverse protocol messages using cosine noise scheduling and Denoising Diffusion Implicit Model (DDIM) sampling, while the HMM performs unsupervised learning of state transitions from real traffic to guide the creation of logically consistent multi-step interaction sequences. The framework is evaluated on three representative Modbus/TCP slave implementations. Evaluations based on 5 h benchmark campaigns across multiple independent runs indicate that SD-Fuzz achieves a mean test case recognition rate (TCRR) of 91.3% and an HMM-inferred state transition coverage of 50.1%, exhibiting statistically significant improvements over the evaluated baselines. Furthermore, an extended 8 h vulnerability mining campaign demonstrates its capability to trigger deep-seated exceptions, including buffer overflows and protocol state violations, which are typically difficult to reach with traditional stateless approaches. This work illustrates the feasibility of combining diffusion-based generation with lightweight state inference for automated vulnerability discovery in industrial control systems. Directions for future work include validation on physical programmable logic controller (PLC) hardware to obtain internal code coverage feedback.
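To make the two metrics in the abstract concrete, the following added example (not SD-Fuzz's own code) treats Modbus function codes as protocol states, estimates a transition table from a constructed traffic trace by counting (a first-order Markov approximation standing in for the paper's online HMM, with no hidden states), samples multi-step sequences from it, encodes each step as a Modbus/TCP frame, and computes the state transition coverage of a set of generated sequences; `classify_response` shows the kind of per-reply check a TCRR computation relies on. `SAMPLE_TRAFFIC` and the helper names are assumptions.

```python
"""Modbus/TCP frame construction and state-transition coverage (added example,
not SD-Fuzz's own implementation). States are Modbus function codes; the
transition table is a counting-based Markov approximation of the paper's HMM."""
import random
import struct
from collections import defaultdict

# Constructed sample traffic: function codes observed on one Modbus/TCP session,
# in order (3 = Read Holding Registers, 6 = Write Single Register, 16 = Write Multiple).
SAMPLE_TRAFFIC = [3, 3, 6, 3, 16, 3, 6, 6, 3]

def learn_transitions(trace):
    """Estimate P(next | current) from an observed sequence of function codes."""
    counts = defaultdict(lambda: defaultdict(int))
    for cur, nxt in zip(trace, trace[1:]):
        counts[cur][nxt] += 1
    return {cur: {nxt: n / sum(row.values()) for nxt, n in row.items()}
            for cur, row in counts.items()}

def sample_sequence(model, start, steps, rng):
    """Walk the learned chain to produce a logically ordered multi-step sequence."""
    seq = [start]
    while len(seq) < steps and model.get(seq[-1]):   # stop at a state with no successors
        row = model[seq[-1]]
        seq.append(rng.choices(list(row), weights=list(row.values()))[0])
    return seq

def build_frame(tid, unit, fc, pdu_data):
    """Encode a Modbus/TCP ADU: 7-byte MBAP header (transaction id, protocol id 0,
    length = unit id + PDU bytes, unit id) followed by the PDU (function code + data)."""
    pdu = bytes([fc]) + pdu_data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def classify_response(adu):
    """'exception:<code>' when the slave answered with an exception PDU (fc | 0x80),
    else 'normal'; a non-exception reply is what counts as a recognized test case."""
    fc = adu[7]
    return f"exception:{adu[8]}" if fc & 0x80 else "normal"

def transition_coverage(model, sequences):
    """Fraction of learned (nonzero-probability) transitions that at least one
    generated multi-step sequence exercises: the paper's coverage metric."""
    learned = {(c, n) for c, row in model.items() for n in row}
    exercised = {(a, b) for seq in sequences for a, b in zip(seq, seq[1:])}
    return len(learned & exercised) / len(learned) if learned else 0.0

if __name__ == "__main__":
    model = learn_transitions(SAMPLE_TRAFFIC)
    seqs = [sample_sequence(model, 3, 4, random.Random(7)) for _ in range(5)]
    print("coverage:", transition_coverage(model, seqs))
```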
Tang et al. (Sun,) studied this question.