Defense model to detect cyberattacks in critical infrastructures: Machine Learning And Cyber Threat Intelligence Approach
- Authors: Pinto Rojas, Yuri Andrea
- Resource type: Doctoral thesis
- Publication date: 2024
- Institution: Universidad de los Andes
- Repository: Séneca: repositorio Uniandes
- Language: eng
- OAI Identifier: oai:repositorio.uniandes.edu.co:1992/75272
- Online access: https://hdl.handle.net/1992/75272
- Keywords: Cybersecurity; Critical Infrastructures; Artificial Intelligence; Cyber Threat Intelligence; Engineering
- Rights: openAccess
- License: Attribution-NonCommercial-NoDerivatives 4.0 International
Summary:

Critical Infrastructures (CIs), including energy, water, and industrial control systems, are foundational to the functioning of modern society. However, the evolving sophistication of cyber threats poses significant risks to these essential services, with traditional security frameworks often falling short in addressing the complexities inherent to CIs. The increasing integration of Industrial Internet of Things (IIoT) devices and operational technologies further complicates the security landscape, creating a critical need for adaptive and holistic cybersecurity solutions that can protect against both network and physical disruptions. This doctoral thesis presents the Integrated Hybrid Cybersecurity Framework (IHCF)—a novel, adaptive approach designed to address these challenges. By integrating Adversarial Autoencoders (AAE) with Graph Convolutional Networks with Long Short-Term Memory (GCN-LSTM) and leveraging Cyber Threat Intelligence (CTI), the IHCF aims to bridge the gap between physical anomaly detection and network-based threat classification. The framework offers a comprehensive, context-aware defense mechanism capable of handling both known and emerging threats across physical and network domains in CI environments. The research follows an iterative Design Science Research Methodology (DSRM), starting with problem identification, moving through solution design, development, and rigorous evaluation, and concluding with effective communication of findings. Through an extensive systematic literature review, key limitations in existing cybersecurity frameworks were identified—primarily their inability to effectively integrate network traffic analysis with physical anomaly detection and contextual threat intelligence. The IHCF was developed to overcome these limitations, using a hybrid approach to integrate physical sensor data, network traffic data, and threat intelligence into a cohesive security framework.

The IHCF was evaluated using the SWAT dataset—a scaled-down industrial testbed providing both physical sensor and network data, with attack scenarios targeting physical components and network communications. The evaluation results demonstrate that the IHCF successfully detected and classified all 26 attack scenarios targeted for detection, achieving robust performance across both network and physical domains. The Adversarial Autoencoder (AAE) successfully identified 24 out of 26 scenarios, while the GCN-LSTM component achieved an accuracy of 99.04% and a macro F1-score of 0.9151, reflecting strong classification capabilities across diverse classes. This hybrid approach ensures that all anomalies are detected, providing a comprehensive detection mechanism that captures both temporal and spatial anomalies. The inclusion of MITRE ATT&CK within the GCN-LSTM further enriched the framework's situational awareness, mapping detected threats to known adversary tactics, techniques, and procedures, and thereby providing valuable context to guide response actions. This feature empowers analysts with actionable insights, facilitating targeted and efficient incident responses that enhance the resilience of CI systems. While the IHCF demonstrated strong results, several limitations were identified, including reliance on a single dataset for evaluation and challenges related to generalizing the findings to other CI environments. Expanding the scope of datasets, enhancing adaptability, and ensuring scalability will be essential steps for future research to address these limitations. Overall, this thesis contributes significantly to the academic and practical domains of cybersecurity, presenting an adaptive, robust, and context-aware solution for protecting critical infrastructure systems.

The IHCF provides a pathway to significantly improve the cybersecurity posture of CIs by integrating AI-driven anomaly detection with threat intelligence, and these findings will be disseminated through peer-reviewed publications and academic conference presentations to advance knowledge in the field.