Affiliation:
1. State Key Lab of Rail Traffic Control and Safety, Beijing Jiaotong University, Beijing, China
2. Signal and Communication Research Institute, China Academy of Railway Sciences Corporation Ltd., Beijing, China
Abstract
Advanced Persistent Threats (APTs) have emerged as one of the key security challenges to industrial control systems. APTs are complex, multi-step attacks that are inherently diverse, so it is important to understand the behaviour of APT attackers and anticipate their upcoming attack actions. GNN-AP is proposed, a framework that uses an alert log to predict potential attack targets. Firstly, GNN-AP uses causality to eliminate confounding elements from the alert dataset and then uses an encoder-decoder model to reconstruct an attack scenario graph. Based on the chronological characteristics of APT attacks, GNN-AP identifies APT attack sequences from the attack scenario graphs and integrates these sequences with communication-based train control (CBTC) device topology information to construct an Attack-Target Graph. On this attack-target graph, a graph neural network approach is used to identify the attack intent and to transform the attack prediction problem into a link prediction problem: predicting the edges that connect attack nodes to target nodes. Simulation results obtained using DARPA data show that the proposed method outperforms the comparison methods by 4% in prediction accuracy. Furthermore, the method was applied to a CBTC system dataset with a prediction accuracy of 88%, demonstrating the efficacy of the proposed method for industrial control systems.
Publisher
Institution of Engineering and Technology (IET)
References: 40 articles.