A CTI-Enriched GCN-LSTM Architecture for Multiclass Cyberattack Classification in Critical Infrastructure

Authors

Pinto, Andrea
Herrera, Luis-Carlos
Donoso, Yezid
Gutierrez, Jairo

Item type

Journal Article

Publisher

MDPI AG

Abstract

Critical infrastructures (CI) are essential to modern society, providing vital services such as energy, water, and transportation. However, these systems are increasingly targeted by sophisticated cyberattacks, exploiting vulnerabilities in both IT (Information Technology) and OT (Operational Technology) environments, posing significant risks to safety, economic stability, and national security. Despite advancements, current anomaly detection models for CI often cannot effectively integrate diverse data sources or provide detailed attack classifications. To address these challenges, we propose a novel Graph Convolutional Network (GCN) model integrated with Long Short-Term Memory (LSTM) layers for effective anomaly detection and attack classification in CI. The model leverages Cyber Threat Intelligence (CTI) and MITRE ATT&CK techniques, integrating network traffic and physical device data to enhance detection of sophisticated threats. Unlike approaches using binary classification, our model performs multiclass classification to recognize specific attack types, bridging the gap in understanding complex attack patterns within CI. By incorporating Indicators of Compromise (IoCs) from MISP (Malware Information Sharing Platform) with the SWAT (Secure Water Treatment) dataset, we developed a graph-based data structure where nodes represent entities like SCADA tags and IP addresses. The model processes this dynamic graph using convolutional layers for spatial feature extraction and LSTM layers for temporal dependencies. Results indicate a significant improvement over existing solutions, achieving a test accuracy of 99.04% and a macro F1-score of 0.9151. The integration of multiple data sources enhances the model’s capacity to handle evolving cyber threats, making it well-suited for protecting CI.

Keywords

cyber threat intelligence, cybersecurity, critical infrastructures, graph neural networks, MITRE ATT&CK framework

Source

Applied Sciences, ISSN: 2076-3417 (Online), MDPI AG, 16(11), 5585-5585. doi: 10.3390/app16115585

Rights statement

© 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.