A CTI-Enriched GCN-LSTM Architecture for Multiclass Cyberattack Classification in Critical Infrastructure

aut.relation.endpage: 5585
aut.relation.issue: 11
aut.relation.journal: Applied Sciences
aut.relation.startpage: 5585
aut.relation.volume: 16
dc.contributor.author: Pinto, Andrea
dc.contributor.author: Herrera, Luis-Carlos
dc.contributor.author: Donoso, Yezid
dc.contributor.author: Gutierrez, Jairo
dc.date.accessioned: 2026-06-04T03:34:51Z
dc.date.available: 2026-06-04T03:34:51Z
dc.date.issued: 2026-06-03
dc.description.abstract: Critical infrastructures (CI) are essential to modern society, providing vital services such as energy, water, and transportation. However, these systems are increasingly targeted by sophisticated cyberattacks that exploit vulnerabilities in both IT (Information Technology) and OT (Operational Technology) environments, posing significant risks to safety, economic stability, and national security. Despite advancements, current anomaly detection models for CI often cannot effectively integrate diverse data sources or provide detailed attack classifications. To address these challenges, we propose a novel Graph Convolutional Network (GCN) model integrated with Long Short-Term Memory (LSTM) layers for effective anomaly detection and attack classification in CI. The model leverages Cyber Threat Intelligence (CTI) and MITRE ATT&CK techniques, integrating network traffic and physical device data to enhance detection of sophisticated threats. Unlike approaches using binary classification, our model performs multiclass classification to recognize specific attack types, bridging the gap in understanding complex attack patterns within CI. By incorporating Indicators of Compromise (IoCs) from MISP (Malware Information Sharing Platform) with the SWaT (Secure Water Treatment) dataset, we developed a graph-based data structure where nodes represent entities such as SCADA tags and IP addresses. The model processes this dynamic graph using convolutional layers for spatial feature extraction and LSTM layers for temporal dependencies. Results indicate a significant improvement over existing solutions, achieving a test accuracy of 99.04% and a macro F1-score of 0.9151. The integration of multiple data sources enhances the model's capacity to handle evolving cyber threats, making it well-suited for protecting CI.
dc.identifier.citation: Applied Sciences, ISSN: 2076-3417 (Online), MDPI AG, 16(11), 5585-5585. doi: 10.3390/app16115585
dc.identifier.doi: 10.3390/app16115585
dc.identifier.issn: 2076-3417
dc.identifier.uri: http://hdl.handle.net/10292/21318
dc.language: en
dc.publisher: MDPI AG
dc.relation.uri: https://www.mdpi.com/2076-3417/16/11/5585
dc.rights: © 2026 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license.
dc.rights.accessrights: OpenAccess
dc.rights.uri: https://creativecommons.org/licenses/by/4.0/
dc.subject: cyber threat intelligence
dc.subject: cybersecurity
dc.subject: critical infrastructures
dc.subject: graph neural networks
dc.subject: MITRE ATT&CK framework
dc.title: A CTI-Enriched GCN-LSTM Architecture for Multiclass Cyberattack Classification in Critical Infrastructure
dc.type: Journal Article
pubs.elements-id: 763084

Files

Original bundle

Name: applsci-16-05585.pdf
Size: 2.29 MB
Format: Adobe Portable Document Format
Description: Journal article

License bundle

Name: license.txt
Size: 1.37 KB
Format: Plain Text
Description: