The rapid growth of cyberattacks targeting Industrial Control Systems (ICS) presents significant challenges to the security of critical infrastructure, with a reported 668% increase in incidents over the past three years. To mitigate this growing threat, security analysts have incorporated active threat intelligence techniques into their workflows, such as the ICS section of the MITRE ATT&CK framework, to comprehend, attribute, and mitigate ICS-specific advanced persistent threats (APTs) observed within their networks. This work is composed of an evaluation of utilizing the Gradient Boosted Decision Tree (GBDT) machine learning model, trained on the real-world ICS ATT&CK framework datasets and supplemented with synthetically defined attack chain data, to assess whether an integrated model can assist cybersecurity analysts in classifying known threat actors and predicting their potential behaviors within the attack chain, based on early indicators of compromise. In this paper, we have demonstrated the effectiveness of our model through a series of developed visualizations, such as confusion matrices and feature importance charts. The visualizations highlighting the overlaps between group data and the unique ICS Tactics, Techniques, and Procedures (TTPs) that were identified as key discriminators. While GBDTs are effective for classifying highly documented APTs, limitations include reduced confidence when APTs rapidly evolve between campaigns, and a notable reliance on synthetic data, which may decrease with the addition of classifiers within a broader dataset. This work highlights the potential of GBDT’s to support analysts in APT identification, thereby enhancing ICS security through predictive attribution. Future directions will focus on integrating multi-source data and contextual factors.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Evaluation of GBDTs in APT Identification Tasks within ICS Networks

  • Keith Alan Crabb,
  • Emery Johnson,
  • John A. Hamilton

摘要

The rapid growth of cyberattacks targeting Industrial Control Systems (ICS) presents significant challenges to the security of critical infrastructure, with a reported 668% increase in incidents over the past three years. To mitigate this growing threat, security analysts have incorporated active threat intelligence techniques into their workflows, such as the ICS section of the MITRE ATT&CK framework, to comprehend, attribute, and mitigate ICS-specific advanced persistent threats (APTs) observed within their networks. This work is composed of an evaluation of utilizing the Gradient Boosted Decision Tree (GBDT) machine learning model, trained on the real-world ICS ATT&CK framework datasets and supplemented with synthetically defined attack chain data, to assess whether an integrated model can assist cybersecurity analysts in classifying known threat actors and predicting their potential behaviors within the attack chain, based on early indicators of compromise. In this paper, we have demonstrated the effectiveness of our model through a series of developed visualizations, such as confusion matrices and feature importance charts. The visualizations highlighting the overlaps between group data and the unique ICS Tactics, Techniques, and Procedures (TTPs) that were identified as key discriminators. While GBDTs are effective for classifying highly documented APTs, limitations include reduced confidence when APTs rapidly evolve between campaigns, and a notable reliance on synthetic data, which may decrease with the addition of classifiers within a broader dataset. This work highlights the potential of GBDT’s to support analysts in APT identification, thereby enhancing ICS security through predictive attribution. Future directions will focus on integrating multi-source data and contextual factors.