HYBRID NEURAL NETWORK MODEL FOR DETECTING AND QUANTIFYING THE TARGETED ATTACKS RISK ON SCADA/ICS SYSTEMS OF CRITICAL INFRASTRUCTURE FACILITIES
DOI: https://doi.org/10.32689/maup.it.2025.4.25
Keywords: SCADA/ICS, neural network model, targeted attack, regularization, critical infrastructure object
Abstract
Quantifying the risk of targeted attacks on SCADA/ICS systems of critical infrastructure facilities is a key prerequisite for making informed decisions to increase cyber resilience, optimize protection mechanisms, and minimize potential man-made and socio-economic consequences. Objective. Development of an adaptive hybrid neural network model for detecting and quantifying the risk of targeted attacks on SCADA/ICS systems of critical infrastructure facilities. The proposed architecture combines multimodal integration of process and network signals through specialized encoders, cross-modal attention fusion with prototypical regularization to increase local interpretability, and mechanisms for processing uneven and partially missing telemetry (variational auto-imputation, latent ordinary differential equations, or transformer approaches with masks). The proposed detection criterion combines reconstruction, prediction, and contrastive components with adaptive predictive components to increase sensitivity to "low-and-slow" attack scenarios. For quantitative risk assessment, a calibrated probabilistic score and an expected loss function were introduced, which made it possible to formalize the threshold response policy (monitoring, isolation, and automatic countermeasures) as a multi-level strategy. Incremental learning with a limited buffer, MAML-like initialization, and domain-adversarial regularization were used to ensure adaptability to drift and new configurations. XAI mechanisms (internal attention, prototypes, integrated gradients, and SHAP-like approximations) provide logical tracing of cause-and-effect scenarios and support for forensic conclusions. Experimental validation was carried out on a multimodal dataset formed by combining public SCADA/ICS datasets with simulated trajectories and attack scenarios.
The evaluation included ROC-AUC and F1 score for anomaly detection, RMSE for the predictive component, and economically oriented metrics of expected loss and calibrated risk. Scientific novelty. Development of an adaptive interpretable neural network model that, for the first time, combines multimodal integration of SCADA/ICS network and process signals, robust detection of "low-and-slow" targeted attacks under limited telemetry conditions, and formalized quantitative risk assessment with prediction of consequences for the physical processes of critical infrastructure. Conclusion. The results demonstrate increased stability in detecting "low-and-slow" attacks and a correlation between predictive deviations and increasing RMSE during attack phases, which supports a formalized selection of operational thresholds.






