Title: MER-GCN: Reasoning about attacking group behaviors using industrial control system attack knowledge graphs
Authors: Xiao Zhang, Yingxu Lai, Xinrui Dong, Xinyu Xu
Journal: Computers & Security, volume 157, Article 104558
DOI: 10.1016/j.cose.2025.104558
Publication date: 2025-06-16
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002470
Journal impact factor: 5.4; JCR quartile: Q1 (Computer Science, Information Systems); region category: computer science, region 2
Citation count: 0; open access: no
Record source: Semanticscholar
MER-GCN: Reasoning about attacking group behaviors using industrial control system attack knowledge graphs
To enhance the ability of Intrusion Detection Systems (IDSs) to detect complex attacks on Industrial Control Systems (ICSs), we developed the ICS attack knowledge graph (ICS-Attack-KG). This graph focuses on learning the correlations across attack groups’ behaviors to enable cross-group threat intelligence sharing. Based on the knowledge learned, the graph can reason about potential attack behaviors more comprehensively and accurately, which helps an IDS update its rulebase and detect complex attack behaviors. However, data sparsity, caused by the difficulty of obtaining threat intelligence on advanced attack groups, together with the data complexity introduced by learning correlations across attack groups’ behaviors, makes embedding and reasoning on a knowledge graph harder. To address these issues, we introduce a novel link prediction model named the Multi-Edge Relation Graph Convolutional Network (MER-GCN). This model overcomes the limitations of data sparsity by embedding the global graph structure into relation vectors, enabling it to supply missing information through adjacent or related nodes. To better learn the correlations across attack groups’ behaviors, MER-GCN treats each attack group as a relation and uses three-dimensional convolutional computation and relational projections to capture pattern sharing and differences across relational subgraphs. Empirical evaluation results demonstrate that the model significantly improves the accuracy and completeness of reasoning about attack groups’ behaviors in ICS. On the ICS-Attack-KG dataset, the model achieves an 11.3% improvement in mean reverse rank (MRR) over the state-of-the-art MR-GCN model. Additionally, the model also improves by 6.8% on the widely recognized Reuters dataset, demonstrating its good generalization ability on a common dataset.
Journal description:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.