Extracting Novel Attack Strategies for Industrial Cyber-Physical Systems Based on Cyber Range
Saved in:

| Published in: | IEEE Systems Journal, 2023-12, Vol. 17 (4), p. 1-11 |
|---|---|
| Main authors: | |
| Format: | Article |
| Language: | English |
| Subject headings: | |
| Online access: | Order full text |
| Abstract: | With the rapid development of information technologies, more and more cyberattacks are emerging that cause serious consequences for the critical infrastructures in industrial cyber-physical systems. As cyberattacks are becoming more and more complicated and might be composed of multiple steps, obtaining the attack strategies can help understand and better defend against these attacks. However, there are many unknown cyberattacks every day, and attackers normally will not reveal their attack steps and tools, so obtaining attack strategies is a persistently challenging problem. A cyber range is a testbed that can simulate a networked system and supports attack and defense activities conducted with no harm to the real system. As the cyber range can record process data during the activity, extracting cyberattack strategies based on the cyber range has become one effective approach. In this article, we propose an attack strategies extraction framework to obtain the attack strategies from the security alerts that are generated in the cyber range, which uses a model called the attack strategies identifier to identify attack sequences that have attack patterns similar to some known attack strategies. Through our experiments, the attack strategies identifier was able to judge unknown attack sequences with 98.26% accuracy, 98.70% recall, and 98.44% F1-score. We implemented and tested our framework on two network attack and defense activities in the cyber range, and obtained 45 and 47 attack strategies, respectively. Through manual validation, our framework has the ability to extract novel attack strategies from security alerts. |
| ISSN: | 1932-8184, 1937-9234 |
| DOI: | 10.1109/JSYST.2023.3303361 |