Joni Herttuainen

Joni Herttuainen, Vesa Kuikka, Kimmo K. Kaski

Cyberattacks on enterprise networks exploit complex dependencies among infrastructure, services, and applications, which challenge traditional analysis methods that focus on attack paths or network topology in isolation. In this study, we introduce a novel probabilistic multilayer modelling framework, based on influence propagation in networks, that integrates attack graphs with the communication network topology, enabling a service-centric impact analysis of cyberattacks. Our method captures both the vulnerability exploitability and network connectivity, allowing us to assess the likelihood of attack propagation and cumulative impacts across interconnected services. By integrating standard vulnerability metrics (such as CVSS) with the network-level connectivity probabilities, the framework provides a cohesive view of the dynamics of cyberattacks. We validate this approach using a realistic case study of an enterprise network, demonstrating its ability to determine critical nodes, vulnerabilities, and service dependencies that significantly influence attack outcomes. Our findings show that integrating network and attack graph perspectives offers more actionable insights into risk assessment and mitigation planning, advancing the analysis of cyberattacks in complex networked environments.

Kosti Koistinen, Kirsi Hellsten, Joni Herttuainen et al.

Industrial Control Systems (ICS) underpin critical infrastructure and face growing cyber-physical threats due to the convergence of operational technology and networked environments. While machine learning-based anomaly detection approaches in ICS shows strong theoretical performance, deployment is often limited by poor explainability, high false-positive rates, and sensitivity to evolving system behavior, i.e., baseline drifting. We propose a Spatio-Temporal Attention Graph Neural Network (STA-GNN) for unsupervised and explainable anomaly detection in ICS that models both temporal dynamics and relational structure of the system. Sensors, controllers, and network entities are represented as nodes in a dynamically learned graph, enabling the model to capture inter-dependencies across physical processes and communication patterns. Attention mechanisms provide influential relationships, supporting inspection of correlations and potential causal pathways behind detected events. The approach supports multiple data modalities, including SCADA point measurements, network flow features, and payload features, and thus enables unified cyber-physical analysis. To address operational requirements, we incorporate a conformal prediction strategy to control false alarm rates and monitor performance degradation under drifting of the environment. Our findings highlight the possibilities and limitations of model evaluation and common pitfalls in anomaly detection in ICS. Our findings emphasise the importance of explainable, drift-aware evaluation for reliable deployment of learning-based security monitoring systems.