Abstract:
The article presents a method for detecting information security (IS) threat indicators at critical information infrastructure (CII) facilities using a digital twin (DT) with an adaptive mechanism. It addresses the limitations of traditional IS approaches under conditions of scarce real attack data, the difficulty of testing on operational CII facilities, and the difficulty of identifying targeted, evasive threats. A dual-loop method (a DT loop and a CII facility loop) integrated with a three-level adaptation mechanism (operational, tactical and strategic modes) is proposed. The method comprises the stages of synthetic data generation, model training and testing in the DT, and detection and classification at the facility, and it defines the adaptation trigger. Key advantages include the ability to safely generate threat scenarios and train models in the virtual DT environment, and automated maintenance of the threat detection models. Validation results on a synthetic model of an energy facility control system show a significant improvement in quality metrics after adaptation.
Keywords: information security threat detection, critical information infrastructure, digital twin, adaptive anomaly detection, synthetic data, Isolation Forest.
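The dual-loop pipeline the abstract describes, as an added worked example that is not the paper's code and does not reproduce the authors' model: a DT loop generates constructed telemetry and injected threat indicators and trains and tests an Isolation Forest on them, a facility loop scores live windows and tracks operator-reviewed alert quality, and an adaptation trigger fires when that quality degrades. The Isolation Forest is a small pure-Python reimplementation of the standard algorithm (no external packages). The three telemetry features (grid frequency, active load, control packets per second), the two indicator patterns, the false-positive-rate trigger of 0.2, and the reading of "operational mode" as threshold re-selection and "tactical mode" as retraining are all assumptions made for this example; the abstract does not define the modes or the trigger.

```python
# Added example (not the paper's code): dual-loop threat-indicator detection with a
# digital twin (DT) and an adaptation trigger, built on a pure-Python Isolation Forest.
# All telemetry is constructed; feature names, thresholds and mode names are assumptions.
import math
import random

EULER_GAMMA = 0.5772156649
FPR_TRIGGER = 0.2  # assumed adaptation trigger: share of confirmed-normal samples that alert

def c_factor(n):
    # Average path length of an unsuccessful BST search on n points (IF normaliser).
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n

def build_tree(points, depth, max_depth):
    # Random isolation tree: ('leaf', size) or ('node', feat, split, left, right).
    if depth >= max_depth or len(points) <= 1:
        return ("leaf", len(points))
    feat = random.randrange(len(points[0]))
    lo, hi = min(p[feat] for p in points), max(p[feat] for p in points)
    if lo == hi:
        return ("leaf", len(points))
    split = random.uniform(lo, hi)
    left, right = [p for p in points if p[feat] < split], [p for p in points if p[feat] >= split]
    return ("node", feat, split, build_tree(left, depth + 1, max_depth),
            build_tree(right, depth + 1, max_depth))

def path_length(tree, x, depth=0):
    if tree[0] == "leaf":
        return depth + c_factor(tree[1])
    _, feat, split, left, right = tree
    return path_length(left if x[feat] < split else right, x, depth + 1)

class IsolationForest:
    def __init__(self, n_trees=60, sample_size=128):
        self.n_trees, self.sample_size, self.trees = n_trees, sample_size, []

    def fit(self, data):
        self.sample_size = min(self.sample_size, len(data))
        max_depth = math.ceil(math.log2(self.sample_size))
        self.trees = [build_tree(random.sample(data, self.sample_size), 0, max_depth)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        # Anomaly score in (0, 1): near 1 means easily isolated, i.e. anomalous.
        avg = sum(path_length(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / c_factor(self.sample_size))

def synth_telemetry(n, load_mw=100.0, pps=20.0):
    # Constructed normal telemetry of a hypothetical substation controller:
    # (grid frequency Hz, active load MW, control packets per second).
    return [(random.gauss(50.0, 0.02), random.gauss(load_mw, 5.0), random.gauss(pps, 2.0))
            for _ in range(n)]

def synth_threat_indicators(n):
    # Constructed indicators injected in the DT: frequency excursion plus packet flood,
    # and a spoofed load setpoint jump with an unchanged frequency reading.
    return [(random.gauss(48.0, 0.3), random.gauss(100.0, 5.0), random.gauss(400.0, 30.0))
            if i % 2 == 0 else
            (random.gauss(50.0, 0.02), random.gauss(300.0, 10.0), random.gauss(20.0, 2.0))
            for i in range(n)]

def f1_score(pred, labels):
    tp = sum(1 for p, l in zip(pred, labels) if p and l)
    fp = sum(1 for p, l in zip(pred, labels) if p and not l)
    fn = sum(1 for p, l in zip(pred, labels) if l and not p)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def select_threshold(model, samples, labels):
    # Operational-mode step (assumed reading): middle of the F1-maximising threshold interval.
    scores = [model.score(x) for x in samples]
    grid = [(f1_score([s >= t for s in scores], labels), t) for t in (i / 100 for i in range(30, 95))]
    best = max(f for f, _ in grid)
    ties = [t for f, t in grid if f == best]
    return ties[len(ties) // 2], best

def false_positive_rate(model, threshold, samples, labels):
    # Facility-loop quality check: share of operator-confirmed normal samples that alerted.
    normals = [x for x, l in zip(samples, labels) if not l]
    return sum(1 for x in normals if model.score(x) >= threshold) / len(normals)

def run_pipeline(seed=7):
    random.seed(seed)
    # DT loop: synthetic normals plus injected indicators; train and test inside the twin.
    model = IsolationForest().fit(synth_telemetry(600) + synth_threat_indicators(30))
    dt_test, dt_labels = synth_telemetry(300) + synth_threat_indicators(30), [False] * 300 + [True] * 30
    threshold, dt_f1 = select_threshold(model, dt_test, dt_labels)
    # Facility loop: the plant moves to a regime the twin never modelled (400 MW, chattier
    # control traffic), so the DT-trained model starts alerting on confirmed-normal data.
    facility = synth_telemetry(300, load_mw=400.0, pps=60.0) + synth_threat_indicators(10)
    labels = [False] * 300 + [True] * 10
    fpr_before = false_positive_rate(model, threshold, facility, labels)
    triggered = fpr_before > FPR_TRIGGER
    if triggered:
        # Tactical-mode adaptation (assumed reading): retrain on confirmed facility normals
        # plus the twin's indicator scenarios, then re-select the threshold.
        confirmed = [x for x, l in zip(facility, labels) if not l]
        model = IsolationForest().fit(confirmed + synth_threat_indicators(30))
        threshold, _ = select_threshold(model, confirmed[:150] + synth_threat_indicators(15),
                                        [False] * 150 + [True] * 15)
    nxt = synth_telemetry(300, load_mw=400.0, pps=60.0) + synth_threat_indicators(10)
    fpr_after = false_positive_rate(model, threshold, nxt, labels)  # next facility window
    return {"dt_f1": dt_f1, "threshold": threshold, "fpr_before": fpr_before,
            "triggered": triggered, "fpr_after": fpr_after}
```

Calling `run_pipeline()` returns the DT-loop F1, the selected threshold, the facility false-positive rate before and after adaptation, and whether the trigger fired. The point the example makes is the one the abstract argues: a model that is only ever trained in the twin degrades silently once the real facility's operating regime moves away from what the twin modelled, and the trigger turns that degradation into a bounded retraining step instead of a flood of alerts the operators learn to ignore. In a deployment the labels used by `false_positive_rate` would come from analyst dispositions of the alerts, not from the generator.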