2026
Journal Article
Title
Efficient Cyberattack Detection in Logs of Cyber-Physical Production Systems
Abstract
Cyber-physical production systems are increasingly targeted by cyberattacks, making security monitoring essential. Log analysis is a crucial component of security monitoring, but it is often hampered by the large volume and unstructured nature of log data from diverse hardware and software components. This paper introduces CyberLog, a novel approach for the efficient detection of cyberattacks based on log data. CyberLog combines clustering and process mining techniques in a two-step process. First, it preprocesses and clusters log messages by extracting common patterns, or templates, using the Drain algorithm. These templates are then automatically annotated with security techniques based on the MITRE ATT&CK framework for industrial control systems. Second, the approach learns behavior models by calculating dependency scores between templates, which are then used to represent the system’s behavior as a behavior model. The effectiveness of CyberLog is demonstrated by learning and visualizing behavior models from three distinct programmable logic controllers in a realistic industrial control system testbed. The resulting models provide a clear representation of system behavior, establishing a foundation for subsequent security monitoring.
Open Access
Rights
CC BY-NC-ND 4.0: Creative Commons Attribution-NonCommercial-NoDerivatives
Language
English