Explainable Attack Path Reasoning for Industrial Control Network Security Based on Knowledge Graphs
DOI: https://doi.org/10.63575/CIA.2024.20111
Keywords: Industrial Control Systems, Knowledge Graph, Attack Path Reasoning, Explainable AI, SCADA Security
Abstract
Industrial control systems face escalating cyber threats that exploit protocol-specific vulnerabilities. This paper develops an explainable attack path reasoning framework that integrates knowledge graph construction with large language model-assisted semantic analysis. The methodology constructs a domain-specific ontology capturing ICS assets, vulnerabilities, and attack techniques aligned with MITRE ATT&CK for ICS. A graph-based inference engine performs multi-hop reasoning to identify attack chains while generating human-interpretable explanations that satisfy regulatory requirements. The LLM-assisted log analysis component extracts semantic patterns from heterogeneous industrial protocols including Modbus, DNP3, and IEC 60870-5-104. Experimental evaluation on public ICS datasets demonstrates 94.7% attack path identification accuracy and an 89.3% explainability satisfaction score. The framework achieves a 12.8% improvement in adversarial robustness over baseline graph neural network approaches while maintaining real-time inference capability.
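The multi-hop reasoning the abstract describes can be made concrete with a small worked example. The Python below is an added example written for this page, not code from the paper: it stores an ICS knowledge graph as (subject, predicate, object) triples, performs the one-step inference "attacker controls X, X reaches Y, Y has vulnerability V, V enables technique T", enumerates loop-free attack chains from an entry asset to a target PLC, and renders each chain as numbered sentences that cite the exact triples supporting every hop (the explainability requirement). The plant topology, asset names, vulnerability labels and the vulnerability-to-technique mapping are constructed assumptions; the technique strings are ATT&CK for ICS technique names, but the mapping of the made-up weaknesses onto them is illustrative only.

```python
"""Multi-hop attack path reasoning over a small ICS knowledge graph.
Added example, not code from the paper; all asset, vulnerability and
mapping data below is constructed for illustration."""
from collections import defaultdict
from typing import NamedTuple


class Triple(NamedTuple):
    subject: str
    predicate: str
    obj: str


class Hop(NamedTuple):
    source: str         # asset the attacker already controls
    target: str         # asset gained in this hop
    vulnerability: str  # weakness on the target that is exploited
    technique: str      # ATT&CK for ICS technique name the hop maps to
    evidence: tuple     # triples that justify this hop


class KnowledgeGraph:
    """Triple store with a (subject, predicate) -> objects index."""

    def __init__(self, triples):
        self.triples = [Triple(*t) for t in triples]
        self._index = defaultdict(set)
        for t in self.triples:
            self._index[(t.subject, t.predicate)].add(t.obj)

    def objects(self, subject, predicate):
        return self._index.get((subject, predicate), set())

    def hops_from(self, source):
        """One inference step: source reaches target, target has a
        vulnerability, and that vulnerability enables a technique."""
        for target in sorted(self.objects(source, "reaches")):
            for vuln in sorted(self.objects(target, "has_vulnerability")):
                for tech in sorted(self.objects(vuln, "enables")):
                    evidence = (Triple(source, "reaches", target),
                                Triple(target, "has_vulnerability", vuln),
                                Triple(vuln, "enables", tech))
                    yield Hop(source, target, vuln, tech, evidence)

    def attack_paths(self, entry, goal, max_hops=4):
        """Enumerate loop-free attack chains from entry to goal, shortest first."""
        paths = []

        def dfs(current, visited, path):
            if current == goal:
                paths.append(tuple(path))
                return
            if len(path) >= max_hops:
                return
            for hop in self.hops_from(current):
                if hop.target in visited:  # no revisiting an owned asset
                    continue
                path.append(hop)
                dfs(hop.target, visited | {hop.target}, path)
                path.pop()

        dfs(entry, {entry}, [])
        return sorted(paths, key=len)


def explain(kg, path):
    """Render one attack chain as numbered, evidence-backed sentences."""
    lines = []
    for i, hop in enumerate(path, 1):
        protocols = ", ".join(sorted(kg.objects(hop.target, "exposes"))) or "an unspecified protocol"
        evidence = "; ".join(f"({t.subject}, {t.predicate}, {t.obj})" for t in hop.evidence)
        lines.append(f"Hop {i}: {hop.source} reaches {hop.target} over {protocols}; "
                     f"{hop.target} has '{hop.vulnerability}', enabling the ATT&CK for ICS "
                     f"technique '{hop.technique}'. Evidence: {evidence}")
    return "\n".join(lines)


# Constructed sample graph for a hypothetical plant (not from the paper).
SAMPLE_TRIPLES = [
    ("corp_workstation", "reaches", "eng_workstation"),
    ("corp_workstation", "reaches", "historian"),  # reachable, but no known weakness
    ("eng_workstation", "reaches", "hmi_server"),
    ("eng_workstation", "reaches", "plc_01"),
    ("hmi_server", "reaches", "plc_01"),
    ("eng_workstation", "has_vulnerability", "default_vnc_credentials"),
    ("hmi_server", "has_vulnerability", "unpatched_remote_service"),
    ("plc_01", "has_vulnerability", "unauthenticated_modbus_write"),
    ("default_vnc_credentials", "enables", "Default Credentials"),
    ("unpatched_remote_service", "enables", "Exploitation of Remote Services"),
    ("unauthenticated_modbus_write", "enables", "Unauthorized Command Message"),
    ("eng_workstation", "exposes", "VNC"),
    ("hmi_server", "exposes", "RDP"),
    ("plc_01", "exposes", "Modbus/TCP"),
]


def find_paths_to_plc():
    """Return the graph and all chains from the corporate workstation to plc_01."""
    kg = KnowledgeGraph(SAMPLE_TRIPLES)
    return kg, kg.attack_paths("corp_workstation", "plc_01")


if __name__ == "__main__":
    kg, paths = find_paths_to_plc()
    for n, path in enumerate(paths, 1):
        print(f"Attack path {n} ({len(path)} hops):")
        print(explain(kg, path))
```

Running it yields two chains to plc_01: a two-hop chain through the engineering workstation and a three-hop chain that pivots through the HMI server, each hop printed with the triples that justify it. The historian is reachable but has no recorded vulnerability, so no chain passes through it; that pruning is what keeps the explanation honest, since every hop must be backed by an asserted weakness rather than by connectivity alone.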
