A Simulation-Driven Cybersecurity Framework for Detecting Novel Multi-Stage Attacks in Cyber-Physical Smart Infrastructure
Nadera Aljawabrah, Nedal Y. Al-Tamimi, Ayoub Alsarhan, Mahmoud Aljamal, Bashar S. Khassawneh, Sami Aziz Alshammari, Nayef H. Alshammari, Khalid Hamad Alnafisah

Cyber-physical smart infrastructures integrate sensing devices, communication networks, control components, and service platforms, which makes them vulnerable to malicious activities that may evolve gradually through several attack stages. The objective of this study is to develop and evaluate a simulation-based cybersecurity framework capable of detecting a proposed novel multi-stage cyber attack and identifying its internal progression within a realistic smart infrastructure environment. To achieve this objective, a NetSim-based cyber-physical smart infrastructure was modeled to generate both normal operational traffic and staged malicious traffic. The generated traffic was captured, processed, labeled, and transformed into a stage-aware cybersecurity dataset. An artificial neural network (ANN) model was then trained and evaluated for two detection tasks: binary classification of normal versus attack traffic and multi-class classification of compromise, coordination, and execution attack stages. Twenty experimental configurations were designed to examine the model under progressively broader infrastructure contexts, including sensing, service, gateway, control, backbone, and full-span operational scenarios. The best binary testing performance was achieved in the eighteenth experimental configuration, representing a broad full-span infrastructure scenario, with 97.96% accuracy, 97.80% precision, 97.65% recall, 97.72% F1-score, and 1.06% false positive rate. For stage-aware multi-class detection, the ANN model achieved 96.97% accuracy, 96.36% macro-averaged precision, 96.20% macro-averaged recall, 96.28% macro-averaged F1-score, and 96.55% weighted F1-score. Macro-averaged metrics report the unweighted average performance across classes, while weighted F1-score accounts for class support. These results show that the proposed simulation-based framework can generate realistic attack-aware traffic data and support reliable ANN-based detection of both attack presence and attack-stage progression.
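
The difference between the macro-averaged and weighted F1-scores reported above, and the binary false positive rate, can be reproduced from a confusion matrix. The following is an added example, not code or data from the paper: the confusion-matrix counts are constructed for illustration and the function names are hypothetical.

```python
# Added example: stage-aware detection metrics from a confusion matrix.
# All counts are constructed for illustration; they are NOT the paper's data.
STAGES = ["compromise", "coordination", "execution"]

# Rows = true stage, columns = predicted stage (deliberately imbalanced support).
CONFUSION = [
    [90, 8, 2],   # compromise   (support 100)
    [5, 40, 5],   # coordination (support 50)
    [1, 3, 16],   # execution    (support 20)
]

def per_class_scores(cm):
    """Return precision, recall, F1 and support for each class."""
    n = len(cm)
    scores = []
    for k in range(n):
        tp = cm[k][k]
        fn = sum(cm[k]) - tp                        # true k, predicted other
        fp = sum(cm[r][k] for r in range(n)) - tp   # other, predicted k
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        denom = precision + recall
        f1 = 2 * precision * recall / denom if denom else 0.0
        scores.append({"precision": precision, "recall": recall,
                       "f1": f1, "support": tp + fn})
    return scores

def macro_f1(cm):
    """Unweighted mean of per-class F1: every stage counts equally."""
    scores = per_class_scores(cm)
    return sum(s["f1"] for s in scores) / len(scores)

def weighted_f1(cm):
    """Per-class F1 weighted by class support (number of true samples)."""
    scores = per_class_scores(cm)
    total = sum(s["support"] for s in scores)
    return sum(s["f1"] * s["support"] for s in scores) / total

def false_positive_rate(tn, fp):
    """Binary task: share of normal traffic flagged as attack."""
    return fp / (fp + tn) if fp + tn else 0.0

if __name__ == "__main__":
    for stage, s in zip(STAGES, per_class_scores(CONFUSION)):
        print(f"{stage:13s} F1={s['f1']:.4f} support={s['support']}")
    print(f"macro F1    = {macro_f1(CONFUSION):.4f}")
    print(f"weighted F1 = {weighted_f1(CONFUSION):.4f}")
    print(f"binary FPR  = {false_positive_rate(tn=940, fp=10):.4f}")
```

When the rarer stages are detected less accurately than the most common one, as in this constructed matrix, the weighted F1 comes out above the macro F1, so the macro figure is the one that exposes weak detection of an under-represented stage.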