AutoMAEC: an automated framework for semantic-aware malware characterization in power grid industrial control systems
摘要
Effective cyber threat intelligence (CTI) sharing is hindered by the semantic gap between raw, heterogeneous malware artifacts and standardized behavioral representations. The cybersecurity of power grid Industrial Control Systems (ICS) is of paramount importance, as cyber incidents in electrical infrastructure can cascade into widespread blackouts, equipment damage, and service disruption to millions of end users. In this paper, we propose AutoMAEC, a unified framework designed to bridge this gap in power grid ICS environments. Unlike traditional pipelines relying on fragmented tools and manual interpretation, AutoMAEC proposes a semantic mapping method that transforms unstructured and semi-structured sandbox traces into MAEC 5.0 causal graphs. AutoMAEC uses high-interaction honeypots—deployed at the network perimeter of operational power systems—for in-wild acquisition, custom sandboxing for reproducible behavior replay and rule-driven semantic abstraction. Experimental results demonstrate that AutoMAEC achieves a semantic fidelity of 97.8% and a single-worker sequential processing throughput of 28.6 samples/hour, effectively converting raw threats into shareable, machine-readable intelligence models suitable for automated defense in critical power infrastructure.