
Automated Attack Graph Construction for Industrial Control Systems Based on Zeek and SAGE

Tzu-Ting Lin,
Peter Shaojui Wang

Abstract


This study tackles three key cybersecurity challenges in Industrial Control Systems (ICS): fragmented event data, the difficulty of reconstructing cross-domain attack chains, and the poor explainability and lack of standardization of existing attack graphs. To address these issues, we propose an automated attack graph construction system that combines Zeek for ICS traffic analysis with SAGE for behavior modeling via an unsupervised S-PDFA algorithm. The system transforms Zeek logs into semantic event sequences, builds behavior models from them, and generates visual, standardized graphs aligned with the MITRE ATT&CK for ICS framework. We implement a four-stage event abstraction pipeline for structured, protocol-aware transformation, and adopt a goal-oriented attack graph strategy to better detect multi-stage, low-frequency threats. Experiments on a custom Modbus dataset and a public SCADA HMI dataset confirm the system's effectiveness: it analyzes seven attack types in under 6 minutes, achieves a 764:1 compression ratio from raw packets to graph events, and processes over 1.17 million packets. The resulting graphs demonstrate strong explainability and cover 15 attack categories and 83 ATT&CK techniques.
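The pipeline sketched in the abstract (Zeek log records, event abstraction, per-flow sequences, a goal-oriented graph of the steps that precede an attacker objective) can be illustrated with a small self-contained script. The code below is an added example written for this page; it is not the authors' code and does not implement SAGE or S-PDFA. The Zeek modbus.log excerpt is constructed, the four abstraction stages (field extraction, function-code class, outcome, token) are an assumed simplification of the paper's pipeline, the "goal" is assumed to be a successful Modbus write, and the ATT&CK for ICS technique labels attached to two tokens are an illustrative mapping chosen here, not one taken from the paper.

```python
"""Added example (not the paper's code): abstract a constructed Zeek modbus.log
into per-flow event sequences, collapse repeated events, and build a
goal-oriented transition graph ending at an assumed attacker objective.
Runs offline on the embedded log excerpt."""
from collections import Counter, defaultdict

# Constructed Zeek modbus.log excerpt in Zeek's TSV format (#fields header).
# Host 10.0.0.5 is a polling HMI; 10.0.0.99 probes two PLCs and then writes.
ZEEK_MODBUS_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfunc\texception
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1700000000.10\tCa1\t10.0.0.5\t40001\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000001.10\tCa1\t10.0.0.5\t40001\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000001.50\tCb2\t10.0.0.99\t51000\t10.0.0.20\t502\tREAD_COILS\tILLEGAL_FUNCTION
1700000001.60\tCb3\t10.0.0.99\t51001\t10.0.0.21\t502\tREAD_COILS\tILLEGAL_FUNCTION
1700000002.10\tCa1\t10.0.0.5\t40001\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000002.50\tCb2\t10.0.0.99\t51000\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000002.60\tCb3\t10.0.0.99\t51001\t10.0.0.21\t502\tREAD_HOLDING_REGISTERS\t-
1700000003.10\tCa1\t10.0.0.5\t40001\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
1700000003.50\tCb2\t10.0.0.99\t51000\t10.0.0.20\t502\tWRITE_SINGLE_REGISTER\t-
1700000004.10\tCa1\t10.0.0.5\t40001\t10.0.0.20\t502\tREAD_HOLDING_REGISTERS\t-
"""

READ_FUNCS = {"READ_COILS", "READ_DISCRETE_INPUTS",
              "READ_HOLDING_REGISTERS", "READ_INPUT_REGISTERS"}
WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
               "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS"}

# Illustrative mapping chosen for this example (assumption, not the paper's).
TECHNIQUE_LABELS = {
    "READ:ERR": "T0846 Remote System Discovery",
    "WRITE:OK": "T0855 Unauthorized Command Message",
}


def parse_zeek_tsv(text):
    """Parse Zeek's TSV log using the #fields header; other # lines are skipped."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#"):
            continue
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                raise ValueError("malformed log line: %r" % line)
            records.append(dict(zip(fields, values)))
    return records


def abstract_event(rec):
    """Four assumed stages: raw fields -> function class -> outcome -> token."""
    func = rec["func"]
    cls = "READ" if func in READ_FUNCS else "WRITE" if func in WRITE_FUNCS else "OTHER"
    outcome = "OK" if rec["exception"] in ("-", "") else "ERR"
    return "%s:%s" % (cls, outcome)


def build_sequences(records):
    """Group abstracted events into time-ordered sequences per (origin, responder)."""
    flows = defaultdict(list)
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        flows[(rec["id.orig_h"], rec["id.resp_h"])].append(abstract_event(rec))
    return dict(flows)


def collapse(seq):
    """Merge consecutive identical tokens (a polling HMI becomes one event)."""
    out = []
    for tok in seq:
        if not out or out[-1] != tok:
            out.append(tok)
    return out


def compression_ratio(flows):
    """Raw events divided by collapsed events across all flows."""
    raw = sum(len(s) for s in flows.values())
    collapsed = sum(len(collapse(s)) for s in flows.values())
    return raw / collapsed


def goal_graph(flows, is_goal):
    """Goal-oriented graph: edges only from sequences that reach a goal token,
    truncated at the first goal, so benign polling never enters the graph."""
    edges = Counter()
    for seq in flows.values():
        seq = collapse(seq)
        goal_idx = next((i for i, t in enumerate(seq) if is_goal(t)), None)
        if goal_idx is None:
            continue
        path = ["START"] + seq[:goal_idx + 1]
        for a, b in zip(path, path[1:]):
            edges[(a, b)] += 1
    return edges


def to_dot(edges):
    """Render the edge counter as Graphviz DOT with technique labels on nodes."""
    lines = ["digraph attack {"]
    for node in sorted({n for e in edges for n in e}):
        lines.append('  "%s" [label="%s"];' % (node, TECHNIQUE_LABELS.get(node, node)))
    for (a, b), n in sorted(edges.items()):
        lines.append('  "%s" -> "%s" [label="%d"];' % (a, b, n))
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    flows = build_sequences(parse_zeek_tsv(ZEEK_MODBUS_LOG))
    print("compression ratio: %.2f" % compression_ratio(flows))
    print(to_dot(goal_graph(flows, lambda t: t == "WRITE:OK")))
```

With the constructed log, the HMI's five identical polls collapse to a single event and never reach the goal graph, while the probing host's sequence READ:ERR, READ:OK, WRITE:OK appears as a three-step path; this is the sense in which a goal-oriented graph surfaces a low-frequency chain that a frequency-based summary of the same log would bury.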

Citation Format:
Tzu-Ting Lin, Peter Shaojui Wang, "Automated Attack Graph Construction for Industrial Control Systems Based on Zeek and SAGE," Communications of the CCISA, vol. 31, no. 4, pp. 23-33, Nov. 2025.






Published by Chinese Cryptology and Information Security Association (CCISA), Taiwan, R.O.C
CCCISA Editorial Office
E-mail: ccisa.editor@gmail.com