
Edge-Deployable ML Agent for Real-Time Tactic and Technique Attribution in Microgrid Security

Authors: Suresh Mogilicharla · Manoj Tripathy · Mital Kanabar
Journal: IEEE Transactions on Industry Applications
Publication date: October 2025
Volume/Issue: Vol. 62, No. 2
Technology category: Intelligence and AI Applications
Technology tags: Microgrid, Machine Learning, Fault Diagnosis, Edge Computing
Relevance score: ★★★★ 4.0 / 5.0

Chinese Abstract

To counter the advanced persistent threats (APTs) facing microgrids, this paper proposes a lightweight XGBoost-based ML agent that parses IDS alerts in real time and attributes attack tactics and techniques according to the MITRE ATT&CK framework. The agent accepts input in IDMEF format, achieves 15 ms low-latency inference on a Raspberry Pi with very low CPU and memory usage, and improves local situational awareness through Grafana visualization.

English Abstract

The proliferation of microgrids increases exposure to advanced persistent threats (APTs) that evolve through structured adversarial stages defined by tactics and techniques. While the MITRE ATT&CK for ICS framework offers a comprehensive threat taxonomy, its integration into edge-level Intrusion Detection Systems (IDSs) remains limited. Existing IDSs mainly perform binary classification (benign vs. malicious) and depend heavily on centralized Security Operations Centers (SOCs) for contextual analysis and response. This work proposes a machine learning-based agent for real-time attribution of adversarial tactics and techniques, leveraging the MITRE ATT&CK framework. Designed as an add-on to existing IDSs, the agent ingests alerts in the standardized Intrusion Detection Message Exchange Format (IDMEF). Its effectiveness is validated through integration with a realistic microgrid environment, supported by real-time experimental data and edge deployment on a Raspberry Pi. A comparative study of classifiers (SVM, Random Forest, Decision Tree, Naïve Bayes, and XGBoost) has been conducted, with feature selection optimized using Binary Particle Swarm Optimization (BPSO). XGBoost achieved the highest classification accuracy of 98% with an inference latency of 15 ms, and minimal CPU (16.2%) and memory (1.7%) utilization, demonstrating its suitability for resource-constrained edge devices. The results are visualized in Grafana, enabling proactive, tactic-aware defense and improving local situational awareness while reducing dependency on cloud-based SOCs.

SunView In-Depth Analysis

This research has direct value for the intelligent security operations of Sungrow (阳光电源) PowerTitan, ST-series PCS and the iSolarCloud platform: a lightweight attack-attribution module can be embedded at the edge of energy storage converters to strengthen tactic-level recognition of anomalous behaviour in microgrids. It is recommended to integrate the XGBoost model into iSolarCloud edge nodes or PCS firmware to support autonomous threat response of PV-storage systems in off-grid and weak-grid scenarios, reduce dependence on cloud SOCs, and improve the cybersecurity resilience of commercial, industrial and residential PV-storage systems.