Network Security Prediction of Industrial Control Based on Projection Equalization Optimization Algorithm

This paper predicts the network security posture of an ICS, focusing on the reliability of Industrial Control Systems (ICSs). Evidence reasoning (ER) and belief rule base (BRB) techniques are employed to establish an ICS network security posture prediction model, ensuring the secure operation and prediction of the ICS. This model first integrates various information from the ICS to determine its network security posture value. Subsequently, through ER iteration, information fusion occurs and serves as an input for the BRB prediction model, which necessitates initial parameter setting by relevant experts. External factors may influence the experts’ predictions; therefore, this paper proposes the Projection Equalization Optimization (P-EO) algorithm. This optimization algorithm updates the initial parameters to enhance the prediction of the ICS network security posture through the model. Finally, industrial datasets are used as experimental data to improve the credibility of the prediction experiments and validate the model’s predictive performance in the ICS. Compared with other methods, this paper’s prediction model demonstrates a superior prediction accuracy. By further comparing with other algorithms, this paper has a certain advantage when using less historical data to make predictions.


Introduction
Industrial Control Systems (ICSs) are integrated and critical control systems consisting of both hardware and software components interconnected via networks to support the operation and security of critical infrastructure. Their applications are diverse, with the majority being utilized in facilities such as power plants, sewage treatment plants, and other critical infrastructure factories [1]. Technological advancements and the expansion of factories have led to many ICSs needing to interact with external networks. However, due to inadequate security defenses in some ICSs, they are susceptible to novel cyberattacks during network interactions, which can disrupt the normal operation of companies [2]. Therefore, it is crucial to prioritize security predictions for ICSs.
The prediction of an Industrial Control System's (ICS) network security posture is an effective means of preventing network security incidents [3]. The predicted results can prevent network attacks and provide a basis for administrators to take necessary measures in advance. However, ICSs feature characteristics such as diversity, heterogeneity, and high security, necessitating the fulfillment of high robustness and security requirements [4]. Moreover, the complex and changeable production environment of ICSs, interference-prone data extraction, and the large data volume present challenges in data acquisition [5,6]. Inherent uncertainty in the data obtained from ICSs, which includes both probabilistic and fuzzy uncertainties, complicates the establishment of predictive models for ICS network security [7]. Therefore, establishing predictive models requires a comprehensive analysis of additional information to efficiently forecast the network security posture of ICSs. Additionally, understanding popular forecasting methods in related fields is also essential.
Sensors 2024, 24, 4716
In recent years, there has been a growing number of various network attack incidents, resulting in significant economic losses and disruptions to daily life. This has led many experts to increasingly emphasize the direction of security prediction. Nowadays, numerous different security prediction methods have been proposed. Yin et al. proposed a situational prediction model combining a Time Series Convolutional Network (TCN) with a Transformer [8]. Similarly, Xu et al. introduced an intelligent prediction algorithm to address real-time security performance issues and improve Convolutional Neural Network (CNN) models [9]. Sepasgozar et al. utilized federated learning and Long Short-Term Memory (LSTM) algorithms for network traffic prediction [10]. Li et al. employed a convolutional neural network approach for privacy protection prediction [11]. Qi et al. focused on privacy-aware data in urban industrial environments, combining local sensitive hash techniques for data fusion and prediction [12]. Liu et al. addressed short-term wind power prediction using discrete wavelet transformation and LSTM technology [13]. Riihijarvi et al. applied machine learning techniques to wireless network performance prediction problems [14]. Wen et al. proposed a semi-supervised prediction model for solving prediction function problems [15].
Based on the prediction methods and information used in the modeling above, security prediction can be classified into three methods.
(1) Qualitative knowledge-based methods: These methods rely on experts' practical experience and various factors to determine the weights of model factors and appropriate algorithms for prediction. Examples of studies using them include that by Ma et al., who proposed an effective online prediction algorithm for Petri net marking prediction [16]. Tehseen et al. proposed an algorithm for earthquake prediction using expert systems [17]. Xi et al. used the analytic hierarchy process to establish evaluation indicators for solid mineral exploration and target areas [18]. However, solely relying on qualitative knowledge-based methods may not be sufficient to establish accurate prediction models due to the complexity of ICS network structures and the suddenness of virus attacks. Moreover, this method is primarily based on expert experience, which is subjective and may lead to significant errors if expert experience is inadequate. Additionally, various types of uncertain information cannot be effectively utilized.
(2) Quantitative data-based prediction methods: These methods involve the use of artificial intelligence to establish relevant mathematical models, which are then trained using a large amount of related data. Examples of studies using them include that by Ge et al., who utilized a high-dimensional Bayesian regression framework and multi-gene risk scores to address the multi-gene prediction problem [19]. Wang et al. employed traditional linear regression, Factsage calculations, and backpropagation (BP) neural networks to predict the deformation temperature of coal ash [20]. Jin et al. designed a plane flow variational auto-encoder prediction model (PFVAE) using time series methods [21]. Liu et al. proposed an end-to-end deep learning architecture for predicting subway entrance and exit passenger flow [22]. Chen et al. tackled the prediction accuracy issue in network situational awareness by proposing a generalized radial basis function [23]. Speiser et al. were able to assess different variable selection techniques in random forest classification settings [24]. This method operates as a black box, and its operational mechanism cannot provide reasonable explanations. Therefore, it is challenging to apply this method in complex ICS network security situation prediction. Furthermore, obtaining good model parameters is difficult for small-scale samples using quantitative data-based prediction methods, leading to a reduced prediction accuracy.
(3) Semi-quantitative information-based prediction methods: These methods integrate qualitative knowledge and quantitative data. They use qualitative knowledge to determine the parameters of the prediction model and train the prediction model using a large amount of quantitative data for prediction. Some examples of studies using them include that by Dong et al., who applied the extended Markov model to evaluate and predict the status of spiral motors [25]. Cao et al. proposed several improved fuzzy rough neural network models and validated their advantages through experiments on complex stock time series prediction tasks [26]. Zhang et al. used Bayesian and automated machine learning methods to tackle the performance prediction problem of tunnel boring machines [27]. These methods combine qualitative knowledge and quantitative data, using expert experiences to establish preliminary models, ensuring the accurate prediction of complex ICS network security posture situations with fewer data samples. However, existing semi-quantitative information-based methods can only handle single types of uncertain information, and expert knowledge may also be affected by external and internal factors, thereby influencing the prediction results.
From the above methods, it can be seen that the first two approaches consider only single knowledge or data sources. The third approach, while combining and improving upon the first two methods, can handle only single types of data and overlooks the uncertainty of expert knowledge. Several scholars have proposed solutions as well. For example, Wang et al. proposed the ER algorithm [28] and the BRB method [29], introducing a novel logical data processing approach. Yang et al. introduced a new model integrating the extended belief rule-based system (EBRBS) and evidence reasoning rules for environmental investment prediction [30]. Cheng et al. applied the BRB to fault detection in flywheel systems, proposing a Fault Diagnosis Model (FFBRB) based on fuzzy fault tree analysis theory [31]. Li et al. studied complex systems and embedded expert knowledge into transformation matrices based on rule change techniques, proposing a health assessment model based on ER rules [32]. Zhang et al. addressed the problem of setting parameters rationally due to the increase in antecedent attributes, proposing a method to automatically generate large-scale BRB initial parameters using partial standard rules and cloud models [33]. He et al. applied ER and the BRB to the field of wireless sensor network fault prediction, proposing a wireless sensor fault prediction method [34]. Han et al. proposed a model parameter optimization method using interval optimization strategies to predict lithium battery capacity, also employing the Whale Optimization Algorithm (WOA) [35]. Hu et al. introduced a new network security situation prediction model using Hidden BRB models and the Covariance Matrix Adaptation Evolution Strategy (CMA-ES) algorithm [36].
Through the analysis above, this study applies ER and the BRB to construct a predictive model. When predicting the security situation of heterogeneous networks in ICSs, it is essential to consider the actual situation. Due to the complexity of industrial environments, heterogeneous networks are even more intricate. Therefore, it is intended to select the best parameters of the prediction model through the EO algorithm [37]. Due to the characteristics of industrial control heterogeneous networks, a projection operation is added to the EO algorithm. Then, the P-EO algorithm is used to mitigate its impact and enhance the prediction accuracy. Since semi-quantitative information is also crucial, it requires careful processing. However, when dealing with excessive data, it may lead to the challenge of BRB combination explosion. To tackle this issue, this study employs the ER iteration algorithm to integrate semi-quantitative information. The BRB model offers a visually intuitive reasoning process and a rigorous structure. It effectively addresses the challenge of poor modeling effectiveness in industrial control heterogeneous networks, attributed to their large scale and data deficiencies [38]. This enables managers to obtain more reliable prediction results and accurate information, thereby reducing company losses and avoiding risks. Consequently, it enhances the risk resistance and emergency response capabilities of industrial control heterogeneous network systems.
The structure of this paper is as follows: The second section describes the problem of predicting the security posture of ICS networks and provides an overview of the process. The third section introduces the construction of the ICS network security situational prediction model, providing further details on its development process. The fourth section involves testing the predictive model using specific case data and comparing this with other methods to evaluate its practicality. Finally, the fifth section summarizes the findings and presents the outlook for this research field.

Problem Description
This section will be divided into three parts to introduce the prediction of ICS network security:
(1) Given the complexity of ICSs, conducting network security posture assessment is essential. Evaluation indicators are derived from impact analysis, and subsequently, an evaluation framework is established based on their significance. The multitude and diversity of evaluation indicators make data fusion challenging, hence the adoption of the ER iteration algorithm to mitigate this issue.
(2) A network security posture prediction model is established based on the BRB, where the network security posture values of adjacent time periods are used as inputs to predict the network security posture of the next time period.
(3) Expert knowledge in setting initial parameters may lead to significant errors in the prediction model. Therefore, the P-EO algorithm is adopted to update the initial parameters of the BRB model to address this issue.

Parameter Table
All parameter descriptions are summarized in Table 1.

D n
The assessment grade is n
The jth evaluation indicator is the basic probability quality
The basic probability quality that is not assigned to the evaluation scale in the jth evaluation indicator
With the exception of the jth evaluation indicator, the basic probability quality that is not assigned to the evaluation scale
The incompleteness of the jth assessment indicator
After the fusion of the two evaluation indicators, the basic probability quality of the evaluation grade is n
The joint probability quality assigned to the identification framework after the combination of evaluation indicators r1 and r2
The two evaluation indicators are combined and assigned to the joint probability quality of the identification framework
The confidence level after the fusion of evaluation indicators r1 and r2

Industrial Control Network
The industrial control network exhibits heterogeneity and can be classified based on deterministic latency. Communication in heterogeneous networks can be categorized into integrated and interconnected modes. The integrated mode is suitable for scenarios with weak latency requirements, while the interconnected mode is suitable for scenarios with stronger latency requirements. A structural diagram is constructed based on the characteristics of heterogeneous networks and the IEC 62264-1 standard [39], illustrating the specific architecture of ICSs, as depicted in Figure 1.
By observing the structure of ICSs, it can be divided into five layers from bottom to top according to different functions:
(1) Field device layer: this layer includes various types of sensing devices and actuator units used for perceiving and operating the production process.
(2) Field control layer: this layer includes various types of controller units used for controlling the actuator devices.
(3) Process monitoring layer: this layer includes monitoring servers used for managing the production process.
(4) Production management layer: this layer includes PLMS and management servers used for managing the production process.
(5) Enterprise management layer: this layer includes functional units such as web servers, which provide decision-making capabilities for employees at the enterprise decision-making level.
To better facilitate prediction and data integration, this paper divides ICSs into information networks and control networks. Regarding the information network component, which encompasses the enterprise management layer, it possesses the capability to quickly integrate and process data from lower layers and requires extensive interaction with external networks for data processing. As for the control network component, this encompasses the production management layer, process monitoring layer, field control layer, and field device layer. Situated at the lowest layer, it is more vulnerable to attacks. Continuously acquiring information is essential for promptly informing administrators and enabling them to take emergency measures in case of an attack.
Due to the structural characteristics of ICSs, they are susceptible to various network attacks. Many ICSs are not directly connected to external networks; thus, enabling network access poses a risk of system vulnerability to network viruses, potentially causing damage to the company. Generally, ICSs establish complete architectures and protocols during their manufacture. However, over time, these architectures and protocols may become vulnerable to new attack methods, revealing vulnerabilities and flaws.

Fusion of Evaluation Indicators
After dividing the ICS structure, it is necessary to analyze how to integrate its evaluation indicators. To address the network security posture of ICSs and integrate evaluation indicators more effectively, this paper categorizes the evaluation indicators into four levels to manage the relevant data and establish an ICS assessment model. Initially, data from the fourth-level framework undergo fusion using ER, combining the attack frequency and attack severity of the evaluation indicators to derive results for the third-level evaluation indicators. Secondly, ER fuses the results of the third-level evaluation index to obtain the second-level evaluation index results. Subsequently, ER further integrates the results of the second-level evaluation indicators, ultimately yielding the network security situation assessment results. The model is formulated as Equation (1).
$a_i$ represents the frequency of various attacks in the i-th evaluation indicator and $q_i$ represents the severity of the corresponding attack in the i-th evaluation indicator. $A_i$ represents the fused result of the i-th third-level evaluation indicator. $B_z$ represents the second-level evaluation indicators obtained through the fusion of the third-level evaluation results. C represents the first-level evaluation indicators, derived by integrating the second-level evaluation results. This serves as the comprehensive fused assessment result of the ICS network security posture. ER() denotes the process of merging the evaluation indicator data based on ER iteration.

Network Security Posture Prediction and Model Optimization
Once the evaluation indicators are fused, the network security posture assessment result is obtained. When this is achieved along with the construction of the initial parameters, it is appropriate to build the predictive model using the BRB. The construction of the model is formulated as Equation (2).
Here, y represents the model's prediction result. BRB() denotes the nonlinear process of deriving the prediction result using BRB technology. O(k − 1) denotes the network security posture value at time k − 1, while O(k) denotes the network security posture value at time k, and ∂ represents the parameter set of the BRB, which is determined by experts.
During prediction, the construction of expert parameters may not always be reliable. Factors such as the actual network situation and network equipment can influence expert knowledge. To mitigate this influence, this paper proposes the P-EO algorithm for parameter optimization. Through this algorithm, model parameters are optimized to enhance the prediction accuracy and achieve satisfactory prediction results.

Prediction Process
This article divides the network security posture prediction process into three steps, as illustrated in Figure 2:
Step 1: Based on factors such as the structure of the ICS, select representative evaluation indicators, and establish the actual network security posture assessment framework.
Step 2: Utilize the evaluation framework established for the ICS, apply ER fusion to integrate data from various layers, and derive their network security posture values.
Step 3: Develop a predictive model using the BRB and optimize parameters using the P-EO algorithm to minimize prediction errors.

[Figure 2. Prediction process. Step 1: evaluation indicators and their weights (level 4 evaluation framework), evaluation levels and their reference values, ER iterative algorithm; Step 2: network security situation value; then BRB with ER analysis, giving the forecast results.]

Establishment of Evaluation Framework
When conducting the model predictions in this paper, the first step is to establish an evaluation framework. This paper considers the structure, security aspects, and types of attacks in the ICS, selecting representative indicators as evaluation metrics. The resulting four-level evaluation framework is detailed in Table 2.
Establishing the evaluation framework enables the better analysis and organization of data. According to Table 2, it can be observed that both the information network and the control network are categorized as first-level indicators. Considering that different devices may face various threats of network attacks, the information network is prone to attacks due to frequent information transmission, exchange, and sharing. Therefore, the second-level indicators of the information network are different types of network attacks. The control network includes various information and network devices, such as sensors and switches, which are crucial for system operation. The second-level indicators of the control network are significant devices, as network attacks may target these devices. Therefore, the third-level indicators of the control network are the types of network attacks corresponding to its devices. Finally, the attack frequency and severity are used as the ultimate evaluation metrics. The attack frequency is determined by the number of attacks of each type within a unit time period. The severity of attacks is determined based on standards set by relevant experts.
Following the establishment of the evaluation framework, the model proceeds to determine the weights of the evaluation indicators. Based on the importance of each layer of evaluation indicators, weights (ω) are assigned to the evaluation indicators (r). In ICSs, the impact of an evaluation indicator on the assessment result increases with its data variability; thus, indicators with larger data variations are assigned higher weights. The coefficient of variation method is employed to effectively determine these weights. The specific process is outlined as follows:
Step 1: Initial Matrix
Generate the initial matrix Y using evaluation data.
where $y_{ij}$ represents the jth evaluation value in the ith sample, m represents the maximum number of samples contained, and n represents the maximum number of evaluation indicators.
Step 2: Standardization
Each indicator may have different magnitudes, so it is necessary to scale them to the same range.
Step 3: Mean Calculation
Calculate the mean $A_j$ for each assessment indicator.
Step 4: Standard Deviation Calculation
Calculate the standard deviation $S_j$ for each assessment indicator.
Step 5: Coefficient of Variation Calculation
Calculate the coefficient of variation for each assessment indicator.
$V_j = \frac{S_j}{A_j}$ (7)
Step 6: Weight Calculation
Calculate the weight $\omega_j$ for each assessment indicator.

Network Security Posture Assessment Based on ER
After establishing the evaluation indicators, the next step involves utilizing the indicator data to assess the network security posture. Each data point holds unique significance and contributes to the final evaluation result. This paper employs ER iteration to progressively integrate relevant indicator data, thereby obtaining the fused result. The process unfolds as follows:
Step 1: Initialization
Assume a set of basic attributes $r_1, r_2, \ldots, r_j, \ldots, r_N$ constitutes the evaluation system, with corresponding weights $\omega_1, \omega_2, \ldots, \omega_j, \ldots, \omega_N$, and $0 \le \omega_i \le 1$. The evaluation level is denoted as P, with N levels. The description of the evaluation indicators for each level is as follows:
Step 2: Basic Probability Mass
The corresponding basic probability mass is calculated using the confidence level $\alpha_{i,j}$, as follows:
$U_{n,j} = \omega_j \alpha_{n,j}$
Step 3: ER Iterative
(a) Combinatorial fundamental probability quality
The combined probability mass is obtained through the basic probability masses. The formula is as follows:
(b) Combining Confidence
The formula for combining confidence levels is as follows:
(c) Final Confidence
The synthesized basic probability masses are combined with the subsequent evidence in a loop, alternating between steps (a) and (b), ultimately calculating the final result. The formula is as follows:
The expected utility of the evaluation, assuming the utility of evaluation level $P_n$ is $u(P_n)$, is as follows:
The fusion result will be constrained between 0 and 1, where smaller values indicate a safer state.
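The weighting steps and the ER iteration described above, worked through in Python as an added example that is not code from the paper: coefficient-of-variation weights feed a two-level ER fusion (frequency and severity per attack type, then across attack types) that yields a posture value in [0, 1]. The min-max standardisation, the normalisation of the weights, the grade utilities, the use of the standard recursive ER combination for the formulas missing here, and all sample numbers are assumptions.

```python
from statistics import mean, pstdev

GRADE_UTILITY = [0.0, 0.5, 1.0]   # assumed utilities u(P_n) for low / medium / high risk

def cov_weights(Y):
    """Coefficient-of-variation weights for the n columns of an m x n evaluation matrix."""
    V = []
    for col in zip(*Y):
        lo, span = min(col), max(col) - min(col)
        z = [(y - lo) / span if span else 0.0 for y in col]   # assumed min-max standardisation
        A, S = mean(z), pstdev(z)                             # mean A_j, standard deviation S_j
        V.append(S / A if A else 0.0)                         # V_j = S_j / A_j
    total = sum(V)
    if total == 0:                                            # no indicator varies at all
        return [1.0 / len(V)] * len(V)
    return [v / total for v in V]                             # assumed: weights sum to 1

def er_fuse(beliefs, weights):
    """Recursive ER combination; returns (fused beliefs per grade, unassigned belief)."""
    m = [weights[0] * b for b in beliefs[0]]          # U_{n,1} = w_1 * alpha_{n,1}
    m_bar = 1.0 - weights[0]                          # mass left unassigned by the weight
    m_til = weights[0] * (1.0 - sum(beliefs[0]))      # mass left unassigned by incompleteness
    for w, row in zip(weights[1:], beliefs[1:]):
        n = [w * b for b in row]
        n_bar, n_til = 1.0 - w, w * (1.0 - sum(row))
        mH, nH = m_bar + m_til, n_bar + n_til
        # mass that the two pieces of evidence assign to different grades
        conflict = sum(m) * sum(n) - sum(a * b for a, b in zip(m, n))
        K = 1.0 / (1.0 - conflict)                    # renormalise after removing conflict
        m, m_til, m_bar = (
            [K * (a * b + mH * b + a * nH) for a, b in zip(m, n)],
            K * (m_til * n_til + m_bar * n_til + m_til * n_bar),
            K * (m_bar * n_bar),
        )
    return [a / (1.0 - m_bar) for a in m], m_til / (1.0 - m_bar)

def assess(current, level4_weights, level3_weights):
    """A_i = ER(a_i, q_i) per attack type, then fuse the A_i into one posture value."""
    level3 = [er_fuse(pair, level4_weights)[0] for pair in current]
    beta, beta_h = er_fuse(level3, level3_weights)
    mid = (min(GRADE_UTILITY) + max(GRADE_UTILITY)) / 2    # unassigned belief scored mid-range
    value = sum(u * b for u, b in zip(GRADE_UTILITY, beta)) + beta_h * mid
    return value, beta

# Constructed sample: hourly attack counts for three attack types against one device
HISTORY = [[4, 0, 1], [6, 1, 0], [5, 0, 0], [7, 3, 0], [5, 0, 2], [6, 1, 0]]
# Constructed beliefs for the current hour; per attack type: (frequency, severity) over 3 grades
CURRENT = [
    [[0.1, 0.6, 0.3], [0.0, 0.3, 0.7]],
    [[0.8, 0.2, 0.0], [0.2, 0.6, 0.2]],
    [[0.9, 0.1, 0.0], [0.0, 0.1, 0.9]],
]

if __name__ == "__main__":
    w3 = cov_weights(HISTORY)
    value, beta = assess(CURRENT, [0.5, 0.5], w3)
    print("weights:", [round(w, 3) for w in w3])
    print("fused beliefs:", [round(b, 3) for b in beta], "posture value:", round(value, 3))
```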

Network Security Posture Prediction Based on BRB
Once the network security posture assessment results of the system are obtained, the next step is to proceed with the prediction work. This paper integrates adjacent time series to obtain the network security posture value for the next moment. The BRB model integrates the values at time k − 1 and time k to obtain the network security posture value for the next moment. The process is detailed as follows:
When performing network security posture prediction, the model derivation requires ER analysis for deduction. The specific steps are as follows:
Step 1: Attribute Matching
The matching degree between the input sample information and the confidence rules needs to be calculated as follows:
Step 2: Activation Weight Calculation
Once the rule is successfully matched, the corresponding rule will be activated, and its activation weight is calculated as follows:
Step 3: ER Analysis
After calculating the activation weights, the activated rules need to be combined. This is achieved through ER inference for rule synthesis, calculated as follows:
Step 4: Utility Calculation
After computing the confidence levels for each assessment grade, the prediction is obtained through a utility calculation, as follows:

Optimization of BRB Model Based on P-EO Algorithm
To address the uncertainty associated with expert knowledge in setting the initial parameters, this study employs a P-EO algorithm for model optimization.By leveraging projection to manage the constraints of the BRB, the P-EO algorithm enhances the BRB model, thereby improving its predictive accuracy.
The optimization and constraint description of the prediction model is outlined as follows:
min
The model updates the initial parameters set by experts through optimization algorithms, thereby enhancing the predictive performance of the model. The symbol MSE represents the mean squared error between the predicted network security posture values of the forecasting model and the actual network security posture values, determining whether the model accurately predicts the security situation. The formula is outlined as follows:
where $output_{estimated}$ represents the actual network security posture value of the ICS, and $output_{actual}$ represents the predicted network security posture value of the ICS. The formula is
Here, T represents the number of samples used for training. This paper employs the P-EO algorithm to reduce the mean squared error of the model. A lower mean squared error indicates a closer approximation to the actual network security posture, thus improving the accuracy. The computational process of the P-EO optimization algorithm is depicted in Figure 3, and the specific calculation process is as follows:
[Figure 3. Computational process of the P-EO optimization algorithm. Step 1: Initialization; Step 2: Projection and adaptive values; Step 3: Equilibrium state pools; Step 4: Updating Exponential Item Coefficients; Step 5: Updating Quality Generation Coefficients.]
Step 1: Initialization
Initialize vector $C_0$ as the initial expectation of the P-EO algorithm.
Step 2: Projection and Adaptive Values
The EO algorithm is limited by the constraints of industrial control heterogeneous networks: some candidate solutions do not meet the constraints even though they conform to the actual situation. These candidates are mapped by projection so that they meet the conditions, which makes the EO algorithm more effective in making predictions. After projection, the adaptive value needs to be calculated, that is, whether the updated parameters can achieve a good prediction result. The mean squared error (MSE) serves as the objective function, while $C_{eq,k}$ represents the parameters of the inference process.
Step 3: Equilibrium State Pools
To enhance its global optimization capability and obtain better local optimal solutions, five current optimal solutions are selected from the samples. After selecting the balanced state (see Figure 4), the candidate solutions' balance pool is as follows:
$$C_{eq,pool} = \{C_{eq,I}, C_{eq,II}, C_{eq,III}, C_{eq,IV}, C_{eq,ave}\}$$
Step 4: Update Exponential Coefficients
To facilitate both local and global searches more effectively, exponential coefficients are introduced, and are computed as follows:
Step 5: Update Quality Generation Coefficients
To better explore local optimal solutions, the generation rate is restricted. The calculation is as follows:
Step 6: Update Individual Current Solution
For the optimization problem, the individual solution is updated as follows:
Repeat steps two to six until the iteration count is met. When the iteration count is reached, the loop will terminate, yielding the optimal parameters.
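The loop in Steps 1 to 6, as an added Python example that is not the paper's code. The exponential term, generation rate and position update use the standard Equilibrium Optimizer formulas (an assumption; the page does not reproduce them), and the clip-and-renormalize `project`, the weighted-sum `mse` stand-in for BRB inference, and the values in `UTIL`, `DATA` and `C0` are hypothetical and constructed for illustration.

```python
import math, random

UTIL = [0.0, 0.25, 0.5, 0.75, 1.0]   # assumed utilities of the five grades (constructed)
DATA = [([0.7, 0.3, 0.0], 0.20), ([0.2, 0.6, 0.2], 0.45),   # constructed samples:
        ([0.0, 0.4, 0.6], 0.70), ([0.1, 0.1, 0.8], 0.85)]   # (rule activations, posture)
C0 = [0.2] * 15                      # Step 1: expert beliefs, 3 rules x 5 grades

def project(c, n=5):
    """Assumed projection: clip to [0,1], renormalize each n-belief block to sum to 1."""
    out = []
    for i in range(0, len(c), n):
        blk = [min(max(x, 0.0), 1.0) for x in c[i:i + n]]
        s = sum(blk)
        out += [x / s for x in blk] if s > 0 else [1.0 / n] * n
    return out

def mse(c, data, n=5):
    """Objective: MSE of a simplified rule-weighted expected utility (not full ER)."""
    err = 0.0
    for w, y in data:
        pred = sum(wk * sum(b * u for b, u in zip(c[k * n:(k + 1) * n], UTIL))
                   for k, wk in enumerate(w))
        err += (pred - y) ** 2
    return err / len(data)

def p_eo(data, c0, particles=20, iters=100, a1=2.0, a2=1.0, gp=0.5, seed=1):
    rng = random.Random(seed)
    dim = len(c0)
    pop = [project([x + rng.uniform(-0.2, 0.2) for x in c0]) for _ in range(particles)]
    pop[0] = project(c0)                         # keep the expert setting as a candidate
    best = []                                    # (fitness, solution) of the four best
    for it in range(iters):
        pop = [project(c) for c in pop]          # Step 2: project, then score by MSE
        scored = sorted([(mse(c, data), c) for c in pop] + best, key=lambda p: p[0])
        best = scored[:4]                        # Step 3: four best so far ...
        avg = [sum(c[j] for _, c in best) / 4 for j in range(dim)]
        pool = [c for _, c in best] + [avg]      # ... plus their average
        t = (1 - it / iters) ** (a2 * it / iters)
        for i, c in enumerate(pop):
            ceq = rng.choice(pool)
            new = []
            for j in range(dim):
                lam, r = rng.random() + 1e-9, rng.random()
                f = a1 * math.copysign(1, r - 0.5) * (math.exp(-lam * t) - 1)  # Step 4
                gcp = 0.5 * rng.random() if rng.random() >= gp else 0.0        # Step 5
                g = gcp * (ceq[j] - lam * c[j]) * f
                new.append(ceq[j] + (c[j] - ceq[j]) * f + g / lam * (1 - f))   # Step 6
            pop[i] = new
    return best[0]                               # (lowest MSE found, projected parameters)
```

Because the previous best candidates are carried into each ranking, the returned MSE can never exceed that of the projected expert setting, and every returned belief block stays a valid distribution.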

Case Study
This section aims to verify the predictive capability of the model through experiments. We utilize the X-IIoTID Dataset [40] and TON-IoT [41][42][43] dataset as experimental data to evaluate the model's performance indicators at the first level. These datasets provide real-time status information for the ICS. Based on these data, we establish a prediction model and compare its effectiveness with other methods.

Problem Statement
The X-IIoTID Dataset used is an intrusion dataset that is independent of connections and devices, encompassing multiple attack types and protocols. It serves as a dataset for control networks, focusing on attacks targeting historical/real-time databases, asset management systems, and industrial gateways. Historical/real-time databases are primarily subjected to three types of attacks: vulnerability scanning, general scanning, and erroneous data injection. Asset management systems face attacks such as ransomware, ransom denial-of-service, and discovery-assisted attacks. Industrial gateways encounter attacks like Modbus register reading, brute force attacks, and reverse shell attacks. The TON-IoT dataset used contains heterogeneous data sources such as IoT service remote sensing datasets and network traffic datasets from mobile devices. Serving as a dataset for information networks, it is primarily targeted by four types of attacks: DDoS attacks, backdoor attacks, password attacks, and injection attacks.
After analyzing the datasets, the attack data need to be preprocessed and integrated. In this study, we select 120 consecutive hours of data for experimentation. These data are segmented into 120 groups, with each group representing one hour of attacks, thereby determining the attack frequency and severity. To predict the next network security posture value based on adjacent time values, 118 sets of experimental data can be derived from the 120 groups for prediction experiments.

ER Iterative Algorithm Fusion
Before conducting the experiments, it is necessary to integrate the experimental data to obtain their specific network security posture values. By gradually integrating the indicators as described in Section 3.3, the information within the assessment framework can be consolidated, resulting in the safety state value of the ICS network, thereby providing an understanding of its network security posture. The network security posture values are depicted in Figure 5. After completing the integration process, these data serve as the initial input for the ICS network safety state prediction model, establishing credibility for the next prediction step. The integrated data represent the current network security posture of the system, against which the model's predictions are compared to assess the prediction accuracy.

Establishment of Industrial Control System Network Security Situation Prediction Model Based on ER and BRB
After obtaining the integrated network security status values, the next step is to establish the prediction model. In this study, two adjacent network security status values are selected as inputs to the model. These status values are then fed into the BRB model to obtain the security prediction values. According to the classification of the basic situation security index of network security released by CNCERT/CC, the results of the industrial control network security prediction model are categorized into five prediction levels: Excellent (A), Good (B), Fair (C), Poor (D), and Critical (E). The transformation of the input data into prediction values is based on the confidence rules of the BRB network security posture prediction model, as described below:
With rule weight $\theta_k$ and attribute weights $\delta_1, \delta_2$ (41)
In this study, both the rule weights and attribute weights of the model are set to 1, with their initial confidences detailed in Table A1 in Appendix A. The final prediction results obtained from the confidence rules are referenced against the points and values specified in Table 3.
The above describes the relevant operations of the experiment. In this study, the fused security situation values obtained in Section 4.2 will be segmented into 118 groups. Subsequently, the security prediction will be conducted using the predictive model outlined in Section 4.3. The first 108 groups of data will serve as training data for the param-
Figure 6 reveals that the initial BRB model displays significant prediction bias, whereas the BRB model optimized using the P-EO algorithm shows a better alignment with the actual situation. Moreover, it demonstrates an enhanced capability to predict the network security posture and address limitations associated with the expert parameter settings.
To further validate the predictive performance of the proposed method, several other methods are compared. This study selects some typical prediction models, including the Backpropagation Neural Network (BP) based on quantitative data, a mathematical model for distributed parallel information processing [20]. Radial basis function (RBF), a commonly used machine learning method that utilizes radial basis functions for data processing and nonlinear mapping to perform regression predictions, is also compared [23]. The random forest (RF) prediction model is compared as well; it predicts samples by statistically evaluating the predictions of each decision tree and selecting the final prediction result through a voting mechanism [24]. Two optimization algorithms commonly used in the BRB are also considered: BRB-based Whale Optimization Algorithm (WOA) and Population-based Covariance Matrix Adaptation Evolution Strategy (P-CMA-ES) [35,36]. Both algorithms have demonstrated an effective optimization performance in the BRB. The prediction results of each method are shown in Figure 7.
To evaluate the predictive performance of each model regarding the network security posture, the mean squared error (MSE), root mean squared error (RMSE), and mean absolute percentage error (MAPE) between the actual and predicted values are computed. Each model is subjected to 10 rounds of testing to reduce randomness, and their average values are presented in Table 4.
From Figure 7 and Table 4, it is evident that the method proposed in this paper achieves a closer proximity to the actual values compared to the other methods. The MSE, RMSE, and MAPE values were superior to those of the other methods. From Table 4, it is evident that the method proposed in this paper yields favorable predictive results compared to the other methods. Moreover, the operations of our method are interpretable, unlike those of artificial intelligence, which operate as black boxes. The prediction errors of our method are also comparable to those of the other two BRB model optimization algorithms. Therefore, further comparisons are necessary. By dividing the 118 sets of data into training samples comprising 108, 98, and 88 sets, and testing samples comprising 10, 20, and 30 sets, respectively, the predictive performance can be evaluated based on the MSE values. The comparisons are shown in Table 5. From Table 5, it is evident that the P-EO optimization algorithm shows lower MSE values compared to the two other optimization algorithms, even with fewer training samples. This suggests higher predictive accuracy. These experiments underscore the advantage of the predictive model proposed in this paper in scenarios with limited samples. Moreover, it effectively addresses challenges related to expert uncertainty while enhancing prediction accuracy.

Conclusions
This paper analyzed the structure of an ICS and its actual network security posture, establishing a four-level evaluation framework to facilitate information integration. Through the iterative process of ER, information within the framework was integrated. By establishing an ICS network security prediction model based on the BRB, this study aimed to reduce the shortcomings of expert knowledge in parameter setting by using the P-EO optimization algorithm to optimize the model. This approach effectively utilizes semi-quantitative and uncertain information, thereby reducing expert uncertainty. The experimental results show that the prediction model proposed in this paper performs better in predicting the ICS safety compared with other methods, especially when there is less historical data. However, to achieve more accurate predictions, additional historical information may be necessary as input to the model, potentially leading to the BRB model combination explosion problem and decreased prediction efficiency. Moreover, during optimization, optimization algorithms may significantly alter expert predictions, which could reduce interpretability. Future research directions include reducing the number of rules by adjusting the BRB rule combinations to address the combination explosion problem and enhancing the interpretability by introducing reasonable conditions to constrain optimization algorithms.

Figure 2. Prediction process of industrial control system network security posture.
With rule weight $\theta_k$ and attribute weights $\delta_1, \delta_2$ (24)
Here, $R_k$ represents the $k$th belief rule, and $B^k_1$ and $B^k_2$ represent the reference values corresponding to the two premise attributes of the $k$th rule. $D_1, \cdots, D_N$ represent $N$ results, and $\beta_{1,k}, \cdots, \beta_{N,k}$ are the confidence levels associated with all $N$ results in the $k$th belief rule. $\theta_k$ represents the weight of the $k$th belief rule, while $\delta_1$ and $\delta_2$ denote the weights assigned to two antecedent attributes.

Figure 3. Computational process of the P-EO optimization algorithm.

Figure 4. Schematic diagram of the P-EO algorithm selecting the equilibrium state.


Figure 6. Comparison curve between initial BRB and optimized BRB.

Figure 7. Comparison results of different models' predictions.

Table 2. Industrial control system network security posture assessment framework.

Table 3. Reference points and values of prediction results.

Table 4. Average MSE values of different models.

Table 5. Average MSE values of optimization algorithms.