Abstract

Anomaly detection is gaining popularity among research communities for its essential role in securing Industrial Control Systems (ICS). Over the decades, diverse approaches have been proposed to profile anomalous behaviours propagating across ICS networks. Recent attempts using Graph Neural Network (GNN) methodologies have enabled state prediction of a device node by encoding its immediate neighbourhood. Such an encoding scheme potentially compromises the model’s detection accuracy due to the nodes’ biased attention towards their local surroundings. To investigate this issue, we present the Global-Local Integration Network (GLIN), which achieves node-level anomaly detection by merging a node’s local and the network’s global expressions. It comprises a preprocessor for graph construction and data transformation, an encoder for node embedding learning, a pooling module producing global representations, an integration module that performs message fusion, and a decoder for label prediction. We develop and evaluate GLIN with 7 global integration schemes and train it over 3 message passing mechanisms. We compare its performance against both classical machine learning and recent deep learning baselines and demonstrate its superiority in terms of multiple popular metrics. Finally, we provide useful insights on the results and suggest promising future work directions.
