Over the past few years, massive penetrations targeting an Industrial Control System (ICS) network intend to compromise its core industrial processes. So far, numerous advanced methods have been proposed to detect anomalous patterns in the numeric data streams with respect to the heterogeneous field devices involved in the industrial processes. These methods, despite reporting decent results, usually conduct system-wise detection instead of fine-grained anomalous pattern recognition at the device level. Furthermore, lacking explicit consideration of the exclusive process-related features with respect to each differentiated device, the fitness of their application in specified industrial processes is undermined. To tackle these issues, a GNN-based Attributed Heterogeneous Graph Analyzer (the AHGA) is designed to perform device-wise anomalous pattern detection via in-depth process-oriented associativity learning. The AHGA’s framework is constructed with four building blocks: a graph processor, a feature analyzer, a link inference decoder, and an anomaly detector. Its performance is assessed and compared against multiple link inference and anomaly detection baselines over 2 popular ICS datasets (SWaT and WADI). Comparative results demonstrate the AHGA’s reliability in capturing sophisticated process-oriented relations among heterogeneous devices as well as its effectiveness in boosting the performance of anomalous pattern recognition at device-level granularity.
Read full abstract