Process-Oriented heterogeneous graph learning in GNN-Based ICS anomalous pattern recognition

Bibliographic Details
Published in: Pattern recognition 2023-09, Vol.141, p.109661, Article 109661
Main Authors: L(y)u, Shuaiyi, Wang, Kai, Zhang, Liren, Wang, Bailing
Format: Article
Language: English
Description
Summary:
• A multi-dimensional feature extraction scheme is designed to profile heterogeneous ICS devices.
• A GNN framework is built for device-level rather than system-wise anomaly recognition.
• Evaluation on ICS datasets proves the framework’s superiority to mainstream methods.

Over the past few years, massive penetrations targeting an Industrial Control System (ICS) network intend to compromise its core industrial processes. So far, numerous advanced methods have been proposed to detect anomalous patterns in the numeric data streams with respect to the heterogeneous field devices involved in the industrial processes. These methods, despite reporting decent results, usually conduct system-wise detection instead of fine-grained anomalous pattern recognition at the device level. Furthermore, lacking explicit consideration of the exclusive process-related features with respect to each differentiated device, the fitness of their application in specified industrial processes is undermined. To tackle these issues, a GNN-based Attributed Heterogeneous Graph Analyzer (the AHGA) is designed to perform device-wise anomalous pattern detection via in-depth process-oriented associativity learning. The AHGA’s framework is constructed with four building blocks: a graph processor, a feature analyzer, a link inference decoder, and an anomaly detector. Its performance is assessed and compared against multiple link inference and anomaly detection baselines over 2 popular ICS datasets (SWaT and WADI). Comparative results demonstrate the AHGA’s reliability in capturing sophisticated process-oriented relations among heterogeneous devices as well as its effectiveness in boosting the performance of anomalous pattern recognition at device-level granularity.
ISSN: 0031-3203, 1873-5142
DOI: 10.1016/j.patcog.2023.109661