Explainable correlation-based anomaly detection for Industrial Control Systems
Anomaly detection is vital for enhancing the safety of Industrial Control Systems (ICS). However, the complicated structure of ICS creates complex temporal correlations among devices with many parameters. Current methods often ignore these correlations and poorly select parameters, missing valuable...
Saved in:
| Main Authors: | , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
Frontiers Media S.A.
2025-02-01
|
| Series: | Frontiers in Artificial Intelligence |
| Subjects: | |
| Online Access: | https://www.frontiersin.org/articles/10.3389/frai.2024.1508821/full |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1832542329511084032 |
|---|---|
| author | Ermiyas Birihanu Imre Lendák |
| author_facet | Ermiyas Birihanu Imre Lendák |
| author_sort | Ermiyas Birihanu |
| collection | DOAJ |
| description | Anomaly detection is vital for enhancing the safety of Industrial Control Systems (ICS). However, the complicated structure of ICS creates complex temporal correlations among devices with many parameters. Current methods often ignore these correlations and poorly select parameters, missing valuable insights. Additionally, they lack interpretability, operating efficiently with limited resources, and root cause identification. This study proposes an explainable correlation-based anomaly detection method for ICS. The optimal window size of the data is determined using Long Short-Term Memory Networks—Autoencoder (LSTM-AE) and the correlation parameter set is extracted using the Pearson correlation. A Latent Correlation Matrix (LCM) is created from the correlation parameter set and a Latent Correlation Vector (LCV) is derived from LCM. Based on the LCV, the method utilizes a Multivariate Gaussian Distribution (MGD) to identify anomalies. This is achieved through an anomaly detection module that incorporates a threshold mechanism, utilizing alpha and epsilon values. The proposed method utilizes a novel set of input features extracted using the Shapley Additive explanation (SHAP) framework to train and evaluate the MGD model. The method is evaluated on the Secure Water Treatment (SWaT), Hardware-in-the-loop-based augmented ICS security (HIL-HAI), and Internet of Things Modbus dataset using precision, recall, and F-1 score metrics. Additionally, SHAP is used to gain insights into the anomalies and identify their root causes. Comparative experiments demonstrate the method's effectiveness, achieving a better 0.96% precision and 0.84% F1-score. This enhanced performance aids ICS engineers and decision-makers in identifying the root causes of anomalies. Our code is publicly available at a GitHub repository: https://github.com/Ermiyas21/Explainable-correlation-AD. |
| format | Article |
| id | doaj-art-b49ad4a83a294e85a210fd827904ac04 |
| institution | Kabale University |
| issn | 2624-8212 |
| language | English |
| publishDate | 2025-02-01 |
| publisher | Frontiers Media S.A. |
| record_format | Article |
| series | Frontiers in Artificial Intelligence |
| spelling | doaj-art-b49ad4a83a294e85a210fd827904ac042025-02-04T06:31:55ZengFrontiers Media S.A.Frontiers in Artificial Intelligence2624-82122025-02-01710.3389/frai.2024.15088211508821Explainable correlation-based anomaly detection for Industrial Control SystemsErmiyas BirihanuImre LendákAnomaly detection is vital for enhancing the safety of Industrial Control Systems (ICS). However, the complicated structure of ICS creates complex temporal correlations among devices with many parameters. Current methods often ignore these correlations and poorly select parameters, missing valuable insights. Additionally, they lack interpretability, operating efficiently with limited resources, and root cause identification. This study proposes an explainable correlation-based anomaly detection method for ICS. The optimal window size of the data is determined using Long Short-Term Memory Networks—Autoencoder (LSTM-AE) and the correlation parameter set is extracted using the Pearson correlation. A Latent Correlation Matrix (LCM) is created from the correlation parameter set and a Latent Correlation Vector (LCV) is derived from LCM. Based on the LCV, the method utilizes a Multivariate Gaussian Distribution (MGD) to identify anomalies. This is achieved through an anomaly detection module that incorporates a threshold mechanism, utilizing alpha and epsilon values. The proposed method utilizes a novel set of input features extracted using the Shapley Additive explanation (SHAP) framework to train and evaluate the MGD model. The method is evaluated on the Secure Water Treatment (SWaT), Hardware-in-the-loop-based augmented ICS security (HIL-HAI), and Internet of Things Modbus dataset using precision, recall, and F-1 score metrics. Additionally, SHAP is used to gain insights into the anomalies and identify their root causes. Comparative experiments demonstrate the method's effectiveness, achieving a better 0.96% precision and 0.84% F1-score. This enhanced performance aids ICS engineers and decision-makers in identifying the root causes of anomalies. Our code is publicly available at a GitHub repository: https://github.com/Ermiyas21/Explainable-correlation-AD.https://www.frontiersin.org/articles/10.3389/frai.2024.1508821/fullanomaly detectioncorrelationexplainableIndustrial Control Systemroot cause analysis |
| spellingShingle | Ermiyas Birihanu Imre Lendák Explainable correlation-based anomaly detection for Industrial Control Systems Frontiers in Artificial Intelligence anomaly detection correlation explainable Industrial Control System root cause analysis |
| title | Explainable correlation-based anomaly detection for Industrial Control Systems |
| title_full | Explainable correlation-based anomaly detection for Industrial Control Systems |
| title_fullStr | Explainable correlation-based anomaly detection for Industrial Control Systems |
| title_full_unstemmed | Explainable correlation-based anomaly detection for Industrial Control Systems |
| title_short | Explainable correlation-based anomaly detection for Industrial Control Systems |
| title_sort | explainable correlation based anomaly detection for industrial control systems |
| topic | anomaly detection correlation explainable Industrial Control System root cause analysis |
| url | https://www.frontiersin.org/articles/10.3389/frai.2024.1508821/full |
| work_keys_str_mv | AT ermiyasbirihanu explainablecorrelationbasedanomalydetectionforindustrialcontrolsystems AT imrelendak explainablecorrelationbasedanomalydetectionforindustrialcontrolsystems |