Abstract
GNN-based anomaly detection is one of the most critical security strategies protecting industrial control systems (ICSs) from external attacks. Existing studies mainly focus on how to effectively exploit the behavioural patterns of ICS data streams for detection tasks using topologically-based or fully-connected input graphs. Such graph settings, however, are far from optimal: topologically-based structures usually fail to incorporate data associativity among non-connected devices, while the fully-connected style contains extensive redundant links, leading to excessive computational costs and over-smoothing problems. To address this issue, this work explores graph construction schemes in GNN-based anomaly detection frameworks, and proposes the Local Graph Spatial Analyzer (LGSA) to perform fine-grained device-level anomaly identification instead of conducting system-wise detection, and to achieve superior runtime efficiency. In particular, the LGSA creates a moderately balanced input graph for GNN message exchange via decoupled edge set tuning, which is accomplished by adjusting the quantity and distribution of connections among a specified set of industrial nodes. With redundant connections removed and the majority of core spatial contextual semantics preserved, the LGSA achieves performance comparable to the fully-connected scenario and superior to the topologically-based one. Furthermore, with only the most common spatial features considered in the construction of input graphs, the LGSA can potentially generalize over a wide range of industrial processes rather than being exclusive to particular scenarios. Experimental results on 5 ICS datasets (SWaT, WADI, CISS, BATADAL and PCP) demonstrate the superiority of LGSA in achieving top-notch anomaly detection performance, with an AUROC gain of up to 17.32% and improved runtime efficiency, with a 5.57% and 7.21% time reduction in training and testing.
| Original language | English |
|---|---|
| Pages (from-to) | 4028-4043 |
| Number of pages | 16 |
| Journal | IEEE Transactions on Network Science and Engineering |
| Volume | 12 |
| Issue number | 5 |
| DOIs | |
| State | Published - 2025 |
| Externally published | Yes |
Keywords
- Graph tuning
- anomaly detection
- correlation analysis
- graph neural networks
- industrial control systems (ICSs)
Fingerprint
Dive into the research topics of 'Graph Optimization via Decoupled Edge Tuning for Efficient Industrial Anomaly Detection'. Together they form a unique fingerprint.