Hierarchical GNN Message Passing for Node-Level Anomaly Detection in Industrial Control Systems

  • Faculty of Computing, Harbin Institute of Technology
  • School of Computer Science and Technology (School of Software), Harbin Institute of Technology Weihai
  • Shandong Key Laboratory of Industrial Network Security
  • Harbin Institute of Technology Weihai

Research output: Contribution to journal › Article › peer-review

Abstract

Advances in Graph Neural Networks (GNNs) have prompted remarkable progress in anomaly detection for securing Industrial Control Systems (ICSs). As the core functioning block of a GNN network, message passing in most of the current frameworks is conducted via local aggregation, in which a node's vector representation is updated with messages from its directly connected neighbours. However, despite its efficiency over numerous application scenarios, such a neighbouring aggregation mechanism tends to be highly biased towards a node's locality, and hence may not accurately profile the hierarchical semantics in layered ICS architectures, such as the supervisory relations among controllers and field devices. The resulting node embeddings, in this case, may not be knowledgeable enough to instruct downstream tasks such as fine-grained device-wise ICS anomaly detection. To address this issue, we introduce the Hierarchical Message Analyzer (the HMA), a new message passing scheme that explores a network's supervisory structural features and regulates a message's transmission paths to create balanced embeddings for node-level ICS anomaly detection. This model comprises in its architecture a Preprocessor that condenses the original data flow into initial node vectors, an Adjacency Parser that regulates how messages are transmitted in the aggregation process, an Encoder performing message passing in compliance with the adjacency info obtained from the Adjacency Parser, and a Decoder for label inference. We assess the HMA's performance over multiple evaluation metrics and compare it against various state-of-the-art baselines. Results on multiple datasets certify the HMA's validity and superiority in device-wise ICS anomaly detection.

Original language: English
Pages (from-to): 1994-2011
Number of pages: 18
Journal: IEEE Transactions on Dependable and Secure Computing
Volume: 23
Issue number: 2
State: Published - 2026
Externally published: Yes

Keywords

  • Hierarchical message passing
  • anomaly detection
  • graph neural networks
  • industrial control systems
  • meta-graph data collection
