
Data Driven Anomaly Detection and Inference

The detection and subsequent analysis of Industrial Control System (ICS) anomalies, particularly those arising from cyber incidents, has become increasingly challenging as adversaries employ stealthier Programmable Logic Controller (PLC) attack techniques. The current lack of commercial ICS digital forensic tools prevents cyber practitioners from rapidly assessing an attack and determining how to restore an ICS to normal, safe operation. A key challenge in detecting PLC anomalies is determining the type of anomaly, because different anomalies can present similar observations both physically and virtually: anomalous behaviour resulting from a system fault can produce effects that are indistinguishable from a malicious attack conducted by an advanced cyber adversary.

Our research investigates the application of graph neural networks (GNNs) to model normal operational behaviour in Industrial Control Systems. We compare the two established paradigms for this task, predictive models that forecast the next state of each signal from its graph neighbourhood and reconstruction-based models that rebuild the current state from it, and rigorously quantify their respective trade-offs in the ICS security context.
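The following is an added, constructed illustration of the two paradigms, not code from the research group. The plant (a pump command P, a flow sensor F and a pressure sensor Q linked P-F-Q), its signals and the replay attack are all invented for the example, and each node's GNN is reduced to its essential step, a mean aggregation over the node's graph neighbourhood followed by a one-dimensional linear readout fitted by least squares. The predictive detector forecasts x[t+1] at node i from i's neighbourhood at t; the reconstruction detector rebuilds x[t] at node i from i's neighbours only, with i masked. Both set per-node alarm thresholds as a margin over the largest error seen on normal data.

```python
"""Predictive vs reconstruction-based anomaly scoring on a small ICS graph.

Constructed example (not the research group's code): a pump command P, a
flow sensor F and a pressure sensor Q, connected P -- F -- Q. Each node's
GNN is reduced to its essential step, a mean aggregation over the node's
graph neighbourhood followed by a 1-D linear readout fitted by least
squares, which is enough to show how the two paradigms score a replayed
sensor value differently.
"""
import math

GRAPH = {"P": ["F"], "F": ["P", "Q"], "Q": ["F"]}  # undirected edges P-F, F-Q
NODES = list(GRAPH)


def normal_process(t):
    """Constructed plant at step t: pump toggles every 10 steps, flow follows
    the pump, pressure follows flow; small deterministic drift terms keep the
    least-squares fit from being exact, as real sensor noise would."""
    p = 1.0 if (t // 10) % 2 == 0 else 0.0
    return {"P": p,
            "F": 5.0 * p + 0.1 * math.sin(0.7 * t),
            "Q": 10.0 * p + 0.1 * math.cos(0.3 * t)}


def replay_attack(t):
    """Constructed attack at step t: the pump is stopped (P = 0) but the flow
    reading is replayed at its nominal 'on' value so the operator still sees
    flow; pressure is the genuine physical response to the stopped pump."""
    return {"P": 0.0, "F": 5.0, "Q": 0.1 * math.cos(0.3 * t)}


def aggregate(state, node, include_self):
    """Mean over the node's graph neighbourhood (the GNN aggregation step)."""
    nbrs = GRAPH[node] + ([node] if include_self else [])
    return sum(state[n] for n in nbrs) / len(nbrs)


def fit_line(xs, ys):
    """Ordinary least squares for y = a*x + b (the linear readout)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    a = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return a, my - a * mx


class GraphDetector:
    """mode='predictive':     forecast x[t+1][i] from i's neighbourhood (incl. i) at t.
    mode='reconstruction': rebuild x[t][i] from i's neighbours only at t (i is masked)."""

    def __init__(self, mode):
        assert mode in ("predictive", "reconstruction")
        self.mode, self.params, self.threshold = mode, {}, {}

    def _pairs(self, series, node):
        """(input, target) pairs for one node under the chosen paradigm."""
        if self.mode == "predictive":
            return [(aggregate(series[t], node, True), series[t + 1][node])
                    for t in range(len(series) - 1)]
        return [(aggregate(s, node, False), s[node]) for s in series]

    def _errors(self, series, node):
        a, b = self.params[node]
        return [abs(y - (a * x + b)) for x, y in self._pairs(series, node)]

    def fit(self, series, margin=1.5):
        """Fit each node's readout on normal data and set its alarm threshold
        to a safety margin over the largest error seen on that normal data."""
        for node in NODES:
            xs, ys = zip(*self._pairs(series, node))
            self.params[node] = fit_line(xs, ys)
            self.threshold[node] = margin * max(self._errors(series, node))

    def score(self, series):
        """Per-node peak error over the window, and the nodes that alarm."""
        scores = {n: max(self._errors(series, n)) for n in NODES}
        alarms = sorted(n for n in NODES if scores[n] > self.threshold[n])
        return scores, alarms


def run_demo():
    """Train both detectors on normal data, then score a clean held-out window
    and a replay-attack window (prefixed with the last clean step so the
    predictive model also sees the attack onset)."""
    train = [normal_process(t) for t in range(400)]
    heldout = [normal_process(t) for t in range(400, 605)]   # pump is on at t=604
    attack = heldout[-1:] + [replay_attack(t) for t in range(605, 645)]
    results = {}
    for mode in ("predictive", "reconstruction"):
        det = GraphDetector(mode)
        det.fit(train)
        attack_scores, attack_alarms = det.score(attack)
        results[mode] = {"heldout_alarms": det.score(heldout)[1],
                         "attack_alarms": attack_alarms,
                         "attack_scores": attack_scores,
                         "threshold": det.threshold}
    return results


if __name__ == "__main__":
    for mode, r in run_demo().items():
        print(f"{mode:15s} held-out alarms={r['heldout_alarms']} "
              f"attack alarms={r['attack_alarms']}")
        for n in NODES:
            print(f"  {n}: peak error {r['attack_scores'][n]:.2f} "
                  f"vs threshold {r['threshold'][n]:.2f}")
```

Neither detector alarms on the clean held-out window. The reconstruction detector alarms on all three nodes during the attack, because a flow of 5 is inconsistent with a pump that is off and a pressure of 0 at the same instant, whichever node is masked. The predictive detector stays silent: its thresholds had to be set high enough to tolerate the large but legitimate one-step errors at every pump transition, and the attack onset looks to it like exactly such a transition in which the flow happens not to drop. That is the trade-off in miniature: predictive scoring is sensitive to temporal change and must absorb legitimate transients, while reconstruction scoring checks cross-signal consistency at each instant and would in turn miss a manipulation that keeps all signals mutually consistent.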

Building on this foundation, we explore multi-modal data fusion strategies to construct richer, more comprehensive behavioural profiles of ICS environments. These enriched profiles not only enable robust detection of deviations from normal operation, but also support deeper characterisation of anomalous behaviour, including how manipulated signals and measurements evolve over time, which offers insight into the underlying nature and progression of an attack.

Publications