2025
Journal Article
Title
Towards Graph-based Self-learning of Industrial Process Behaviour for Anomaly Detection
Abstract
The increasing sophistication of cyber threats targeting industrial control systems (ICS) necessitates advanced anomaly detection techniques capable of identifying attacks by analyzing industrial process data exchange. This paper addresses the challenge of representing and learning the spatio-temporal characteristics of industrial network communication as graphs for self-learning anomaly detection. We propose a novel framework that models the spatio-temporal characteristics as graph snapshots and applies Graph Neural Networks (GNNs) for anomaly detection. Each graph snapshot captures the structural and temporal dynamics of PROFINET-based industrial traffic, with edge features encoding the payload transitions, timing intervals, and cycle counter differences. We evaluate the performance of an isotropic Graph Convolutional Network (GCN) and anisotropic GNN variants - Message Passing Neural Network (MPNN), Gated Graph ConvNet (GatedGCN) and Graph Transformer (GT) - for the task of graph classification on real-world datasets from a miniaturized deterministic production plant. Our evaluation results demonstrate that anisotropic GNN models (MPNN, GatedGCN, GT) achieve complete anomaly detection (specificity) while maintaining perfect recall on normal behavior (sensitivity). In contrast, the isotropic GCN fails to distinguish between normal and anomalous states of the miniaturized plant. These findings highlight the efficacy of encoding spatio-temporal characteristics on graph edges and the capability of anisotropic GNNs to learn complex process behaviors for anomaly detection in the industrial networks of the evaluated production plant.
Author(s)
Open Access
Rights
CC BY-NC-ND 4.0: Creative Commons Attribution-NonCommercial-NoDerivatives
Language
English