Rethinking Spatio-Temporal Anomaly Detection: A Vision for Causality-Driven Cybersecurity
Arun Vignesh Malarkkan, Haoyue Bai, Xinyuan Wang, Anjali Kaushik, Dongjie Wang, Yanjie Fu

TL;DR
This paper proposes a causality-driven approach to spatio-temporal anomaly detection in cyber-physical systems, emphasizing interpretability, adaptability, and robustness over traditional black-box methods.
Contribution
It introduces a causal learning framework with key directions like causal graph profiling, multi-view fusion, and continual learning for improved anomaly detection.
Findings
Causal models enable early warning signals.
Root cause attribution is enhanced with causality.
Addresses limitations of black-box detectors in dynamic systems.
Abstract
As cyber-physical systems grow increasingly interconnected and spatially distributed, ensuring their resilience against evolving cyberattacks has become a critical priority. Spatio-temporal anomaly detection plays an important role in ensuring system security and operational integrity. However, current data-driven approaches, largely driven by black-box deep learning, face challenges in interpretability, adaptability to distribution shifts, and robustness under evolving system dynamics. In this paper, we advocate for a causal learning perspective to advance anomaly detection in spatially distributed infrastructures that grounds detection in structural cause-effect relationships. We identify and formalize three key directions: causal graph profiling, multi-view fusion, and continual causal graph learning, each offering distinct advantages in uncovering dynamic cause-effect structures…
