Causal Graph Profiling via Structural Divergence for Robust Anomaly Detection in Cyber-Physical Systems
Arun Vignesh Malarkkan, Haoyue Bai, Dongjie Wang, and Yanjie Fu

TL;DR
This paper introduces CGAD, a causal graph-based framework that improves anomaly detection in cyber-physical systems by leveraging causal structures to handle distribution shifts and class imbalance, resulting in higher accuracy and robustness.
Contribution
The paper presents a novel two-phase supervised framework using causal graph comparison for robust anomaly detection in complex, non-stationary environments.
Findings
Significant improvements in F1 and ROC-AUC scores over baselines.
Effective detection of delayed and structurally complex anomalies.
Enhanced robustness against distribution shifts and class imbalance.
Abstract
With the growing complexity of cyberattacks targeting critical infrastructures such as water treatment networks, there is a pressing need for robust anomaly detection strategies that account for both system vulnerabilities and evolving attack patterns. Traditional methods -- statistical, density-based, and graph-based models -- struggle with distribution shifts and class imbalance in multivariate time series, often leading to high false positive rates. To address these challenges, we propose CGAD, a Causal Graph-based Anomaly Detection framework designed for reliable cyberattack detection in public infrastructure systems. CGAD follows a two-phase supervised framework -- causal profiling and anomaly scoring. First, it learns causal invariant graph structures representing the system's behavior under "Normal" and "Attack" states using Dynamic Bayesian Networks. Second, it employs structural…
