Spatio-Temporal Attention Graph Neural Network: Explaining Causalities With Attention

TL;DR

This paper introduces STA-GNN, a spatio-temporal graph neural network that models interdependencies and provides explainability for anomaly detection in industrial control systems, addressing issues of false positives and system drift.

Contribution

The paper presents a novel unsupervised, explainable GNN model that captures system dynamics and causal relationships in ICS, incorporating conformal prediction for operational reliability.

Findings

Effective modeling of interdependencies in ICS data

Enhanced explainability through attention mechanisms

Addressed false alarms and system drift in anomaly detection

Abstract

Industrial Control Systems (ICS) underpin critical infrastructure and face growing cyber-physical threats due to the convergence of operational technology and networked environments. While machine learning-based anomaly detection approaches in ICS shows strong theoretical performance, deployment is often limited by poor explainability, high false-positive rates, and sensitivity to evolving system behavior, i.e., baseline drifting. We propose a Spatio-Temporal Attention Graph Neural Network (STA-GNN) for unsupervised and explainable anomaly detection in ICS that models both temporal dynamics and relational structure of the system. Sensors, controllers, and network entities are represented as nodes in a dynamically learned graph, enabling the model to capture inter-dependencies across physical processes and communication patterns. Attention mechanisms provide influential relationships, supporting inspection of correlations and potential causal pathways behind detected events. The approach supports multiple data modalities, including SCADA point measurements, network flow features, and payload features, and thus enables unified cyber-physical analysis. To address operational requirements, we incorporate a conformal prediction strategy to control false alarm rates and monitor performance degradation under drifting of the environment. Our findings highlight the possibilities and limitations of model evaluation and common pitfalls in anomaly detection in ICS. Our findings emphasise the importance of explainable, drift-aware evaluation for reliable deployment of learning-based security monitoring systems.