Clustering-Enhanced Domain Adaptation for Cross-Domain Intrusion Detection in Industrial Control Systems
Luyao Wang

TL;DR
This paper introduces a clustering-enhanced domain adaptation approach to improve cross-domain intrusion detection in industrial control systems, addressing data scarcity and domain shift challenges.
Contribution
It proposes a novel framework combining feature-based transfer learning with clustering strategies to enhance detection accuracy and stability across different industrial control scenarios.
Findings
Detection accuracy improved by up to 49% compared to baselines.
Clustering enhancement increased detection accuracy by up to 26%.
Method demonstrated stronger stability and effectiveness in dynamic environments.
Abstract
Industrial control systems operate in dynamic environments where traffic distributions vary across scenarios, labeled samples are limited, and unknown attacks frequently emerge, posing significant challenges to cross-domain intrusion detection. To address this issue, this paper proposes a clustering-enhanced domain adaptation method for industrial control traffic. The framework contains two key components. First, a feature-based transfer learning module projects source and target domains into a shared latent subspace through spectral-transform-based feature alignment and iteratively reduces distribution discrepancies, enabling accurate cross-domain detection. Second, a clustering enhancement strategy combines K-Medoids clustering with PCA-based dimensionality reduction to improve cross-domain correlation estimation and reduce performance degradation caused by manual parameter tuning.…
