Medoid Prototype Alignment for Cross-Plant Unknown Attack Detection in Industrial Control Systems

TL;DR

This paper proposes a medoid prototype alignment framework to improve cross-plant unknown attack detection in industrial control systems, addressing domain shift challenges.

Contribution

It introduces a novel prototype alignment method that enhances transfer stability and detection accuracy across heterogeneous industrial environments.

Findings

Achieves an average accuracy of 0.843 and F1-score of 0.838 on transfer tasks.

Reduces noisy cross-domain matching and improves transfer stability.

Demonstrates transfer asymmetry and the effectiveness of prototype guidance in challenging settings.

Abstract

Deploying an intrusion detector trained in one industrial plant to another remains difficult because Industrial Control System (ICS) traffic is highly site-dependent, labels are scarce, and unseen attacks often appear after deployment. To address this challenge, this paper introduces a medoid prototype alignment framework for cross-plant unknown attack detection. Instead of aligning all source and target samples directly, the method first compresses heterogeneous traffic into a comparable representation space and then extracts robust medoid prototypes that summarize local operational structure in each domain. A prototype-calibrated transfer objective is further designed to align target prototypes with source prototypes while preserving source-domain discrimination and encouraging confident target predictions. This strategy reduces noisy cross-domain matching and improves transfer stability under heterogeneous industrial conditions. Experiments conducted on natural gas and water storage control systems show that the proposed method achieves the best average performance among all compared models, reaching an average accuracy of 0.843 and an average F1-score of 0.838 across four unknown-attack transfer tasks. The analysis also shows clear transfer asymmetry between source-target directions and confirms that prototype guidance is especially helpful on challenging reverse-transfer settings. These findings suggest that medoid prototype alignment is a practical solution for robust industrial intrusion detection under domain shift.