# Non-local attention enhanced deep learning for robust cyberattack detection in industrial IoT-based SCADA systems

**Authors:** Mustafa Tahsin Yilmaz, Onur Polat, Enes Algul, Ferdi Doğan

PMC · DOI: 10.1038/s41598-026-37146-1 · Scientific Reports · 2026-02-09

## TL;DR

This paper introduces a deep learning model for detecting cyberattacks in industrial IoT systems, achieving high accuracy and performance on benchmark datasets.

## Contribution

The novel contribution is a deep learning model combining CNNs with non-local attention blocks for improved cyberattack detection in IIoT-based SCADA systems.

## Key findings

- DeepNonLocalNN achieved an accuracy of 0.9999 and ROC-AUC of 1.0000 on the WUSTL-IIoT-2021 dataset.
- The model excelled in detecting minority attack classes like Backdoor and Command Injection with F1 scores of 0.73 and 0.92 respectively.
- The architecture is scalable and addresses class imbalance in intrusion detection for IIoT environments.

## Abstract

Industrial Internet of Things (IIoT)-enabled Supervisory Control and Data Acquisition (SCADA) systems are pivotal for real-time monitoring and control in critical sectors like energy, manufacturing, and water management. However, their connectivity and complexity expose them to cyber threats, including zero-day vulnerabilities and advanced persistent threats (APTs). Traditional security measures, like signature-based intrusion detection systems (IDSs), are inadequate against dynamic attacks. This study introduces DeepNonLocalNN, a deep learning model combining convolutional neural networks (CNNs) with non-local attention blocks to capture local patterns and global dependencies in IIoT network traffic. Evaluated on the WUSTL-IIoT-2021 dataset, DeepNonLocalNN achieved strong performance, with an accuracy of 0.9999, a receiver operating characteristic-area under the curve (ROC-AUC) of 1.0000, and a macro F1-score of 0.93, outperforming baseline models such as NonLocalNN, CNNWithAttention, ResidualAttentionNetwork, and Long Short-Term Memory (LSTM). Notably, it excelled in detecting minority attack classes, including Backdoor (F1: 0.73) and Command Injection (CommInj, F1: 0.92), addressing class imbalance. The model’s scalable architecture, leveraging non-local attention and regularization, provides a high-performance solution for SCADA security in IIoT environments. Future work will focus on adapting the DeepNonLocalNN approach to real-time intrusion detection. It also aims to reduce the computational cost for resource-constrained PLCs and RTUs in SCADA systems. We also aim to validate this model on various industrial datasets and SCADA environments.

## Full-text entities

- **Diseases:** LSTM (MESH:D000088562), SCADA (MESH:C536209), MITM (MESH:D010033), IoT (MESH:C000719207)
- **Chemicals:** BOT (-), Gas (MESH:D005708), TCP (MESH:C049563), water (MESH:D014867)
- **Species:** Homo sapiens (human, species) [taxon 9606]

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/PMC12954067/full.md

## Figures

6 figures with captions in the complete paper: https://tomesphere.com/paper/PMC12954067/full.md

## References

28 references — full list in the complete paper: https://tomesphere.com/paper/PMC12954067/full.md

---
Source: https://tomesphere.com/paper/PMC12954067