PdGAT-ID: An intrusion detection method for industrial control systems based on periodic extraction and spatiotemporal graph attention

Abstract

The stable operation of Industrial Control Systems (ICS) is critical to industrial production. However, with the advancement of industrialization and informatization, ICS face increasing security threats, particularly from cyber-attacks. As a core technology for ICS security, intrusion detection has garnered significant attention in recent years. Traditional intrusion detection methods typically rely on models constructed from network event logs, but these methods have notable limitations in capturing the spatiotemporal correlations among multiple variables (sensors/actuators) and the periodicity of data within the system. To address these challenges, this paper proposes an ICS intrusion detection method, PdGAT-ID, which integrates periodicity extraction with spatiotemporal graph attention networks. This method aggregates multi-scale periodic information from time series and utilizes spatiotemporal graph attention networks to capture the system's spatiotemporal features, thereby enhancing the accuracy and reliability of detection. Experimental results on three publicly available datasets, SWaT, WADI, and Gas Pipeline Dataset, demonstrate that PdGAT-ID performs exceptionally well in detecting abnormal behaviors and intrusion events. Specifically, its F1 score outperforms the best existing models by 1.55 % to 5.51 %, significantly improving the effectiveness and reliability of ICS anomaly detection.