CGAAD: Centrality- and Graph-Aware Deep-Learning Model for Detecting Cyberattacks Targeting Industrial Control Systems in Critical Infrastructure

Industrial control systems (ICSs) are crucial in managing critical infrastructure, making their security a paramount concern. In recent years, their widespread adoption, together with the overall distance spanned by the critical infrastructure of industrial communication networks, have increased the complexity of the networks' topological arrangement, increasing their structural vulnerabilities. In this scenario, deep-learning models, especially those that incorporate graph-aware mechanisms, have arisen as a promising solution. This article presents a novel centrality- and graph-aware attack detector (CGAAD) that includes nodes' significance by centrality measures within a graph convolution network (GCN) framework to provide superior cyberattack detection performance and increase the resilience of critical ICS infrastructure. The proposed CGAAD model is in three parts. First, centrality measures are used as features for each of the nodes in the ICS graph topology. Then, a sparse-autoencoder (sparse-AE) enhances the feature representations to harness the subsequent classification step. Finally, the GCN leverages the graph structure and the enhanced features to classify dataflow between nodes as either normal or attacked. Experimental results demonstrate promising performance, reaching nearly 99% in terms of accuracy and F1-score, reducing misclassifications of both normal and attacked samples, which is crucial in ICS critical infrastructure applications.