DAN: Neural network based on dual attention for anomaly detection in ICS

In the interpretability research on anomalies of Industrial Control Systems (ICS) with Graph Convolutional Neural Networks (GCN), the causality between the equipment components is a non-negligible factor. Nonetheless, few existing interpretable anomaly detection methods keeps a good balance of detection and interpretation, because of inadequate insufficient learning of causality and improper representation of nodes in GCN. In this paper, we propose a Dual Attention Network (DAN) for a multivariate time series anomaly detection approach, in which temporal causality based on attention is used for representing the relationship of device components. With this condition, the performance of detection is hardly satisfactory. In addition, in the existing graph neural networks, hyperparameters are used to construct an adjacency matrix, so that the detection accuracy is greatly affected. To address the above problems, we introduce a graph neural network based on an attention mechanism to further learn the causal relationship between device components, and propose an adjacency matrix construction method based on the median, to break through the constraint of hyperparameters. In terms of interpretation and detection effect, the performed experiments using the SWaT and WADI datasets from highly simulated real water plants, demonstrate the validity and universality of the DAN.1