Graph-Based Anomaly Detection in Cyber Physical Systems

Abstract

Graph-based anomaly detection has gained traction in securing Cyber-Physical Systems (CPS), where interdependencies among sensors, actuators, and controllers play a pivotal role. In 2021, researchers introduced techniques that model CPS data as graphs and leverage graph neural networks (GNNs) or transformer-based architectures to detect anomalies more accurately and interpretably. One approach introduced structure learning with GNNs and attention mechanisms to capture inter-sensor correlations in multivariate time series, achieving superior detection accuracy and interpretability on real sensor datasets arXiv. Another method, GTA, proposed automatic graph structure learning via Gumbel-softmax and transformer-based temporal modeling for IoT anomaly detection, demonstrating state-of-the-art performance on benchmarks arXiv. In ICS contexts, multi-level GNNs tailored to industrial control architectures incorporate domain knowledge into graph regularization for better accuracy and interpretability MDPI. Classic graph convolutional networks have also been applied effectively to model sensor-telemetry graphs and detect anomalous attacks ACM Digital Library. This paper synthesizes these 2021-era advances, providing a comparative analysis of graph-based anomaly detection methods for CPS—highlighting trade-offs in accuracy, interpretability, and domain integration. We then propose a unified methodology: constructing domain-informed graphs, applying GNN or transformer modules for anomaly inference, and enabling root-cause interpretability via attention or graph structure cues. Our evaluation across synthetic ICS scenarios and publicly available CPS datasets demonstrates that graph-based approaches outperform traditional time-series methods, reducing false positives and improving localization of faults. We conclude by discussing challenges such as data sparsity, graph construction overhead, and real-time deployment, and outline future directions including online graph adaptation, multi-modal fusion, and edge-deployable graph models.