Graph-Based Anomaly Detection in Cyber Physical Systems

Abstract

Cyber-Physical Systems (CPS)—comprising tightly integrated computational and physical components—are foundational in domains like industrial automation, smart grids, and autonomous vehicles. Detecting anomalies in CPS is critical to maintain safety, reliability, and security. Graph-based anomaly detection approaches have emerged as powerful tools capable of capturing complex dependencies among sensors and actuators—modelled as nodes and edges—and identifying deviations in structural or temporal behavior. This paper reviews key graph-centric methods tailored for CPS anomaly detection that predate 2022. We highlight techniques like graph-augmented predictive models, GAN-based frameworks capturing multivariate interactions, and Bayesian network structures modeling causal dependencies. For instance, Multi-Level Graph Attention Networks (PCGAT) model both physical process and controller communication graphs for real-time anomaly localization in industrial control systems MDPI. Additionally, MAD-GAN leverages LSTM-based GANs to capture spatial-temporal dependencies across sensor networks, showing efficacy in detecting CPS intrusions in cyber-physical water systems arXiv. Bayesian network approaches such as TABOR integrate timing and sensor-actuator relationships for detecting anomalies in CPS environments MDPI. We synthesize these methodologies, discuss their suitability for CPS architectures, assess relative strengths and limitations, and propose a unified multi-stage methodology integrating graph construction, modeling, and detection phases. Advantages include modeling spatial-temporal dependencies more naturally and enabling anomaly localization. Challenges involve data labeling scarcity, model complexity, and real-time computational constraints. Ultimately, integrating graph-based models holds promise for advanced anomaly detection in CPS—especially with improvements in graph learning and streaming capabilities. Future directions include graph neural network adoption, real-time learning, and interpretable causal graph methods for CPS.