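Anomaly detection
Computer science
Detector
Anomaly (physics)
Artificial intelligence
Pattern recognition (psychology)
Physics
Telecommunications
Condensed matter physics
Authors
Jianzhen Luo, Cai Yan, Jun Cai, Wanhan Fang, Wenwei Zheng
Identifier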
DOI:10.1109/tii.2025.3528559
Abstract
Modern cyber attacks against industrial control systems (ICSs) are highly stealthy, persistent, and targeted. Existing anomaly detection methods are mainly based on a set of rules defining correct behaviors and use loosely bounded detection thresholds, which can be exploited by attackers to evade detection. In this article, we propose STMBAD, a spatio-temporal multimodal behavior anomaly detector based on spatio-temporal ICS behavior analysis to improve the performance of ICS anomaly detection. STMBAD leverages the rich information available in industrial multimodal data to achieve a deep understanding of complex ICS behaviors and enhance the ability to detect stealthy attacks. To avoid data processing across heterogeneous types/structures and temporal confusion caused by unsynchronized time series, STMBAD embeds the time series of each individual modality separately into variate tokens and applies the attention mechanism and feedforward network to capture multivariate correlations and interdependencies. Meanwhile, based on the attention mechanisms, the temporal evolution law and spatial correlation of different modalities can be captured to model the characteristics of the spatio-temporal multimodal behavior of ICS. When detecting attacks, an adaptive detection mechanism combining global and local detection is proposed to utilize dynamic thresholds at different levels and reduce errors caused by a loose global threshold. The simulation results show that the proposed method outperforms the baseline methods and yields the highest F1 score, reaching 95%.