From black boxes to transparent insights: enhancing Industrial Control Systems anomaly detection with deep autoencoder models

In the realm of securing Industrial Control Systems (ICS), time-series anomaly detection is pivotal, particularly for identifying unknown or zero-day attacks by detecting deviations from established normal behavior. Deep learning models, while effective, often act as black boxes, obscuring how individual features impact detection outcomes. Given the vulnerability of machine learning models to adversarial attacks and their potential reliance on shortcuts, it's crucial that anomaly detection methods are interpretable and grounded in reliable principles. In this work, we introduce novel explainable anomaly detection models that incorporate attention mechanisms in both CNN and LSTM frameworks, enhancing the interpretability and performance of the detection process. Our approach leverages Explainable AI (XAI) techniques to analyze ICS anomaly detection models trained on multidimensional time-series data from the Secure Water Treatment (SWaT) dataset. We specifically compare the effectiveness of two explainability methods—SHAP and counter-factual explanations—within the context of attention-enhanced LSTM-AE and CNN-AE models. Our results demonstrate that our models achieve the highest F-score compared to other peer models, offering superior consistency and descriptive accuracy. This advancement not only improves the interpretability of feature influences on anomaly classification but also significantly enhances the reliability of detection in critical industrial systems.