Attributions for ML-based ICS Anomaly Detection: From Theory to Practice
Clement Fung
Network and Distributed System Security (NDSS) Symposium 2024 · Day 2 · ML Security
Industrial Control Systems (ICS) form the bedrock of critical infrastructure, orchestrating vital processes from power generation to water treatment. The integrity of these systems is paramount, as evidenced by historical incidents like Stuxnet and attacks on the Ukrainian power grid. Machine learning (ML)-based anomaly detection offers a promising real-time defense mechanism, learning normal ICS behavior to flag deviations indicative of an attack. However, a significant limitation of current ML-based solutions is their inability to provide actionable context: they merely signal *that* an anomaly has occurred, not *where* or *why*. This lack of interpretability severely hampers operators' ability to diagnose root causes and mount effective responses.