Explainable Online Unsupervised Anomaly Detection for Cyber-Physical Systems via Causal Discovery from Time Series
Daniele Meli
TL;DR
This work addresses online unsupervised anomaly detection in cyber-physical systems by replacing black-box neural models with a causal-discovery-based approach. It learns a nominal temporal causal graph using PCMCI via Conditional Mutual Information $I(X;Y|Z)$ and detects online anomalies by tracking deviations in the learned causal links. The method achieves 100% precision/recall/F1 on SWAT and strong recall on Pepper, with significantly faster training than neural baselines and the added benefit of interpretable root-cause explanations. Overall, causal-discovery-based OUAD demonstrates explainable, efficient real-time monitoring for CPS.
Abstract
Online unsupervised detection of anomalies is crucial to guarantee the correct operation of cyber-physical systems and the safety of humans interacting with them. State-of-the-art approaches based on deep learning via neural networks achieve outstanding performance at anomaly recognition, evaluating the discrepancy between a normal model of the system (with no anomalies) and the real-time stream of sensor time series. However, large training data and time are typically required, and explainability is still a challenge to identify the root of the anomaly and implement predictive maintainance. In this paper, we use causal discovery to learn a normal causal graph of the system, and we evaluate the persistency of causal links during real-time acquisition of sensor data to promptly detect anomalies. On two benchmark anomaly detection datasets, we show that our method has higher training efficiency, outperforms the accuracy of state-of-the-art neural architectures and correctly identifies the sources of >10 different anomalies. The code is at https://github.com/Isla-lab/causal_anomaly_detection.