System-aware contextual digital twin for ICS anomaly diagnosis

Donghoon Shin; Eungyu Woo; Wonje Heo; Yooshin Kim

arxiv: 2604.24051 · v1 · submitted 2026-04-27 · 💻 cs.CR

System-aware contextual digital twin for ICS anomaly diagnosis

Eungyu Woo , Yooshin Kim , Wonje Heo , Donghoon Shin This is my paper

Pith reviewed 2026-05-08 03:22 UTC · model grok-4.3

classification 💻 cs.CR

keywords industrial control systemsanomaly detectiondigital twinlarge language modelunsupervised learningcybersecurityinterpretabilityICS security

0 comments

The pith

A framework combining unsupervised detection with an LLM-augmented contextual digital twin provides real-time, interpretable anomaly diagnosis for industrial control systems.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper proposes an unsupervised approach to spotting anomalies in industrial control systems by tracking deviations from normal operation without needing system topology details or labeled attack examples. It then uses a contextual digital twin enhanced by a large language model to turn those detections into clear diagnostic hypotheses and step-by-step verification suggestions for human operators. This addresses the shortcomings of existing methods that either demand vast amounts of attack data or offer little insight into why an anomaly occurred, which often results in excessive false alarms and delayed responses. By focusing on lightweight online detection and actionable explanations, the method aims to support timely interventions in critical infrastructures such as power grids and water treatment facilities.

Core claim

The central claim is that a system-aware unsupervised framework can achieve reliable ICS anomaly diagnosis by first identifying deviations from observed normal behaviors in real time without prior topology knowledge, and then employing a contextual digital twin augmented with a large language model to translate the detection evidence into grounded diagnostic hypotheses and verification steps that enable operators to respond effectively.

What carries the argument

The contextual digital twin augmented with a large language model, which takes detection evidence and generates interpretable diagnostic hypotheses along with verification steps.

If this is right

Real-time detection efficiency on public ICS benchmarks.
Consistent and interpretable anomaly diagnoses.
Low-latency warnings suitable for practical deployment in complex industrial environments.
Reduced dependence on labeled attack data and system topology knowledge.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

Integration with existing monitoring tools could further speed up operator responses in live ICS deployments.
Similar digital twin approaches might extend to anomaly diagnosis in other networked control systems like transportation or building automation.
The method's unsupervised nature suggests it could adapt to evolving threats without frequent retraining.

Load-bearing premise

The large language model within the digital twin can consistently translate detection evidence into accurate diagnostic hypotheses and verification steps without generating hallucinations or unsupported claims.

What would settle it

Running the framework on new ICS datasets where the LLM-generated diagnoses are compared against ground-truth root causes and found to frequently mismatch or invent unsupported explanations would disprove the reliability of the interpretive component.

Figures

Figures reproduced from arXiv: 2604.24051 by Donghoon Shin, Eungyu Woo, Wonje Heo, Yooshin Kim.

**Figure 1.** Figure 1: An illustration of Process 1 in the SWaT testbed [ view at source ↗

**Figure 2.** Figure 2: Overview of the proposed SCDT framework. The left panel shows training, where normal features are view at source ↗

**Figure 3.** Figure 3: ICS Operation The full SCDT pipeline, illustrated in view at source ↗

**Figure 4.** Figure 4: Example overview of anomaly diagnosis with LLM. The left panel shows anomaly detection results and view at source ↗

read the original abstract

Industrial Control Systems (ICS) integrate computing, physical processes, and communication to operate critical infrastructures such as power grids, water treatment plants, and oil and gas facilities. As ICS become increasingly targeted by cyberattacks, timely and reliable anomaly diagnosis is essential for protecting operational safety. However, existing ICS anomaly detection approaches face practical limitations: supervised methods require extensive labeled attack data and suffer from class imbalance, while model-based detectors often lack the ability to provide deep insight into the root causes of anomalies, leading to elevated false alarms and making it difficult for operators to initiate a timely response. In this work, we propose a system-aware unsupervised framework for ICS anomaly diagnosis that combines lightweight online detection with contextual explanation. The system identifies deviations from observed normal behaviors without prior knowledge of system topology. To support actionable response, we further concatenate a contextual digital twin augmented with an Large Language Model (LLM) to enhance interpretability, which translates detection evidence into grounded diagnostic hypotheses and verification steps for operators. Experiments on public ICS benchmarks demonstrate that the proposed framework achieves real-time detection efficiency and provides consistent, interpretable anomaly diagnoses, enabling low-latency warning and practical deployment in complex industrial environments.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

The paper combines unsupervised ICS anomaly detection with an LLM-augmented contextual digital twin for explanations, but the abstract asserts real-time efficiency and consistent diagnoses without any supporting numbers or grounding details for the LLM outputs.

read the letter

The paper proposes a system-aware unsupervised framework for diagnosing anomalies in industrial control systems by combining lightweight detection with a contextual digital twin powered by an LLM. The headline result is that this setup delivers real-time efficiency and consistent, interpretable diagnoses on public benchmarks, but the abstract provides no numbers or method details to back that up. What is new is the particular stacking of system-aware detection that skips topology knowledge, a digital twin for context, and the LLM to translate evidence into diagnostic hypotheses and verification steps. The paper does a solid job identifying the practical gaps in supervised and model-based detectors for ICS, where labeled data is scarce and explanations matter for operator response in critical infrastructure like power grids. It earns credit for targeting low-latency warnings in complex environments without assuming prior system knowledge. The unsupervised core and the push for actionable interpretability address real deployment barriers. The soft spots are in the LLM component and the missing evidence. The claim that the digital twin plus LLM produces grounded hypotheses rests on an assumption that the model won't introduce hallucinations or unverified claims, yet the description gives no grounding mechanisms, constrained outputs, or validation steps. Without quantitative results, error analysis, or human validation in the provided text, the consistent and interpretable part stays unproven. If the full paper has those details and they hold, the concern shrinks, but as presented the interpretability benefit is the load-bearing claim without support. This is for readers working on AI for critical infrastructure protection who want to see how LLMs might fit into anomaly pipelines. Someone seeking a turnkey solution with proven metrics will find it thin, but the architecture could spark ideas for follow-on work. It deserves a serious referee because the topic is high-stakes and the combination is coherent enough to merit checking the experiments and the LLM reliability. I recommend sending it to peer review, with the expectation that revisions will need to add concrete results on explanation quality and any safeguards against bad outputs.

Referee Report

2 major / 1 minor

Summary. The manuscript proposes a system-aware unsupervised framework for ICS anomaly diagnosis. It performs lightweight online detection of deviations from observed normal behaviors without requiring prior system topology knowledge. To enable actionable operator response, the framework augments this with a contextual digital twin combined with an LLM that translates detection evidence into grounded diagnostic hypotheses and verification steps. Experiments on public ICS benchmarks are claimed to demonstrate real-time detection efficiency together with consistent, interpretable anomaly diagnoses that support low-latency warnings and practical deployment in industrial environments.

Significance. If the empirical claims hold and the LLM component can be shown to produce reliably grounded outputs, the work would address two persistent limitations in ICS security: the labeled-data and class-imbalance problems of supervised detectors, and the lack of root-cause insight in many model-based approaches. The unsupervised, topology-free detection plus LLM-augmented explanation is a concrete attempt to move from raw alerts to operator-actionable hypotheses. Credit is due for framing the problem around practical deployment constraints in critical infrastructure and for attempting to combine lightweight detection with contextual explanation in a single pipeline.

major comments (2)

[Abstract] Abstract: The headline claim that the LLM-augmented contextual digital twin 'translates detection evidence into grounded diagnostic hypotheses and verification steps' is load-bearing for the asserted interpretability benefit, yet the manuscript supplies no description of grounding mechanisms (retrieval from the digital twin model, constrained decoding, or post-generation verification), no hallucination-rate metrics, and no human-expert validation protocol. In ICS settings an ungrounded hypothesis can trigger unsafe operator actions; therefore the 'consistent, interpretable anomaly diagnoses' part of the result rests on an unverified assumption.
[Abstract] Abstract / Experiments: The assertions of 'real-time detection efficiency' and 'consistent' diagnoses on public benchmarks are presented without any quantitative results, latency figures, accuracy or F1 scores, baseline comparisons, or error analysis. This absence prevents evaluation of whether the data actually support the practical-deployment conclusion.

minor comments (1)

The term 'contextual digital twin' is introduced without a precise definition or diagram showing how it differs from a conventional digital twin or from the underlying detection model.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the thoughtful and constructive report. The comments highlight important considerations for safety-critical ICS applications, particularly around grounding and empirical substantiation. We address each major comment below and commit to revisions that strengthen the manuscript without altering its core contributions.

read point-by-point responses

Referee: [Abstract] Abstract: The headline claim that the LLM-augmented contextual digital twin 'translates detection evidence into grounded diagnostic hypotheses and verification steps' is load-bearing for the asserted interpretability benefit, yet the manuscript supplies no description of grounding mechanisms (retrieval from the digital twin model, constrained decoding, or post-generation verification), no hallucination-rate metrics, and no human-expert validation protocol. In ICS settings an ungrounded hypothesis can trigger unsafe operator actions; therefore the 'consistent, interpretable anomaly diagnoses' part of the result rests on an unverified assumption.

Authors: We agree that the safety implications in ICS environments require explicit grounding details. The manuscript describes the contextual digital twin as supplying verified system-state data to constrain LLM prompts and generate verification steps, but we acknowledge that the abstract and main text would benefit from a clearer, dedicated exposition of the retrieval and constraint mechanisms. We will revise the abstract and add a subsection in the methods to detail these grounding procedures. Regarding hallucination metrics and human-expert validation, the current work does not include quantitative hallucination rates or formal expert studies; we will note this as a limitation and outline planned future validation protocols. revision: yes
Referee: [Abstract] Abstract / Experiments: The assertions of 'real-time detection efficiency' and 'consistent' diagnoses on public benchmarks are presented without any quantitative results, latency figures, accuracy or F1 scores, baseline comparisons, or error analysis. This absence prevents evaluation of whether the data actually support the practical-deployment conclusion.

Authors: The experiments section evaluates the framework on public ICS benchmarks and reports detection performance and diagnostic consistency. To directly address the concern, we will revise the abstract to include concise quantitative highlights (e.g., latency ranges, key performance scores, and baseline comparisons) drawn from the existing results, together with a brief summary of error patterns. This will make the empirical support for real-time efficiency and practical deployment more transparent while preserving the manuscript's length constraints. revision: yes

Circularity Check

0 steps flagged

No circularity: framework is a composition of existing techniques validated on external benchmarks

full rationale

The paper describes a proposed system-aware unsupervised framework that concatenates lightweight detection with an LLM-augmented contextual digital twin for interpretability. No equations, derivations, fitted parameters, or predictions are presented in the abstract or description. Claims rest on experiments using public ICS benchmarks rather than any self-referential fitting or internal consistency checks. No self-citations, uniqueness theorems, or ansatzes from prior author work are invoked. The load-bearing step (LLM translation into grounded hypotheses) is an assumption about external component behavior, not a reduction of outputs to inputs by construction.

Axiom & Free-Parameter Ledger

0 free parameters · 2 axioms · 1 invented entities

Based on abstract only; the central claim rests on the assumption that normal behaviors can be observed and deviations identified without topology knowledge, plus the premise that LLM output yields reliable diagnostic hypotheses.

axioms (2)

domain assumption Deviations from observed normal behaviors can be identified without prior knowledge of system topology
Explicitly stated as the basis for the unsupervised detection component.
ad hoc to paper LLM can translate detection evidence into grounded diagnostic hypotheses and verification steps
Core premise for the interpretability enhancement; no independent validation described.

invented entities (1)

contextual digital twin augmented with LLM no independent evidence
purpose: To enhance interpretability by generating diagnostic hypotheses from detection evidence
Introduced as the mechanism for turning raw anomalies into actionable operator guidance; no external falsifiable evidence provided.

pith-pipeline@v0.9.0 · 5506 in / 1349 out tokens · 39076 ms · 2026-05-08T03:22:50.095085+00:00 · methodology

discussion (0)

Reference graph

Works this paper leans on

51 extracted references · 30 canonical work pages

[1]

ATT&CKforICSmatrix,

Keith Stouffer, Michael Pease, CheeYee Tang, Timothy Zimmerman, Victoria Pillitteri, Suzanne Lightman, Adam Hahn, Stephanie Saravia, Aslam Sherule, and Michael Thompson. Guide to industrial control systems (ics) security, revision 3. Technical Report 800-82r3, National Institute of Standards and Technology, 2022. URL https://doi.org/10.6028/NIST.SP.800-82r3

work page doi:10.6028/nist.sp.800-82r3 2022
[2]

Cyber-physical systems security—a survey.IEEE Internet of Things Journal, 4(6):1802–1831, 2017

Abdulmalik Humayed, Jingqiang Lin, Fengjun Li, and Bo Luo. Cyber-physical systems security—a survey.IEEE Internet of Things Journal, 4(6):1802–1831, 2017. doi:10.1109/JIOT.2017.2703172

work page doi:10.1109/jiot.2017.2703172 2017
[3]

Apt attacks on industrial control systems: A tale of three incidents.International Journal of Critical Infrastructure Protection, 37:100521, 2022

Rajesh Kumar, Rohan Kela, Siddhant Singh, and Rolando Trujillo-Rasua. Apt attacks on industrial control systems: A tale of three incidents.International Journal of Critical Infrastructure Protection, 37:100521, 2022. ISSN 1874-5482. doi:https://doi.org/10.1016/j.ijcip.2022.100521. URL https://www.sciencedirect.com/ science/article/pii/S1874548222000129

work page doi:10.1016/j.ijcip.2022.100521 2022
[4]

Stuxnet: Dissecting a cyberwarfare weapon.IEEE Security & Privacy, 9(3):49–51, 2011

Ralph Langner. Stuxnet: Dissecting a cyberwarfare weapon.IEEE Security & Privacy, 9(3):49–51, 2011. doi:10.1109/MSP.2011.67

work page doi:10.1109/msp.2011.67 2011
[5]

ACM Trans

Zhong Li, Yuxuan Zhu, and Matthijs Van Leeuwen. A survey on explainable anomaly detection.ACM Trans. Knowl. Discov. Data, 18(1), September 2023. ISSN 1556-4681. doi:10.1145/3609333. URL https://doi.org/ 10.1145/3609333

work page doi:10.1145/3609333 2023
[6]

Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation.Cybersecurity, 4(1):27, 2021

Gauthama Raman MR, Chuadhry Mujeeb Ahmed, and Aditya Mathur. Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation.Cybersecurity, 4(1):27, 2021

2021
[7]

Machine learning in industrial control system (ics) security: current landscape, opportunities and challenges.Journal of Intelligent Information Systems, 60(2):377–405, 2023

Abigail MY Koay, Ryan K L Ko, Hinne Hettema, and Kenneth Radke. Machine learning in industrial control system (ics) security: current landscape, opportunities and challenges.Journal of Intelligent Information Systems, 60(2):377–405, 2023

2023
[8]

Shyaa, Noor Farizah Ibrahim, Zurinahni Zainol, Rosni Abdullah, Mohammed Anbar, and Laith Alzubaidi

Methaq A. Shyaa, Noor Farizah Ibrahim, Zurinahni Zainol, Rosni Abdullah, Mohammed Anbar, and Laith Alzubaidi. Evolving cybersecurity frontiers: A comprehensive survey on concept drift and feature dynamics aware machine and deep learning in intrusion detection systems.Engineering Applications of Artificial Intelligence, 137:109143, 2024. ISSN 0952-1976. do...

work page doi:10.1016/j.engappai.2024.109143 2024
[9]

Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications

Dongqi Han, Zhiliang Wang, Wenqi Chen, Ying Zhong, Su Wang, Han Zhang, Jiahai Yang, Xingang Shi, and Xia Yin. Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications. InProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, page 3197–3217, New York, NY , USA, 2021. Associa...

work page doi:10.1145/3460120.3484589 2021
[10]

Sok: Modeling explainability in security analytics for interpretability, trustworthiness, and usability

Dipkamal Bhusal, Rosalyn Shin, Ajay Ashok Shewale, Monish Kumar Manikya Veerabhadran, Michael Clifford, Sara Rampazzi, and Nidhi Rastogi. Sok: Modeling explainability in security analytics for interpretability, trustworthiness, and usability. InProceedings of the 18th International Conference on Availability, Reliability and Security, ARES ’23, New York, ...

work page doi:10.1145/3600160.3600193 2023
[11]

Marwa Keshk, Nickolaos Koroniotis, Nam Pham, Nour Moustafa, Benjamin Turnbull, and Albert Y . Zomaya. An explainable deep learning-enabled intrusion detection framework in iot networks.Information Sciences, 639:119000, 2023. ISSN 0020-0255. doi:https://doi.org/10.1016/j.ins.2023.119000. URL https://www. sciencedirect.com/science/article/pii/S0020025523005856

work page doi:10.1016/j.ins.2023.119000 2023
[12]

Deep learning-based anomaly detection in cyber-physical systems: Progress and opportunities.ACM Comput

Yuan Luo, Ya Xiao, Long Cheng, Guojun Peng, and Danfeng (Daphne) Yao. Deep learning-based anomaly detection in cyber-physical systems: Progress and opportunities.ACM Comput. Surv., 54(5), May 2021. ISSN 0360-0300. doi:10.1145/3453155. URLhttps://doi.org/10.1145/3453155

work page doi:10.1145/3453155 2021
[13]

Ics anomaly detection based on sensor patterns and actuator rules in spatiotemporal dependency.IEEE Transactions on Industrial Informatics, 20(8):10647–10656, 2024

Jun Cai, Zeheng Wei, and Jianzhen Luo. Ics anomaly detection based on sensor patterns and actuator rules in spatiotemporal dependency.IEEE Transactions on Industrial Informatics, 20(8):10647–10656, 2024. doi:10.1109/TII.2024.3393528

work page doi:10.1109/tii.2024.3393528 2024
[14]

A dataset to support research in the design of secure water treatment systems

Jonathan Goh, Sridhar Adepu, Khurum Nazir Junejo, and Aditya Mathur. A dataset to support research in the design of secure water treatment systems. In Grigore Havarneanu, Roberto Setola, Hypatia Nassopoulos, and Stephen Wolthusen, editors,Critical Information Infrastructures Security, pages 88–99, Cham, 2017. Springer International Publishing. ISBN 978-3-...

2017
[15]

A systematic framework to generate invariants for anomaly detection in industrial control systems

Cheng Feng, Venkata Reddy Palleti, Aditya Mathur, and Deeph Chana. A systematic framework to generate invariants for anomaly detection in industrial control systems. InNDSS, pages 1–15, 2019. 11 SCDTA PREPRINT

2019
[16]

Anomaly detection using invariant rules in industrial control systems.Control Engineering Practice, 154:106164, 2025

Qilin Zhu, Yulong Ding, Jie Jiang, and Shuang-Hua Yang. Anomaly detection using invariant rules in industrial control systems.Control Engineering Practice, 154:106164, 2025. ISSN 0967-0661. doi:https://doi.org/10.1016/j.conengprac.2024.106164. URL https://www.sciencedirect.com/science/ article/pii/S096706612400323X

work page doi:10.1016/j.conengprac.2024.106164 2025
[17]

Adopting {AI} to protect industrial control systems: Assessing challenges and opportunities from the {Operators’} perspective

Clement Fung, Eric Zeng, and Lujo Bauer. Adopting {AI} to protect industrial control systems: Assessing challenges and opportunities from the {Operators’} perspective. InTwenty-First Symposium on Usable Privacy and Security (SOUPS 2025), pages 555–573, 2025

2025
[18]

Christopher

Jason D. Christopher. State of ics/ot security 2025. White paper, SANS Institute, November 2025. URL https://www.sans.org/white-papers/state-of-ics-ot-security-2025. Accessed 19 Nov 2025

2025
[19]

Large language models can deliver accurate and interpretable time series anomaly detection

Jun Liu, Chaoyun Zhang, Jiaxu Qian, Minghua Ma, Si Qin, Chetan Bansal, Qingwei Lin, Saravan Rajmohan, and Dongmei Zhang. Large language models can deliver accurate and interpretable time series anomaly detection. In Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V .2, KDD ’25, page 4623–4634, New York, NY , USA, 2025....

work page doi:10.1145/3711896.3737239 2025
[20]

UFO: A UI-focused agent for windows OS interaction

Chaoyun Zhang, Liqun Li, Shilin He, Xu Zhang, Bo Qiao, Si Qin, Minghua Ma, Yu Kang, Qingwei Lin, Saravan Rajmohan, Dongmei Zhang, and Qi Zhang. UFO: A UI-focused agent for windows OS interaction. In Luis Chiruzzo, Alan Ritter, and Lu Wang, editors,Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computationa...

work page doi:10.18653/v1/2025.naacl-long.26 2025
[21]

Allhands :ask me anything on large-scale verbatim feedback via large language models

Chaoyun Zhang, Zicheng Ma, Yuhao Wu, Shilin He, Si Qin, Minghua Ma, Xiaoting Qin, Yu Kang, Yuyi Liang, Xiaoyu Gou, Yajie Xue, Qingwei Lin, Saravan Rajmohan, Dongmei Zhang, and Qi Zhang. Allhands :ask me anything on large-scale verbatim feedback via large language models. In2025 IEEE 41st International Conference on Data Engineering (ICDE), pages 43–57, 20...

work page doi:10.1109/icde65448.2025.00011 2025
[22]

Large language models are zero-shot time series forecasters

Nate Gruver, Marc Finzi, Shikai Qiu, and Andrew Gordon Wilson. Large language models are zero-shot time series forecasters. InProceedings of the 37th International Conference on Neural Information Processing Systems, NIPS ’23, Red Hook, NY , USA, 2023. Curran Associates Inc

2023
[23]

Hal- luguard: Demystifying data-driven and reasoning-driven hallucinations in llms,

Xinyue Zeng, Junhong Lin, Yujun Yan, Feng Guo, Liang Shi, Jun Wu, and Dawei Zhou. Halluguard: Demystifying data-driven and reasoning-driven hallucinations in llms, 2026. URLhttps://arxiv.org/abs/2601.18753

work page arXiv 2026
[24]

A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions,

Lei Huang, Weijiang Yu, Weitao Ma, Weihong Zhong, Zhangyin Feng, Haotian Wang, Qianglong Chen, Weihua Peng, Xiaocheng Feng, Bing Qin, and Ting Liu. A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions.ACM Trans. Inf. Syst., 43(2), January 2025. ISSN 1046-8188. doi:10.1145/3703155. URLhttps://doi.org/10.1...

work page doi:10.1145/3703155 2025
[25]

Integration of Old and New Knowledge for Generalized Intent Discovery: A Consistency-driven Prototype-Prompting Framework

Xiyuan Zhang, Ranak Roy Chowdhury, Rajesh K. Gupta, and Jingbo Shang. Large language models for time series: a survey. InProceedings of the Thirty-Third International Joint Conference on Artificial Intelligence, IJCAI ’24, 2024. ISBN 978-1-956792-04-1. doi:10.24963/ijcai.2024/921. URL https://doi.org/10.24963/ ijcai.2024/921

work page doi:10.24963/ijcai.2024/921 2024
[26]

Zhang, Xiaoming Shi, Pin-Yu Chen, Yuxuan Liang, Yuan-Fang Li, Shirui Pan, and Qingsong Wen

Ming Jin, Shiyu Wang, Lintao Ma, Zhixuan Chu, James Y . Zhang, Xiaoming Shi, Pin-Yu Chen, Yuxuan Liang, Yuan-Fang Li, Shirui Pan, and Qingsong Wen. Time-LLM: Time series forecasting by reprogramming large language models. InThe Twelfth International Conference on Learning Representations, 2024. URL https://openreview.net/forum?id=Unb5CVPtae

2024
[27]

A novel anomaly detection scheme based on principal component classifier

Mei-Ling Shyu, Shu-Ching Chen, Kanoksri Sarinnapakorn, and Liwu Chang. A novel anomaly detection scheme based on principal component classifier. Technical Report ADA465712, MIAMI UNIV CORAL GABLES FL DEPT OF ELECTRICAL AND COMPUTER ENGINEERING, Washington, DC, USA, 2003. URL https: //apps.dtic.mil/sti/pdfs/ADA465712.pdf. Retrieved from DTIC

2003
[28]

Fast outlier detection in high dimensional spaces

Fabrizio Angiulli and Clara Pizzuti. Fast outlier detection in high dimensional spaces. In Tapio Elomaa, Heikki Mannila, and Hannu Toivonen, editors,Principles of Data Mining and Knowledge Discovery, pages 15–27, Berlin, Heidelberg, 2002. Springer Berlin Heidelberg. ISBN 978-3-540-45681-0

2002
[29]

Platt, John C

Bernhard Schölkopf, John C. Platt, John C. Shawe-Taylor, Alex J. Smola, and Robert C. Williamson. Estimating the support of a high-dimensional distribution.Neural Comput., 13(7):1443–1471, July 2001. ISSN 0899-7667. doi:10.1162/089976601750264965. URLhttps://doi.org/10.1162/089976601750264965

work page doi:10.1162/089976601750264965 2001
[30]

D. E. Rumelhart, G. E. Hinton, and R. J. Williams.Learning internal representations by error propagation, page 318–362. MIT Press, Cambridge, MA, USA, 1986. ISBN 026268053X. 12 SCDTA PREPRINT

1986
[31]

Deep autoencoding gaussian mixture model for unsupervised anomaly detection

Bo Zong, Qi Song, Martin Renqiang Min, Wei Cheng, Cristian Lumezanu, Daeki Cho, and Haifeng Chen. Deep autoencoding gaussian mixture model for unsupervised anomaly detection. InInternational Conference on Learning Representations, 2018. URLhttps://openreview.net/forum?id=BJJLHbb0-

2018
[32]

Daehyung Park, Yuuna Hoshi, and Charles C. Kemp. A multimodal anomaly detector for robot-assisted feeding using an lstm-based variational autoencoder.IEEE Robotics and Automation Letters, 3(3):1544–1551, 2018. doi:10.1109/LRA.2018.2801475

work page doi:10.1109/lra.2018.2801475 2018
[33]

Mad-gan: Multivariate anomaly detection for time series data with generative adversarial networks

Dan Li, Dacheng Chen, Baihong Jin, Lei Shi, Jonathan Goh, and See-Kiong Ng. Mad-gan: Multivariate anomaly detection for time series data with generative adversarial networks. In Igor V . Tetko, Vˇera K˚ urková, Pavel Karpov, and Fabian Theis, editors,Artificial Neural Networks and Machine Learning – ICANN 2019: Text and Time Series, pages 703–716, Cham, 2...

2019
[34]

Julien Audibert, Pietro Michiardi, Frédéric Guyard, Sébastien Marti, and Maria A. Zuluaga. Usad: Unsupervised anomaly detection on multivariate time series. InProceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD ’20, page 3395–3404, New York, NY , USA, 2020. Association for Computing Machinery. ISBN 9781450...

work page doi:10.1145/3394486.3403392 2020
[35]

Graph neural network-based anomaly detection in multivariate time series.Proceed- ings of the AAAI Conference on Artificial Intelligence, 35(5):4027–4035, May 2021

Ailin Deng and Bryan Hooi. Graph neural network-based anomaly detection in multivariate time series.Proceed- ings of the AAAI Conference on Artificial Intelligence, 35(5):4027–4035, May 2021. doi:10.1609/aaai.v35i5.16523. URLhttps://ojs.aaai.org/index.php/AAAI/article/view/16523

work page doi:10.1609/aaai.v35i5.16523 2021
[36]

Siho Han and Simon S. Woo. Learning sparse latent graph representations for anomaly detection in multivariate time series. InProceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD ’22, pages 2977–2986, New York, NY , USA, 2022. Association for Computing Machinery. ISBN 9781450393850. doi:10.1145/3534678.3539117. URLhttps...

work page doi:10.1145/3534678.3539117 2022
[37]

A comprehensive survey on digital twin: Focusing on security threats and requirements.IEEE Access, 13:73362–73390, 2025

Hyeran Mun, Kyusuk Han, Ernesto Damiani, {Hyun Ku} Yeun, {Tae Yeon} Kim, Luigi Martino, and {Chan Yeob} Yeun. A comprehensive survey on digital twin: Focusing on security threats and requirements.IEEE Access, 13:73362–73390, 2025. ISSN 2169-3536. doi:10.1109/ACCESS.2025.3563621. Publisher Copyright: © 2013 IEEE

work page doi:10.1109/access.2025.3563621 2025
[38]

Yap, Mario V ozza, and Silvestro Vespoli

Luigi Nele, Giulio Mattera, Emily W. Yap, Mario V ozza, and Silvestro Vespoli. Towards the application of machine learning in digital twin technology: a multi-scale review.Discover Applied Sciences, 6(10):502, Sep 2024. ISSN 3004-9261. doi:10.1007/s42452-024-06206-4. URLhttps://doi.org/10.1007/s42452-024-06206-4

work page doi:10.1007/s42452-024-06206-4 2024
[39]

De Gasperis, S

Giovanni De Gasperis and Sante Dino Facchini. A comparative study of rule-based and data-driven approaches in industrial monitoring, 2025. URLhttps://arxiv.org/abs/2509.15848

work page arXiv 2025
[40]

Digital twin evolution for sustainable smart ecosystems

Judith Michael, Istvan David, and Dominik Bork. Digital twin evolution for sustainable smart ecosystems. InPro- ceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems, MODELS Companion ’24, page 1061–1065, New York, NY , USA, 2024. Association for Computing Machinery. ISBN 9798400706226. doi:10.1145/365262...

work page doi:10.1145/3652620.3688343 2024
[41]

Ai explainability methods in digital twins: A model and a use case

Tim Kreuzer, Panagiotis Papapetrou, and Jelena Zdravkovic. Ai explainability methods in digital twins: A model and a use case. In José Borbinha, Tiago Prince Sales, Miguel Mira Da Silva, Henderik A. Proper, and Marianne Schnellmann, editors,Enterprise Design, Operations, and Computing, pages 3–20, Cham, 2025. Springer Nature Switzerland. ISBN 978-3-031-78338-8

2025
[42]

Llm-assisted physical invariant ex- traction for cyber-physical systems anomaly detection,

Danial Abshari, Peiran Shi, Chenglong Fu, Meera Sridhar, and Xiaojiang Du. Invarllm: Llm-assisted physical invariant extraction for cyber-physical systems anomaly detection.arXiv preprint arXiv:2411.10918, 2024

work page arXiv 2024
[43]

Attackllm: Llm-based attack pattern generation for an industrial control system

Chuadhry Mujeeb Ahmed. Attackllm: Llm-based attack pattern generation for an industrial control system. In Proceedings of the 2nd International Workshop on Foundation Models for Cyber-Physical Systems & Internet of Things, pages 31–36, 2025

2025
[44]

Uniform manifold approximation and projection.Nature Reviews Methods Primers, 4(1):82, 2024

John Healy and Leland McInnes. Uniform manifold approximation and projection.Nature Reviews Methods Primers, 4(1):82, 2024

2024
[45]

Density-based clustering based on hierarchical density estimates

Ricardo JGB Campello, Davoud Moulavi, and Jörg Sander. Density-based clustering based on hierarchical density estimates. InPacific-Asia conference on knowledge discovery and data mining, pages 160–172. Springer, 2013

2013
[46]

Silhouettes: a graphical aid to the interpretation and validation of cluster analysis.Journal of computational and applied mathematics, 20:53–65, 1987

Peter J Rousseeuw. Silhouettes: a graphical aid to the interpretation and validation of cluster analysis.Journal of computational and applied mathematics, 20:53–65, 1987

1987
[47]

On the generalized distance in statistics.Sankhy ¯a: The Indian Journal of Statistics, Series A (2008-), 80:S1–S7, 2018

Prasanta Chandra Mahalanobis. On the generalized distance in statistics.Sankhy ¯a: The Indian Journal of Statistics, Series A (2008-), 80:S1–S7, 2018

2008
[48]

1991 , publisher =

Jianhua Lin. Divergence measures based on the shannon entropy.IEEE Transactions on Information Theory, 37 (1):145–151, 1991. doi:10.1109/18.61115. 13 SCDTA PREPRINT

work page doi:10.1109/18.61115 1991
[49]

Chuadhry Mujeeb Ahmed, Venkata Reddy Palleti, and Aditya P. Mathur. Wadi: a water distribution testbed for research in the design of secure cyber physical systems. InProceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks, CySWATER ’17, pages 25–28, New York, NY , USA,
[50]

ISBN 9781450349758

Association for Computing Machinery. ISBN 9781450349758. doi:10.1145/3055366.3055375. URL https://doi.org/10.1145/3055366.3055375

work page doi:10.1145/3055366.3055375
[51]

HAI 1.0: HIL-based augmented ICS security dataset

Hyeok-Ki Shin, Woomyo Lee, Jeong-Han Yun, and HyoungChun Kim. HAI 1.0: HIL-based augmented ICS security dataset. In13th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20). USENIX Association, August 2020. URLhttps://www.usenix.org/conference/cset20/presentation/shin. 14

2020

[1] [1]

ATT&CKforICSmatrix,

Keith Stouffer, Michael Pease, CheeYee Tang, Timothy Zimmerman, Victoria Pillitteri, Suzanne Lightman, Adam Hahn, Stephanie Saravia, Aslam Sherule, and Michael Thompson. Guide to industrial control systems (ics) security, revision 3. Technical Report 800-82r3, National Institute of Standards and Technology, 2022. URL https://doi.org/10.6028/NIST.SP.800-82r3

work page doi:10.6028/nist.sp.800-82r3 2022

[2] [2]

Cyber-physical systems security—a survey.IEEE Internet of Things Journal, 4(6):1802–1831, 2017

Abdulmalik Humayed, Jingqiang Lin, Fengjun Li, and Bo Luo. Cyber-physical systems security—a survey.IEEE Internet of Things Journal, 4(6):1802–1831, 2017. doi:10.1109/JIOT.2017.2703172

work page doi:10.1109/jiot.2017.2703172 2017

[3] [3]

Apt attacks on industrial control systems: A tale of three incidents.International Journal of Critical Infrastructure Protection, 37:100521, 2022

Rajesh Kumar, Rohan Kela, Siddhant Singh, and Rolando Trujillo-Rasua. Apt attacks on industrial control systems: A tale of three incidents.International Journal of Critical Infrastructure Protection, 37:100521, 2022. ISSN 1874-5482. doi:https://doi.org/10.1016/j.ijcip.2022.100521. URL https://www.sciencedirect.com/ science/article/pii/S1874548222000129

work page doi:10.1016/j.ijcip.2022.100521 2022

[4] [4]

Stuxnet: Dissecting a cyberwarfare weapon.IEEE Security & Privacy, 9(3):49–51, 2011

Ralph Langner. Stuxnet: Dissecting a cyberwarfare weapon.IEEE Security & Privacy, 9(3):49–51, 2011. doi:10.1109/MSP.2011.67

work page doi:10.1109/msp.2011.67 2011

[5] [5]

ACM Trans

Zhong Li, Yuxuan Zhu, and Matthijs Van Leeuwen. A survey on explainable anomaly detection.ACM Trans. Knowl. Discov. Data, 18(1), September 2023. ISSN 1556-4681. doi:10.1145/3609333. URL https://doi.org/ 10.1145/3609333

work page doi:10.1145/3609333 2023

[6] [6]

Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation.Cybersecurity, 4(1):27, 2021

Gauthama Raman MR, Chuadhry Mujeeb Ahmed, and Aditya Mathur. Machine learning for intrusion detection in industrial control systems: challenges and lessons from experimental evaluation.Cybersecurity, 4(1):27, 2021

2021

[7] [7]

Machine learning in industrial control system (ics) security: current landscape, opportunities and challenges.Journal of Intelligent Information Systems, 60(2):377–405, 2023

Abigail MY Koay, Ryan K L Ko, Hinne Hettema, and Kenneth Radke. Machine learning in industrial control system (ics) security: current landscape, opportunities and challenges.Journal of Intelligent Information Systems, 60(2):377–405, 2023

2023

[8] [8]

Shyaa, Noor Farizah Ibrahim, Zurinahni Zainol, Rosni Abdullah, Mohammed Anbar, and Laith Alzubaidi

Methaq A. Shyaa, Noor Farizah Ibrahim, Zurinahni Zainol, Rosni Abdullah, Mohammed Anbar, and Laith Alzubaidi. Evolving cybersecurity frontiers: A comprehensive survey on concept drift and feature dynamics aware machine and deep learning in intrusion detection systems.Engineering Applications of Artificial Intelligence, 137:109143, 2024. ISSN 0952-1976. do...

work page doi:10.1016/j.engappai.2024.109143 2024

[9] [9]

Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications

Dongqi Han, Zhiliang Wang, Wenqi Chen, Ying Zhong, Su Wang, Han Zhang, Jiahai Yang, Xingang Shi, and Xia Yin. Deepaid: Interpreting and improving deep learning-based anomaly detection in security applications. InProceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, CCS ’21, page 3197–3217, New York, NY , USA, 2021. Associa...

work page doi:10.1145/3460120.3484589 2021

[10] [10]

Sok: Modeling explainability in security analytics for interpretability, trustworthiness, and usability

Dipkamal Bhusal, Rosalyn Shin, Ajay Ashok Shewale, Monish Kumar Manikya Veerabhadran, Michael Clifford, Sara Rampazzi, and Nidhi Rastogi. Sok: Modeling explainability in security analytics for interpretability, trustworthiness, and usability. InProceedings of the 18th International Conference on Availability, Reliability and Security, ARES ’23, New York, ...

work page doi:10.1145/3600160.3600193 2023

[11] [11]

Marwa Keshk, Nickolaos Koroniotis, Nam Pham, Nour Moustafa, Benjamin Turnbull, and Albert Y . Zomaya. An explainable deep learning-enabled intrusion detection framework in iot networks.Information Sciences, 639:119000, 2023. ISSN 0020-0255. doi:https://doi.org/10.1016/j.ins.2023.119000. URL https://www. sciencedirect.com/science/article/pii/S0020025523005856

work page doi:10.1016/j.ins.2023.119000 2023

[12] [12]

Deep learning-based anomaly detection in cyber-physical systems: Progress and opportunities.ACM Comput

Yuan Luo, Ya Xiao, Long Cheng, Guojun Peng, and Danfeng (Daphne) Yao. Deep learning-based anomaly detection in cyber-physical systems: Progress and opportunities.ACM Comput. Surv., 54(5), May 2021. ISSN 0360-0300. doi:10.1145/3453155. URLhttps://doi.org/10.1145/3453155

work page doi:10.1145/3453155 2021

[13] [13]

Ics anomaly detection based on sensor patterns and actuator rules in spatiotemporal dependency.IEEE Transactions on Industrial Informatics, 20(8):10647–10656, 2024

Jun Cai, Zeheng Wei, and Jianzhen Luo. Ics anomaly detection based on sensor patterns and actuator rules in spatiotemporal dependency.IEEE Transactions on Industrial Informatics, 20(8):10647–10656, 2024. doi:10.1109/TII.2024.3393528

work page doi:10.1109/tii.2024.3393528 2024

[14] [14]

A dataset to support research in the design of secure water treatment systems

Jonathan Goh, Sridhar Adepu, Khurum Nazir Junejo, and Aditya Mathur. A dataset to support research in the design of secure water treatment systems. In Grigore Havarneanu, Roberto Setola, Hypatia Nassopoulos, and Stephen Wolthusen, editors,Critical Information Infrastructures Security, pages 88–99, Cham, 2017. Springer International Publishing. ISBN 978-3-...

2017

[15] [15]

A systematic framework to generate invariants for anomaly detection in industrial control systems

Cheng Feng, Venkata Reddy Palleti, Aditya Mathur, and Deeph Chana. A systematic framework to generate invariants for anomaly detection in industrial control systems. InNDSS, pages 1–15, 2019. 11 SCDTA PREPRINT

2019

[16] [16]

Anomaly detection using invariant rules in industrial control systems.Control Engineering Practice, 154:106164, 2025

Qilin Zhu, Yulong Ding, Jie Jiang, and Shuang-Hua Yang. Anomaly detection using invariant rules in industrial control systems.Control Engineering Practice, 154:106164, 2025. ISSN 0967-0661. doi:https://doi.org/10.1016/j.conengprac.2024.106164. URL https://www.sciencedirect.com/science/ article/pii/S096706612400323X

work page doi:10.1016/j.conengprac.2024.106164 2025

[17] [17]

Adopting {AI} to protect industrial control systems: Assessing challenges and opportunities from the {Operators’} perspective

Clement Fung, Eric Zeng, and Lujo Bauer. Adopting {AI} to protect industrial control systems: Assessing challenges and opportunities from the {Operators’} perspective. InTwenty-First Symposium on Usable Privacy and Security (SOUPS 2025), pages 555–573, 2025

2025

[18] [18]

Christopher

Jason D. Christopher. State of ics/ot security 2025. White paper, SANS Institute, November 2025. URL https://www.sans.org/white-papers/state-of-ics-ot-security-2025. Accessed 19 Nov 2025

2025

[19] [19]

Large language models can deliver accurate and interpretable time series anomaly detection

Jun Liu, Chaoyun Zhang, Jiaxu Qian, Minghua Ma, Si Qin, Chetan Bansal, Qingwei Lin, Saravan Rajmohan, and Dongmei Zhang. Large language models can deliver accurate and interpretable time series anomaly detection. In Proceedings of the 31st ACM SIGKDD Conference on Knowledge Discovery and Data Mining V .2, KDD ’25, page 4623–4634, New York, NY , USA, 2025....

work page doi:10.1145/3711896.3737239 2025

[20] [20]

UFO: A UI-focused agent for windows OS interaction

Chaoyun Zhang, Liqun Li, Shilin He, Xu Zhang, Bo Qiao, Si Qin, Minghua Ma, Yu Kang, Qingwei Lin, Saravan Rajmohan, Dongmei Zhang, and Qi Zhang. UFO: A UI-focused agent for windows OS interaction. In Luis Chiruzzo, Alan Ritter, and Lu Wang, editors,Proceedings of the 2025 Conference of the Nations of the Americas Chapter of the Association for Computationa...

work page doi:10.18653/v1/2025.naacl-long.26 2025

[21] [21]

Allhands :ask me anything on large-scale verbatim feedback via large language models

Chaoyun Zhang, Zicheng Ma, Yuhao Wu, Shilin He, Si Qin, Minghua Ma, Xiaoting Qin, Yu Kang, Yuyi Liang, Xiaoyu Gou, Yajie Xue, Qingwei Lin, Saravan Rajmohan, Dongmei Zhang, and Qi Zhang. Allhands :ask me anything on large-scale verbatim feedback via large language models. In2025 IEEE 41st International Conference on Data Engineering (ICDE), pages 43–57, 20...

work page doi:10.1109/icde65448.2025.00011 2025

[22] [22]

Large language models are zero-shot time series forecasters

Nate Gruver, Marc Finzi, Shikai Qiu, and Andrew Gordon Wilson. Large language models are zero-shot time series forecasters. InProceedings of the 37th International Conference on Neural Information Processing Systems, NIPS ’23, Red Hook, NY , USA, 2023. Curran Associates Inc

2023

[23] [23]

Hal- luguard: Demystifying data-driven and reasoning-driven hallucinations in llms,

Xinyue Zeng, Junhong Lin, Yujun Yan, Feng Guo, Liang Shi, Jun Wu, and Dawei Zhou. Halluguard: Demystifying data-driven and reasoning-driven hallucinations in llms, 2026. URLhttps://arxiv.org/abs/2601.18753

work page arXiv 2026

[24] [24]

A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions,

Lei Huang, Weijiang Yu, Weitao Ma, Weihong Zhong, Zhangyin Feng, Haotian Wang, Qianglong Chen, Weihua Peng, Xiaocheng Feng, Bing Qin, and Ting Liu. A survey on hallucination in large language models: Principles, taxonomy, challenges, and open questions.ACM Trans. Inf. Syst., 43(2), January 2025. ISSN 1046-8188. doi:10.1145/3703155. URLhttps://doi.org/10.1...

work page doi:10.1145/3703155 2025

[25] [25]

Integration of Old and New Knowledge for Generalized Intent Discovery: A Consistency-driven Prototype-Prompting Framework

Xiyuan Zhang, Ranak Roy Chowdhury, Rajesh K. Gupta, and Jingbo Shang. Large language models for time series: a survey. InProceedings of the Thirty-Third International Joint Conference on Artificial Intelligence, IJCAI ’24, 2024. ISBN 978-1-956792-04-1. doi:10.24963/ijcai.2024/921. URL https://doi.org/10.24963/ ijcai.2024/921

work page doi:10.24963/ijcai.2024/921 2024

[26] [26]

Zhang, Xiaoming Shi, Pin-Yu Chen, Yuxuan Liang, Yuan-Fang Li, Shirui Pan, and Qingsong Wen

Ming Jin, Shiyu Wang, Lintao Ma, Zhixuan Chu, James Y . Zhang, Xiaoming Shi, Pin-Yu Chen, Yuxuan Liang, Yuan-Fang Li, Shirui Pan, and Qingsong Wen. Time-LLM: Time series forecasting by reprogramming large language models. InThe Twelfth International Conference on Learning Representations, 2024. URL https://openreview.net/forum?id=Unb5CVPtae

2024

[27] [27]

A novel anomaly detection scheme based on principal component classifier

Mei-Ling Shyu, Shu-Ching Chen, Kanoksri Sarinnapakorn, and Liwu Chang. A novel anomaly detection scheme based on principal component classifier. Technical Report ADA465712, MIAMI UNIV CORAL GABLES FL DEPT OF ELECTRICAL AND COMPUTER ENGINEERING, Washington, DC, USA, 2003. URL https: //apps.dtic.mil/sti/pdfs/ADA465712.pdf. Retrieved from DTIC

2003

[28] [28]

Fast outlier detection in high dimensional spaces

Fabrizio Angiulli and Clara Pizzuti. Fast outlier detection in high dimensional spaces. In Tapio Elomaa, Heikki Mannila, and Hannu Toivonen, editors,Principles of Data Mining and Knowledge Discovery, pages 15–27, Berlin, Heidelberg, 2002. Springer Berlin Heidelberg. ISBN 978-3-540-45681-0

2002

[29] [29]

Platt, John C

Bernhard Schölkopf, John C. Platt, John C. Shawe-Taylor, Alex J. Smola, and Robert C. Williamson. Estimating the support of a high-dimensional distribution.Neural Comput., 13(7):1443–1471, July 2001. ISSN 0899-7667. doi:10.1162/089976601750264965. URLhttps://doi.org/10.1162/089976601750264965

work page doi:10.1162/089976601750264965 2001

[30] [30]

D. E. Rumelhart, G. E. Hinton, and R. J. Williams.Learning internal representations by error propagation, page 318–362. MIT Press, Cambridge, MA, USA, 1986. ISBN 026268053X. 12 SCDTA PREPRINT

1986

[31] [31]

Deep autoencoding gaussian mixture model for unsupervised anomaly detection

Bo Zong, Qi Song, Martin Renqiang Min, Wei Cheng, Cristian Lumezanu, Daeki Cho, and Haifeng Chen. Deep autoencoding gaussian mixture model for unsupervised anomaly detection. InInternational Conference on Learning Representations, 2018. URLhttps://openreview.net/forum?id=BJJLHbb0-

2018

[32] [32]

Daehyung Park, Yuuna Hoshi, and Charles C. Kemp. A multimodal anomaly detector for robot-assisted feeding using an lstm-based variational autoencoder.IEEE Robotics and Automation Letters, 3(3):1544–1551, 2018. doi:10.1109/LRA.2018.2801475

work page doi:10.1109/lra.2018.2801475 2018

[33] [33]

Mad-gan: Multivariate anomaly detection for time series data with generative adversarial networks

Dan Li, Dacheng Chen, Baihong Jin, Lei Shi, Jonathan Goh, and See-Kiong Ng. Mad-gan: Multivariate anomaly detection for time series data with generative adversarial networks. In Igor V . Tetko, Vˇera K˚ urková, Pavel Karpov, and Fabian Theis, editors,Artificial Neural Networks and Machine Learning – ICANN 2019: Text and Time Series, pages 703–716, Cham, 2...

2019

[34] [34]

Julien Audibert, Pietro Michiardi, Frédéric Guyard, Sébastien Marti, and Maria A. Zuluaga. Usad: Unsupervised anomaly detection on multivariate time series. InProceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, KDD ’20, page 3395–3404, New York, NY , USA, 2020. Association for Computing Machinery. ISBN 9781450...

work page doi:10.1145/3394486.3403392 2020

[35] [35]

Graph neural network-based anomaly detection in multivariate time series.Proceed- ings of the AAAI Conference on Artificial Intelligence, 35(5):4027–4035, May 2021

Ailin Deng and Bryan Hooi. Graph neural network-based anomaly detection in multivariate time series.Proceed- ings of the AAAI Conference on Artificial Intelligence, 35(5):4027–4035, May 2021. doi:10.1609/aaai.v35i5.16523. URLhttps://ojs.aaai.org/index.php/AAAI/article/view/16523

work page doi:10.1609/aaai.v35i5.16523 2021

[36] [36]

Siho Han and Simon S. Woo. Learning sparse latent graph representations for anomaly detection in multivariate time series. InProceedings of the 28th ACM SIGKDD Conference on Knowledge Discovery and Data Mining, KDD ’22, pages 2977–2986, New York, NY , USA, 2022. Association for Computing Machinery. ISBN 9781450393850. doi:10.1145/3534678.3539117. URLhttps...

work page doi:10.1145/3534678.3539117 2022

[37] [37]

A comprehensive survey on digital twin: Focusing on security threats and requirements.IEEE Access, 13:73362–73390, 2025

Hyeran Mun, Kyusuk Han, Ernesto Damiani, {Hyun Ku} Yeun, {Tae Yeon} Kim, Luigi Martino, and {Chan Yeob} Yeun. A comprehensive survey on digital twin: Focusing on security threats and requirements.IEEE Access, 13:73362–73390, 2025. ISSN 2169-3536. doi:10.1109/ACCESS.2025.3563621. Publisher Copyright: © 2013 IEEE

work page doi:10.1109/access.2025.3563621 2025

[38] [38]

Yap, Mario V ozza, and Silvestro Vespoli

Luigi Nele, Giulio Mattera, Emily W. Yap, Mario V ozza, and Silvestro Vespoli. Towards the application of machine learning in digital twin technology: a multi-scale review.Discover Applied Sciences, 6(10):502, Sep 2024. ISSN 3004-9261. doi:10.1007/s42452-024-06206-4. URLhttps://doi.org/10.1007/s42452-024-06206-4

work page doi:10.1007/s42452-024-06206-4 2024

[39] [39]

De Gasperis, S

Giovanni De Gasperis and Sante Dino Facchini. A comparative study of rule-based and data-driven approaches in industrial monitoring, 2025. URLhttps://arxiv.org/abs/2509.15848

work page arXiv 2025

[40] [40]

Digital twin evolution for sustainable smart ecosystems

Judith Michael, Istvan David, and Dominik Bork. Digital twin evolution for sustainable smart ecosystems. InPro- ceedings of the ACM/IEEE 27th International Conference on Model Driven Engineering Languages and Systems, MODELS Companion ’24, page 1061–1065, New York, NY , USA, 2024. Association for Computing Machinery. ISBN 9798400706226. doi:10.1145/365262...

work page doi:10.1145/3652620.3688343 2024

[41] [41]

Ai explainability methods in digital twins: A model and a use case

Tim Kreuzer, Panagiotis Papapetrou, and Jelena Zdravkovic. Ai explainability methods in digital twins: A model and a use case. In José Borbinha, Tiago Prince Sales, Miguel Mira Da Silva, Henderik A. Proper, and Marianne Schnellmann, editors,Enterprise Design, Operations, and Computing, pages 3–20, Cham, 2025. Springer Nature Switzerland. ISBN 978-3-031-78338-8

2025

[42] [42]

Llm-assisted physical invariant ex- traction for cyber-physical systems anomaly detection,

Danial Abshari, Peiran Shi, Chenglong Fu, Meera Sridhar, and Xiaojiang Du. Invarllm: Llm-assisted physical invariant extraction for cyber-physical systems anomaly detection.arXiv preprint arXiv:2411.10918, 2024

work page arXiv 2024

[43] [43]

Attackllm: Llm-based attack pattern generation for an industrial control system

Chuadhry Mujeeb Ahmed. Attackllm: Llm-based attack pattern generation for an industrial control system. In Proceedings of the 2nd International Workshop on Foundation Models for Cyber-Physical Systems & Internet of Things, pages 31–36, 2025

2025

[44] [44]

Uniform manifold approximation and projection.Nature Reviews Methods Primers, 4(1):82, 2024

John Healy and Leland McInnes. Uniform manifold approximation and projection.Nature Reviews Methods Primers, 4(1):82, 2024

2024

[45] [45]

Density-based clustering based on hierarchical density estimates

Ricardo JGB Campello, Davoud Moulavi, and Jörg Sander. Density-based clustering based on hierarchical density estimates. InPacific-Asia conference on knowledge discovery and data mining, pages 160–172. Springer, 2013

2013

[46] [46]

Silhouettes: a graphical aid to the interpretation and validation of cluster analysis.Journal of computational and applied mathematics, 20:53–65, 1987

Peter J Rousseeuw. Silhouettes: a graphical aid to the interpretation and validation of cluster analysis.Journal of computational and applied mathematics, 20:53–65, 1987

1987

[47] [47]

On the generalized distance in statistics.Sankhy ¯a: The Indian Journal of Statistics, Series A (2008-), 80:S1–S7, 2018

Prasanta Chandra Mahalanobis. On the generalized distance in statistics.Sankhy ¯a: The Indian Journal of Statistics, Series A (2008-), 80:S1–S7, 2018

2008

[48] [48]

1991 , publisher =

Jianhua Lin. Divergence measures based on the shannon entropy.IEEE Transactions on Information Theory, 37 (1):145–151, 1991. doi:10.1109/18.61115. 13 SCDTA PREPRINT

work page doi:10.1109/18.61115 1991

[49] [49]

Chuadhry Mujeeb Ahmed, Venkata Reddy Palleti, and Aditya P. Mathur. Wadi: a water distribution testbed for research in the design of secure cyber physical systems. InProceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks, CySWATER ’17, pages 25–28, New York, NY , USA,

[50] [50]

ISBN 9781450349758

Association for Computing Machinery. ISBN 9781450349758. doi:10.1145/3055366.3055375. URL https://doi.org/10.1145/3055366.3055375

work page doi:10.1145/3055366.3055375

[51] [51]

HAI 1.0: HIL-based augmented ICS security dataset

Hyeok-Ki Shin, Woomyo Lee, Jeong-Han Yun, and HyoungChun Kim. HAI 1.0: HIL-based augmented ICS security dataset. In13th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20). USENIX Association, August 2020. URLhttps://www.usenix.org/conference/cset20/presentation/shin. 14

2020