{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,23]],"date-time":"2026-06-23T19:44:04Z","timestamp":1782243844053,"version":"3.54.5"},"reference-count":32,"publisher":"Frontiers Media SA","license":[{"start":{"date-parts":[[2025,2,4]],"date-time":"2025-02-04T00:00:00Z","timestamp":1738627200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["frontiersin.org"],"crossmark-restriction":true},"short-container-title":["Front. Artif. Intell."],"abstract":"<jats:p>Anomaly detection is vital for enhancing the safety of Industrial Control Systems (ICS). However, the complicated structure of ICS creates complex temporal correlations among devices with many parameters. Current methods often ignore these correlations and poorly select parameters, missing valuable insights. Additionally, they lack interpretability, operating efficiently with limited resources, and root cause identification. This study proposes an explainable correlation-based anomaly detection method for ICS. The optimal window size of the data is determined using Long Short-Term Memory Networks\u2014Autoencoder (LSTM-AE) and the correlation parameter set is extracted using the Pearson correlation. A Latent Correlation Matrix (LCM) is created from the correlation parameter set and a Latent Correlation Vector (LCV) is derived from LCM. Based on the LCV, the method utilizes a Multivariate Gaussian Distribution (MGD) to identify anomalies. This is achieved through an anomaly detection module that incorporates a threshold mechanism, utilizing alpha and epsilon values. The proposed method utilizes a novel set of input features extracted using the Shapley Additive explanation (SHAP) framework to train and evaluate the MGD model. The method is evaluated on the Secure Water Treatment (SWaT), Hardware-in-the-loop-based augmented ICS security (HIL-HAI), and Internet of Things Modbus dataset using precision, recall, and F-1 score metrics. Additionally, SHAP is used to gain insights into the anomalies and identify their root causes. Comparative experiments demonstrate the method's effectiveness, achieving a better 0.96% precision and 0.84% F1-score. This enhanced performance aids ICS engineers and decision-makers in identifying the root causes of anomalies. Our code is publicly available at a GitHub repository: <jats:ext-link>https:\/\/github.com\/Ermiyas21\/Explainable-correlation-AD<\/jats:ext-link>.<\/jats:p>","DOI":"10.3389\/frai.2024.1508821","type":"journal-article","created":{"date-parts":[[2025,2,4]],"date-time":"2025-02-04T06:34:48Z","timestamp":1738650888000},"update-policy":"https:\/\/doi.org\/10.3389\/crossmark-policy","source":"Crossref","is-referenced-by-count":20,"title":["Explainable correlation-based anomaly detection for Industrial Control Systems"],"prefix":"10.3389","volume":"7","author":[{"given":"Ermiyas","family":"Birihanu","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Imre","family":"Lend\u00e1k","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1965","published-online":{"date-parts":[[2025,2,4]]},"reference":[{"key":"B1","first-page":"1","article-title":"\u201cEvaluation of machine learning algorithms for anomaly detection in industrial networks,\u201d","volume-title":"2019 IEEE International Symposium on Measurements & Networking (M&N)","author":"Bernieri","year":"2019"},{"key":"B2","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1109\/CITDS54976.2022.9914316","article-title":"\u201cProximity-based anomaly detection in securing water treatment,\u201d","volume-title":"2022 IEEE 2nd Conference on Information Technology and Data Science (CITDS)","author":"Birihanu","year":"2022"},{"key":"B3","doi-asserted-by":"crossref","first-page":"982","DOI":"10.1109\/BigData.2018.8622004","article-title":"\u201cCorrelated anomaly detection from large streaming data,\u201d","volume-title":"2018 IEEE International Conference on Big Data (Big Data)","author":"Chen","year":"2018"},{"key":"B4","doi-asserted-by":"crossref","first-page":"550","DOI":"10.1007\/978-3-319-11116-2_51","article-title":"\u201cLCAD: a correlation based abnormal pattern detection approach for large amount of monitor data,\u201d","volume-title":"Web Technologies and Applications: 16th Asia-Pacific Web Conference, APWeb 2014, Changsha, China, September 5\u20137, 2014. Proceedings 16","author":"Ding","year":"2014"},{"key":"B5","doi-asserted-by":"publisher","first-page":"106458","DOI":"10.1016\/j.compeleceng.2019.106458","article-title":"Real-time anomaly detection based on long short-term memory and gaussian mixture model","volume":"79","author":"Ding","year":"2019","journal-title":"Comput. Electr. Eng"},{"key":"B6","doi-asserted-by":"publisher","first-page":"36639","DOI":"10.1109\/ACCESS.2020.2975066","article-title":"A dual-isolation-forests-based attack detection framework for industrial control systems","volume":"8","author":"Elnour","year":"2020","journal-title":"IEEE Access"},{"key":"B7","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1109\/IINTEC.2018.8695276","article-title":"\u201cA survey of industrial control system devices on the internet,\u201d","volume-title":"2018 International Conference on Internet of Things, Embedded Systems and Communications (IINTEC)","author":"Guo","year":"2018"},{"key":"B8","doi-asserted-by":"publisher","first-page":"2231","DOI":"10.1109\/TNSE.2020.3027543","article-title":"Unsupervised anomaly detection in IoT systems for smart cities","volume":"7","author":"Guo","year":"2020","journal-title":"IEEE Trans. Netw. Sci. Eng"},{"key":"B9","unstructured":"Hanni\n              A.\n            \n          \n          Correlation-based Anomaly Detection in Time Series\n          \n          2020"},{"key":"B10","doi-asserted-by":"publisher","first-page":"1183","DOI":"10.1016\/j.ifacol.2022.09.550","article-title":"Explainable anomaly detection for industrial control system cybersecurity","volume":"55","author":"Hoang","year":"2022","journal-title":"IFAC-PapersOnLine"},{"key":"B11","doi-asserted-by":"publisher","first-page":"140470","DOI":"10.1109\/ACCESS.2021.3119573","article-title":"E-SFD: explainable sensor fault detection in the ICS anomaly detection system","volume":"9","author":"Hwang","year":"2021","journal-title":"IEEE Access"},{"key":"B12","doi-asserted-by":"crossref","first-page":"1058","DOI":"10.1109\/ICDMW.2017.149","article-title":"\u201cAnomaly detection for a water treatment system using unsupervised machine learning,\u201d","volume-title":"2017 IEEE International Conference on Data Mining Workshops (ICDMW)","author":"Inoue","year":"2017"},{"key":"B13","doi-asserted-by":"publisher","first-page":"1561","DOI":"10.3390\/s23031561","article-title":"Correlation-based anomaly detection in industrial control systems","volume":"23","author":"Jadidi","year":"2023","journal-title":"Sensors"},{"key":"B14","doi-asserted-by":"publisher","first-page":"119000","DOI":"10.1016\/j.ins.2023.119000","article-title":"An explainable deep learning-enabled intrusion detection framework in IoT networks","volume":"639","author":"Keshk","year":"2023","journal-title":"Inform. Sci"},{"key":"B15","doi-asserted-by":"publisher","first-page":"11604","DOI":"10.1109\/JIOT.2021.3130156","article-title":"A new explainable deep learning framework for cyber threat discovery in industrial IoT networks","volume":"9","author":"Khan","year":"2021","journal-title":"IEEE Internet Things J"},{"key":"B16","doi-asserted-by":"publisher","first-page":"6817","DOI":"10.1007\/978-3-031-17299-1","article-title":"Univariate normal distribution","volume":"3","author":"Koh","year":"2014","journal-title":"Encycl. Qual. Life Well-being Res"},{"key":"B17","doi-asserted-by":"publisher","first-page":"4756480","DOI":"10.1155\/2022\/4756480","article-title":"Correlation-based anomaly detection method for multi-sensor system","volume":"2022","author":"Li","year":"2022","journal-title":"Comput. Intell. Neurosci"},{"key":"B18","doi-asserted-by":"publisher","first-page":"100393","DOI":"10.1016\/j.ijcip.2020.100393","article-title":"A multilayer perceptron model for anomaly detection in water treatment plants","volume":"31","author":"MR","year":"2020","journal-title":"Int. J. Crit. Infrastruct. Protect"},{"key":"B19","doi-asserted-by":"publisher","first-page":"1583","DOI":"10.3390\/sym12101583","article-title":"Madics: a methodology for anomaly detection in industrial control systems","volume":"12","author":"Perales G\u00f3mez","year":"2020","journal-title":"Symmetry"},{"key":"B20","doi-asserted-by":"publisher","first-page":"4634","DOI":"10.1109\/TKDE.2022.3154166","article-title":"CSCAD: correlation structure-based collective anomaly detection in complex system","volume":"35","author":"Qin","year":"2022","journal-title":"IEEE Trans. Knowl. Data Eng"},{"key":"B21","doi-asserted-by":"publisher","first-page":"102055","DOI":"10.1016\/j.cose.2020.102055","article-title":"Deep autoencoders as anomaly detectors: method and case study in a distributed water treatment plant","volume":"99","author":"Raman","year":"2020","journal-title":"Comput. Secur"},{"key":"B22","doi-asserted-by":"publisher","first-page":"100172","DOI":"10.1016\/j.mlwa.2021.100172","article-title":"Explainable outlier detection: what, for whom and why?","volume":"6","author":"Sejr","year":"2021","journal-title":"Machine Learn. Appl"},{"key":"B23","unstructured":"\u201c{HAI} 1.0:{HIL-based} augmented {ICS} security dataset,\u201d\n          \n          \n            \n              Shin\n              H.-K.\n            \n            \n              Lee\n              W.\n            \n            \n              Yun\n              J.-H.\n            \n            \n              Kim\n              H.\n            \n          \n          13Th USENIX Workshop on Cyber Security Experimentation and Test (CSET 20)\n          \n          2020"},{"key":"B24","doi-asserted-by":"publisher","first-page":"102532","DOI":"10.1016\/j.cose.2021.102532","article-title":"Design-knowledge in learning plant dynamics for detecting process anomalies in water treatment plants","volume":"113","author":"Sung","year":"2022","journal-title":"Comput. Secur"},{"key":"B25","doi-asserted-by":"publisher","first-page":"137929","DOI":"10.1109\/ACCESS.2023.3339556","article-title":"LSTM-autoencoder based incremental learning for industrial internet of things","volume":"11","author":"Takele","year":"2023","journal-title":"IEEE Access"},{"key":"B26","doi-asserted-by":"crossref","DOI":"10.1007\/978-1-4613-9655-0","volume-title":"Fundamental Properties and Sampling Distributions of the Multivariate Normal Distribution","author":"Tong","year":"1990"},{"key":"B27","doi-asserted-by":"publisher","first-page":"100507","DOI":"10.1016\/j.jii.2023.100507","article-title":"Anomaly detection with a container-based stream processing framework for industrial internet of things","volume":"35","author":"Wang","year":"2023","journal-title":"J. Industr. Inform. Integr"},{"key":"B28","doi-asserted-by":"publisher","first-page":"131824","DOI":"10.1109\/ACCESS.2021.3112397","article-title":"Explainable unsupervised machine learning for cyber-physical systems","volume":"9","author":"Wickramasinghe","year":"2021","journal-title":"IEEE Access"},{"key":"B29","doi-asserted-by":"crossref","first-page":"78","DOI":"10.1109\/ICPHM.2017.7998309","article-title":"\u201cAdvanced correlation-based anomaly detection method for predictive maintenance,\u201d","volume-title":"2017 IEEE International Conference on Prognostics and Health Management (ICPHM)","author":"Zhao","year":"2017"},{"key":"B30","doi-asserted-by":"crossref","first-page":"302","DOI":"10.1109\/DDCLS49620.2020.9275097","article-title":"\u201cSensor correlation network based anomaly detection for thermal systems on ships,\u201d","volume-title":"2020 IEEE 9th Data Driven Control and Learning Systems Conference (DDCLS)","author":"Zheng","year":"2020"},{"key":"B31","doi-asserted-by":"publisher","first-page":"457","DOI":"10.1109\/TR.2021.3134369","article-title":"Unmanned aerial vehicle flight data anomaly detection and recovery prediction based on spatio -temporal correlation","volume":"71","author":"Zhong","year":"2021","journal-title":"IEEE Trans. Reliabil"},{"key":"B32","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1109\/ICPHM.2016.7542850","article-title":"\u201cAn improved correlation-based anomaly detection approach for condition monitoring data of industrial equipment,\u201d","volume-title":"2016 IEEE International Conference on Prognostics and Health Management (ICPHM)","author":"Zhong","year":"2016"}],"container-title":["Frontiers in Artificial Intelligence"],"original-title":[],"link":[{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/frai.2024.1508821\/full","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,2,4]],"date-time":"2025-02-04T06:34:55Z","timestamp":1738650895000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.frontiersin.org\/articles\/10.3389\/frai.2024.1508821\/full"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,2,4]]},"references-count":32,"alternative-id":["10.3389\/frai.2024.1508821"],"URL":"https:\/\/doi.org\/10.3389\/frai.2024.1508821","relation":{},"ISSN":["2624-8212"],"issn-type":[{"value":"2624-8212","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,2,4]]},"article-number":"1508821"}}