Detection of Cyber Attacks in Critical Infrastructure Systems Using Deep Learning Approaches

Abstract

Ensuring the security of industrial control systems (ICS) and cyber-physical systems (CPS) is increasingly challenging due to the integration of real-time data flows, interconnected sensors, and evolving cyber threats. This study presents a comparative evaluation of five deep learning architectures – CNN1D, CNN-LSTM, AE-CNN, GNN-CNN, and AutoGraph-TConv – across six heterogeneous datasets: SWaT, BATADAL, BoT-IoT, EUROPEC, MEDSEC, and MSCAD. Unlike many previous studies that focus on a single model or dataset, a unified benchmarking framework is employed to assess model generalizability across diverse ICS environments. The experimental pipeline incorporates standardized preprocessing, normalization, chronological data splitting, and multi-metric evaluation using Accuracy, Precision, Recall, F1-score, AUROC, and AUPRC. Results demonstrate that dataset characteristics significantly influence model performance. Reconstruction-based architectures, particularly AE-CNN, show greater effectiveness on physical-process datasets such as SWaT, while graph-temporal architectures provide superior performance on network-centric datasets. AE-CNN achieved the highest F1-score of 0.509 on SWaT, CNN1D achieved an F1-score of 0.620 on BATADAL, CNN-LSTM achieved an F1-score of 0.935 on EUROPEC, and graph-temporal models (AutoGraph-TConv and GNN-CNN) attained near-perfect performance (F1 ≈ 1.000) on BoT-IoT, MEDSEC, and MSCAD. The findings indicate that data separability and process complexity are key factors influencing anomaly detection performance. Rather than proposing a new architecture, this work provides a comprehensive benchmarking framework that clarifies the relationship between dataset characteristics and model suitability for ICS anomaly detection.