Detection of Cyber-Attacks in a Discrete Event System Based on Deep Learning

Abstract

This paper addresses the problem of cyber-attack detection in a discrete event system by proposing a novel model. The model utilizes graph convolutional networks to extract spatial features from event sequences. Subsequently, it employs gated recurrent units to re-extract spatio-temporal features from these spatial features. The obtained spatio-temporal features are then fed into an attention model. This approach enables the model to learn the importance of different event sequences, ensuring that it is sufficiently general for identifying cyber-attacks, obviating the need to specify attack types. Compared with traditional methods that rely on synchronous product computations to synthesize diagnosers, our deep learning-based model circumvents state explosion problems. Our method facilitates real-time and efficient cyber-attack detection, eliminating the necessity to specifically identify system states or distinguish attack types, thereby significantly simplifying the diagnostic process. Additionally, we set an adjustable probability threshold to determine whether an event sequence has been compromised, allowing for customization to meet diverse requirements. Experimental results demonstrate that the proposed method performs well in cyber-attack detection, achieving over $99.9\%$ accuracy at a $1\%$ threshold and a weighted F1-score of 0.8126, validating its superior performance.

1. Introduction

As a contemporary technology-intensive system with comprehensive computing and physical capabilities, a cyber–physical system (CPS) can coordinate computational and physical resources through three cutting-edge technologies of computing, communication, and control. CPSs have attracted much research interest due to their wide range of applications, such as autonomous driving, smart grids, nuclear power plants, and chemical processes. By the nature of a CPS (usually operating under a networked environment), it is vulnerable to malicious attacks from intruders who may want to extract critical information or interfere with the system to cause havoc, and ultimately in many cases this results in great financial losses, or even threatens human life. The detection of cyber-attacks under a CPS architecture is of particular importance. However, detecting and locating a cyber-attack swiftly and precisely is challenging due to the inherently intertwined nature of digital and physical components. Cyber-attack detection has received increasing attention in discrete event systems [1,2,3].

The research in [2,4,5] proposes methods to compute the probability of a reachable state by using a labeled continuous-time Markov model to develop a tool for quantitative assessment of the attack risk. Attack risk is considered from the attacker’s point of view, where the synthesis of system attack strategies modeled by a probabilistic automaton is addressed in [6]. Specifically, this method can quantify an attack strategy based on the probability of successfully reaching an unsafe state. A cyber-attack detection model is established by varying the input and output behavior of a plant through a permutation matrix that alters the transmitted signals to disrupt the attack and by comparing the observed behavior with the expected behavior of the system to detect cyber-attacks in [7]. Similarly, this particular study involves comparing observed behavior with expected behavior, but we distinguish the proposed approach by employing probabilistic methods to detect deviations at each step. Furthermore, to detect attacks, an attack dictionary needs to be constructed in advance and transformed into a classical state estimation problem or a fault diagnosis problem [8]. However, it is well known that attacks not included in the attack dictionary cannot be detected, presenting a significant limitation in these approaches.

The problem of state estimation in a timed probabilistic setting is studied in [2]. A procedure for computing an observer for the state probability of labeled continuous-time Markov models, treated as functions of time, is designed. It requires explicit information including the system states, the system events feasible at each state, and the time of the events triggered at each state. In our cyber-attack detection model, a timed probability setting is also used but not in continuous-time, to distinguish the sequence of event occurrences. The probability of an event occurrence is computed rather than the probability of the state in which the event occurs. In [9], an observer is introduced to detect cyber-attacks in a controller by using a hidden Markov model determining the likelihood of cyber-attacks in the controller. In this paper, we extend the detection algorithm by introducing deep learning-related methods to provide different ideas for attack detection.

In the context of discrete event systems (DESs), it is often crucial to evaluate the stealthiness of attacks and determine whether attack actions result in abnormal event sequences. The works presented in [10,11,12,13,14] address intrusion detection and mitigation under four primary attack types: actuator enablement attacks, actuator disablement attacks, sensor erasure attacks, and sensor insertion attacks. Traditional methods typically require the construction of a diagnoser based on attack dictionaries. These diagnosers distinguish attack types and estimate system states for precise cyber-attack detection by synthesizing the diagnoser’s automaton through synchronous product computations. These methods often struggle with state explosion problems, particularly in large-scale systems, which complicates real-time attack detection.

To address these issues, this research employs deep learning techniques [15] to develop a cyber-attack detection model through simulation and data-driven training, effectively addressing the challenges posed by large-scale DES applications. By integrating graph convolutional networks (GCNs) [16,17] with gated recurrent units (GRUs) [18,19,20], the proposed approach eliminates the dependency on traditional synchronous product computations for diagnoser synthesis, thereby avoiding the state explosion issue. Our model is capable of capturing spatio-temporal features from event sequences and leverages an attention model to enhance the learning of key information, resulting in improved accuracy and efficiency in attack detection.

Once trained, the proposed cyber-attack detection model requires only the input of an event sequence to efficiently assess whether the system has been compromised and to pinpoint the attacked event. Additionally, the developed model does not necessitate state estimation or differentiation between actuator and sensor attacks, significantly simplifying the design of cybersecurity strategies and supervisory control policies. Unlike the extensive existing research on cybersecurity within DES frameworks, this study introduces a novel approach. It focuses on extracting spatio-temporal features from event sequences to evaluate potential cyber-attacks and detect anomalous events, offering a fresh perspective and methodology for cyber-attack detection. Therefore, this research not only enhances the efficiency of attack detection but also introduces an expandable and efficient technological route for safety studies of DESs. This innovative application of deep learning addresses the traditional challenges encountered in DES cybersecurity studies.

This research is motivated by the prediction problem of intelligent transportation systems, which also exhibit spatio-temporal dependence as described in [21,22]. Cyber-attack detection within the framework of DESs is a challenging yet intriguing topic in the control and automation community. In this research, we explore the spatial features of system behaviors, which are crucial for detecting cyber-attacks targeting a controller, as demonstrated in [9]. Considering that our model is based on an automaton capable of performing tasks such as node classification [23], node prediction [24,25], link prediction [26,27], and clustering at the graph level, we employ graph neural network methods to detect and localize cyber-attacks. Furthermore, as real-world systems under DESs can be abstracted into numerous nodes and edges, graph convolution is naturally employed for feature extraction. This graph convolution process includes the application of filters to perform weighted and normalized aggregation of nodes and edges features.

The paper is organized as follows. Section 2 introduces the preliminaries and Section 3 describes the methodology of the cyber-attack detection models. Section 4 is an experimental study, where a cyber-attack detection model is obtained for quantitative analysis by training a sequence of events generated by a virtually constructed deterministic automaton model. Section 5 concludes this paper.

2. Preliminaries

This section defines a probabilistic discrete event system (PDES) generating event sequences that serve as the input to a cyber-attack detection model. The cyber-attack detection model consists of a graph convolutional network model, a gated recurrent unit model, an attention model, and a focal loss function. This section focuses on the notion of a probabilistic automaton that models a probabilistic DES.

Definition 1. 

A deterministic finite probabilistic automaton (DFPA) is a six-tuple

$$G=(Q,\Sigma ,\delta ,q_0,Q_m,\rho ),$$

where Q is a finiteset of states, Σ is a finite set of events, $\delta :Q\times \Sigma \to Q$ is a partial transition function, $q_0\in Q$ is an initial state, $Q_m\subseteq Q$ is a set of marker states, and $\rho :Q\times \Sigma \to [0,1]$ is a state-wise event probability distribution. Given a state $q\in Q$ and an event $e\in \Sigma$, $\rho (q,e)$ indicates the firing probability of e from q such that $\rho (q,e)=0$ if $\delta (q,e)$ is not defined and $\rho (q,e)>0$ if $\delta (q,e)$ is defined, denoted by $\delta (q,e)!$. The set of events enabled at a state $q\in Q$ is defined as $En\left(q\right)=\{e\in \Sigma |\rho (q,e)>0\}$ with ${\sum }_{e\in En\left(q\right)}\rho (q,e)\le 1$.

Let ${\Sigma }^{\ast }$ denote the set of all finite strings s over $\Sigma$, including the empty string $\epsilon$. The transition function can be extended to $\delta :Q\times {\Sigma }^{\ast }\to Q$ [28] by defining $\delta (q,\epsilon )=q$ and $\delta (q,s\sigma )=\delta \left(\delta \right(q,s),\sigma )$, for $q\in Q$, $s\in {\Sigma }^{\ast }$ and $e\in \Sigma$, where $\delta (q,s)$ and $\delta \left(\delta \right(q,s),e)$ are both defined. Given a state $q\in Q$ and a string $s\in {\Sigma }^{\ast }$, write $\delta (q,s)!$ if $\delta$ is defined for the string s at the state q.

A DFPA G is non-terminating if for all reachable states $q\in Q$, ${\sum }_{\sigma \in \Sigma }\rho (q,\sigma )=1$, while G is said to be terminating if there exists at least one state q such that ${\sum }_{\sigma \in \Sigma }\rho (q,\sigma )<1$ [28]. Upon entering a state q, the probability that the system terminates at that state is $1-{\sum }_{\sigma \in \Sigma }\rho (q,\sigma )$. In this paper, only non-terminating DFPAs are considered. The language generated by a DFPA $G=(Q$, $\Sigma$, $\delta$, $q_0$, $Q_m$, $\rho )$ is defined as $L\left(G\right)=\{s\in {\Sigma }^{\ast }|\delta (q_0,s)!\}$ [28], its marked language is defined as $L_m\left(G\right)=\{s\in {\Sigma }^{\ast }|\delta (q_0,s)\in Q_m\}$, and the probabilistic language generated by G is defined as

$$L_{\rho }\left(G\right)\left(\epsilon \right)=1$$

$$L_{\rho }\left(G\right)\left(s\sigma \right)=\left\{\begin{array}{cc}{L}_{\rho }\left(G\right)\left(s\right)\times \rho (\delta (q_0,s),\sigma )\hfill & \mathrm{if}\delta (q_0,s)!,\hfill \\ 0\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Informally, $L_{\rho }\left(G\right)\left(s\right)$ is the probability of the string s generated by G. We have $L_{\rho }\left(G\right)\left(s\right)>0$ iff $s\in L\left(G\right)$ holds.

Example 1. 

As shown in Figure 1, $G=(Q$, Σ, δ, $q_0$, $Q_m,\rho )$ is a DFPA with $\Sigma =\{a,b,c,d\}$ and $Q_m=\left\{q_1\right\}$, where $q_1$ is double-cycled. The evaluation of the probability distribution ρ of the events in G is represented by the number immediately following each event. For instance, edge $\stackrel{a:0.6}{\to }$ exiting from state $q_0$ indicates that the probability of event a occurs at state $q_0$ is $0.6$, i.e., for all $s\in {\Sigma }^{\ast }$, if there exists a state $q\in Q$ such that $\delta (q,s)=q_0$, then $\rho \left(\delta \right(q,s),a)=0.6$ holds. For example, given a string $s\sigma =cdcda$ with $\sigma =a$, the probability of generating $s\sigma$ from $q_0$ is $L_{\rho }\left(G\right)\left(s\sigma \right)=\rho (q_0,c)\times \rho (q_2,d)\times \rho (q_0,c)\times \rho (q_2,d)\times \rho (q_0,a)=0.4\times 0.2\times 0.4\times 0.2\times 0.6=0.00384$.

In addition, the event set is divided into two disjoint subsets based on the sensor deployment of a system, i.e., $\Sigma ={\Sigma }_o\cup {\Sigma }_{uo}$, where ${\Sigma }_o$ is the set of observable events and ${\Sigma }_{uo}$ is the set of unobservable events. This event partition leads to the definition of a natural projection function $P_o:{\Sigma }^{\ast }\to {\Sigma }_o^{\ast }$ defined as follows. Given $s\in {\Sigma }^{\ast }$ and $\sigma \in \Sigma$,

$$P_o\left(\epsilon \right)=\epsilon \mathrm{and}{P}_o\left(s\sigma \right)=\left\{\begin{array}{cc}{P}_o\left(s\right)\sigma \hfill & \mathrm{if}\sigma \in {\Sigma }_o\hfill \\ P_o\left(s\right)\hfill & \mathrm{if}\sigma \in {\Sigma }_{uo}\hfill \end{array}\right..$$

Example 2. 

Consider again the DFPA G in Figure 1. Suppose that ${\Sigma }_o=\{a,b,d\}$ and ${\Sigma }_{uo}=\left\{c\right\}$. If $s=c$, we have $P_o\left(s\right)=\epsilon$; if $s=cdcda$, it follows that $P_o\left(s\right)=\epsilon d\epsilon da=dda$.

3. Methodology

In this research, we record the event sequences in a DFPA to form the feature vectors of these event sequences that serve as the input of deep learning so as to obtain the spatial features of events through a graph convolutional network (GCN). Then, the features derived from the GCN are used as the input of the GRU to find the spatio-temporal features, which are subsequently processed by the attention model, making the model able to distinguish the importance of multiple event combinations. Finally, the output of the attention model is mapped to all the defined events of the system by the Softmax function, in order to obtain the probability of occurrence of any event in the system. The schematic of this methodology is shown in Figure 2. Specifically, the system can detect the types and locations of events, where an attack exists in a finite number of steps by setting a probability threshold. In what follows, let ${\mathbb{N}}_{+}$ be the set of all positive integers.

3.1. Problem Definition

Definition 2. 

Given $w\in L\left(G\right)$, $s_{net}=P_o\left(w\right)\in {\Sigma }_o^{\ast }$ is called an observation of G. The observable language of G is a collection of all of its observations, i.e., $L_o\left(G\right)=\{s_{net}\in {\Sigma }_o^{\ast }\mid \exists w\in L\left(G\right):s_{net}=P_o\left(w\right)\}$.

Given an observation $s_{net}={\sigma }_1{\sigma }_2\dots {\sigma }_n$ (${\sigma }_i\in {\Sigma }_o$ for all $i=1,2,\dots ,n$) and $m\le n$, it is divided into multiple equal-length subsequences $s_1={\sigma }_1{\sigma }_2\dots {\sigma }_m$, $s_2={\sigma }_2{\sigma }_2\dots {\sigma }_{m+1}$ …, $s_k={\sigma }_{n-m+1}{\sigma }_{n-m}\dots {\sigma }_n$ for some $k\in \mathbb{N}$, where the length of each subsequence is m. In other words, the t-th subsequence of $s_{net}$ starts with ${\sigma }_t$ and ends with ${\sigma }_{m+t-1}$ given $s_{net}={\sigma }_1{\sigma }_2\dots {\sigma }_n$. To facilitate the development of the methodology proposed in the research, we transform an observation subsequence into a directed graph called an event-graph.

Definition 3. 

Given an observation subsequence $s={\sigma }_1{\sigma }_2\dots {\sigma }_m$, a directed graph associated with s, denoted by $G\left(s\right)=(V,E)$, is said to be an event-graph if $V=\{{\sigma }_1,{\sigma }_2,\dots ,{\sigma }_m\}$ is the set of nodes and $E=\{({\sigma }_i,{\sigma }_{i+1})\mid i\in \{1,2,\dots ,m-1\}\}$ is the set of edges.

As defined, an event-graph derived from an observation subsequence $s={\sigma }_1{\sigma }_2\dots {\sigma }_m$ is actually a path starting from node ${\sigma }_1$ and ending with ${\sigma }_m$, as schematically demonstrated in Figure 3. Given a finite number of event-graphs $G\left(s_1\right)$, $G\left(s_2\right)$, …, $G\left(s_h\right)$, let $G_{\mathrm{seq}}$ be the sequence of the event-graphs, denoted by $G_{\mathrm{seq}}=G\left(s_1\right)G\left(s_2\right)\dots G\left(s_h\right)$. By a slight abuse of notation, write $G\left(s_t\right)\in G_{\mathrm{seq}}$ if $G\left(s_t\right)$ is in $G_{\mathrm{seq}}$, $t=1,2,\dots ,h$. This research collects a group of event-graphs as a block as shown in Figure 4 in order to accurately estimate the occurrence probability of an event and furthermore to predicate the detection accuracy of cyber-attacks.

Given $\Delta \in {\Sigma }_o^{\ast }$, it is said be to a full observation permutation if $|\Delta |=|{\Sigma }_o|$ and for all $\sigma \in \Sigma$, $\sigma \in \Delta$, i.e., every symbol in ${\Sigma }_o$ appears once in $\Delta$. For ${\Sigma }_o$, its full observation permutations are not unique. One trivial possibility is to produce such a permutation in lexicographical ordering. Let $\Delta \left[i\right]$ denote the i-th element in $\Delta$ and let us fix a full observation permutation $\Delta$. Then, $W(\Delta [i\left]\right)=i$ is called the feature value of element $\Delta \left[i\right]$ of the fixed $\Delta$, where $i\in \{1,2,\dots ,|{\Sigma }_o\left|\right\}$. Analogously, given an observation $s\in {\Sigma }_o^{\ast }$, $s\left[i\right]$ denotes its i-th element.

Definition 4. 

The feature vector of an event-graph $G\left(s\right)$, $\left|s\right|=m$, with respect to a fixed full observation permutation Δ is defined as an m-dimensional vector $X\left(s\right)=[x_1,x_2,\dots ,x_m]$ for which $x_i=W(\Delta \left[j\right])$ if $s\left[i\right]=\Delta \left[j\right]$, where $i\in \{1,2,\dots ,m\}$ and $j\in \{1,2,\dots ,|{\Sigma }_o\left|\right\}$. In $X\left(s\right)$, $x_i$ is said to be the vertex feature of $s\left[i\right]$.

Given a finite number of feature vectors $X\left(s_1\right)$, $X\left(s_2\right)$, …, $X\left(s_h\right)$, let $X_{\mathrm{seq}}$ be the sequence of the vertex features, denoted by $X_{\mathrm{seq}}=X\left(s_1\right)X\left(s_2\right)\dots X\left(s_h\right)$. By a slight abuse of notation, write $X\left(s_t\right)\in X_{\mathrm{seq}}$ if $X\left(s_t\right)$ is in $X_{\mathrm{seq}}$, $t=1,2,\dots ,h$, where t can also be understood as a time step.

Example 3. 

Consider the DFPA G in Figure 1 with ${\Sigma }_o=\{a,b,d\}$. Obviously, $s_{net}=ddda$ is an observation of G. Let $m=3$. Then, $s_{net}$ can be divided into two subsequences $s_1=ddd$ and $s_2=dda$. Fix $\Delta =adb$, i.e., $\Delta \left[1\right]=a$, $\Delta \left[2\right]=d$, and $\Delta \left[3\right]=b$. We have $W(\Delta [1\left]\right)=1$, $W(\Delta [2\left]\right)=2$, and $W(\Delta [3\left]\right)=3$. By the definition of the feature vector of an event-graph, $X\left(s_1\right)=[2,2,2]$ and $X\left(s_2\right)=[2,2,1]$.

Given an event-graph $G\left(s\right)$, an m-dimensional vector is assigned to store all the vertex information in the graph; a two-dimensional array is defined to show the incidence relationship between vertices, which is called the adjacency matrix of $G\left(s\right)$.

Definition 5. 

The adjacency matrix of an event-graph $G\left(s\right)=(V,E)$ is defined as

$$A_s[i,j]=\left\{\begin{array}{cc}1\hfill & \mathrm{if}({\sigma }_i,{\sigma }_j)\in E;\hfill \\ 0\hfill & \mathrm{if}({\sigma }_i,{\sigma }_j)\notin E.\hfill \end{array}\right.$$

where $i,j\in \{1,2,\dots ,|s\left|\right\}$.

By definition, the event-graphs of any two divided observation subsequences are isomorphic and thus they share the same adjacency matrices. For $G\left(s\right)$, its adjacency matrix $A_s$ and feature vector $X\left(s\right)$ serve as the inputs to a GCN, which aggregates and updates the features of each vertex in $G\left(s\right)$. Then, as shown in Figure 2, a block consisting of I event-graphs that are separately processed by corresponding GCNs and GRUs is considered as the input to an attention model. For simplicity, suppose that the whole process is represented by a function g obtained by deep learning, which expresses the spatial correlation of each event-graph and the temporal relationship of the I event-graphs. By doing so, it provides a possibility to predict the future T event-graphs’ features, represented by

$$\begin{array}{cc}\hfill & [X\left(s_t\right),...,X\left(s_{t+T}\right)]\hfill \\ \hfill & =g(A_s,(X\left(s_{t-I}\right),...,X\left(s_{t-2}\right),X\left(s_{t-1}\right))).\hfill \end{array}$$

(1)

Note that T is the length of the predicted event-graphs.

3.2. Methodology Overview

This paper proposes a novel method for detecting whether a PDES is subject to attacks by a cyber-attacker (sometimes called an intruder), as well as detecting the location of the attacked events. By observing the evolution of a DFPA, an observable event sequence $s_{net}$ is obtained, which is divided into multiple observation subsequences with the same length. For any observation subsequence s, its feature vector $X\left(s\right)$ and adjacency matrix $A_s$ are fed to a GCN and then a GRU. We denote the output of each GRU as a feature matrix. Then, we input I feature matrices, which are the output of I GRUs into an attention model, as shown in Figure 2. After being processed by an attention model, they are input to a multi-layer perceptron fusion and adjusted to a new feature vector as output. This output is compared with the $X\left(s\right)$ of the $(I+1)$-th feature vector, i.e., $X\left(s_t\right)$ in Figure 2; a loss function is used to measure the difference between the output and the feature vector of next observation subsequence. Such a computing procedure is then back-propagated to optimize the related parameters in our cyber-attack detection model to obtain a more accurate output in the following iteration.

3.3. Spatial Correlation Model

The exploration of spatial correlation features of event-graphs is critical as the correlation information hidden in the event-graphs is particularly interesting and useful, as to be exposed in what follows. A GCN model constructs a filter in the Fourier domain and acts on the vertices of a graph. The spatial correlation features between the vertices are obtained through the first-order neighborhood of the graph. Then, the GCN model is built by stacking multiple convolutional layers [19], which is defined as

$$X{\left(s_t\right)}^{(l+1)}=ReLU\left({\tilde{D}}^{-{\displaystyle \frac{1}{2}}}\widetilde{A_s}{\tilde{D}}^{-{\displaystyle \frac{1}{2}}}X{\left(s_t\right)}^{\left(l\right)}{W}^{\left(l\right)}\right)$$

(2)

where $X{\left(s_t\right)}^{\left(l\right)}$ is a feature vector input of the $(l+1)$-th GCN layer, $X{\left(s_t\right)}^{(l+1)}$ is the feature vector output of the $(l+1)$-th GCN layer, $\widetilde{A_s}=A_s+I_N$ is an adjacency matrix of the graph with self-loops added, $I_N$ is an identity matrix with appropriate dimensions, $\tilde{D}$ is a degree matrix with $\tilde{D}[i,i]={\sum }_j\widetilde{A_s}[i,j]$ and $\tilde{D}[i,j]=0$ for $i\ne j$, and $W^{\left(l\right)}$ is a weight matrix (with appropriate dimensions) of this GCN layer. We use $ReLU$ to denote an activation function. Specifically, given a vector $V=[v_1,v_2,\dots ,v_m]$, $ReLU\left(V\right)=[ReLU\left(v_1\right),ReLU\left(v_2\right),\dots ,ReLU\left(v_m\right)]$ and $ReLU\left(v_i\right)$ is defined as

$$ReLU\left(v_i\right)=\left\{\begin{array}{cc}{v}_i\hfill & \mathrm{if}{v}_i\ge 0\mathrm{for}i=1,2,...,m;\hfill \\ 0\hfill & \mathrm{if}{v}_i<0\mathrm{for}i=1,2,...,m.\hfill \end{array}\right.$$

(3)

By a slight abuse of notation, write $v_i\in V$, if $v_i$ is an entry of V, $i\in \{1,2,\dots ,m\}$.

The operation of a multi-layer GCN is shown in Equation (2). In our GCN model, a two-layer GCN is selected to obtain spatial correlation features, which is defined as

$$f(A_s,X\left(s_t\right))=\widehat{A}ReLU\left(\widehat{A}X\left(s_t\right)W_0\right)W_1$$

(4)

where $\widehat{A_s}={\tilde{D}}^{-{\displaystyle \frac{1}{2}}}\widetilde{A_s}{\tilde{D}}^{-{\displaystyle \frac{1}{2}}}$, $f(A_s,X\left(s_t\right))\in {\mathbb{R}}^{m\times T}$ is the output of feature vectors of T event-graphs, $W_0\in {\mathbb{R}}^{m\times w_h}$ is a weight matrix from an input layer to a hidden layer with m being the number of elements in the feature vector $X\left(s_t\right)$, $w_h$ is the number of hidden units, and $W_1\in {\mathbb{R}}^{w_h\times T}$ is a weight matrix from the hidden layer to an output layer.

The basic idea of a GCN is to average a graph’s neighboring features (including itself) and then pass them into linear layers (linear combination of inputs and weight matrices). The topological relationship between vertices and adjacent vertices on the event-graph $G\left(s_t\right)$ is based on the GCN model. Thus, the spatial correlation features of $G\left(s_t\right)$ is obtained.

Example 4. 

Given an event sequence $s_t={\sigma }_3{\sigma }_5{\sigma }_1{\sigma }_4{\sigma }_2$, the event-graph $G\left(s_t\right)=(V,E)$ constructed by $s_t$ contains five vertices and four edges, which is shown in Figure 5, where $V=\{{\sigma }_1,{\sigma }_2,{\sigma }_3,{\sigma }_4,{\sigma }_5\}$ is a set of vertices. Then, the feature vector of this event sequence is defined as $X\left(s_t\right)=[3,5,1,4,2]$, if a full observation permutation $\Delta ={\sigma }_3{\sigma }_5{\sigma }_1{\sigma }_4{\sigma }_2$ is fixed. We show the computational procedure of $\widehat{A_s}$ as follows.

The adjacency matrix $A_s$, the identity matrix $I_N$, and the new adjacency matrix $\tilde{A}$ are, respectively:

$$\begin{array}{cc}{A}_s=\left(\begin{array}{ccccc}0& 0& 0& 1& 1\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\\ 1& 1& 0& 0& 0\\ 1& 0& 1& 0& 0\end{array}\right),& I_N=\left(\begin{array}{ccccc}1& 0& 0& 0& 0\\ 0& 1& 0& 0& 0\\ 0& 0& 1& 0& 0\\ 0& 0& 0& 1& 0\\ 0& 0& 0& 0& 1\end{array}\right),\end{array}$$

$$\widetilde{A_s}=A_s+I_N=\left(\begin{array}{ccccc}1& 0& 0& 1& 1\\ 0& 1& 0& 1& 0\\ 0& 0& 1& 0& 1\\ 1& 1& 0& 1& 0\\ 1& 0& 1& 0& 1\end{array}\right).$$

The new degree matrix $\tilde{D}$ is:

$$\tilde{D}=\left(\begin{array}{ccccc}3& 0& 0& 0& 0\\ 0& 2& 0& 0& 0\\ 0& 0& 2& 0& 0\\ 0& 0& 0& 3& 0\\ 0& 0& 0& 0& 3\end{array}\right).$$

We compute ${\tilde{D}}^{-{\displaystyle \frac{1}{2}}}$ from the degree matrix $\tilde{D}$:

$${\tilde{D}}^{-{\displaystyle \frac{1}{2}}}=\left(\begin{array}{ccccc}1/\sqrt{3}& 0& 0& 0& 0\\ 0& 1/\sqrt{2}& 0& 0& 0\\ 0& 0& 1/\sqrt{2}& 0& 0\\ 0& 0& 0& 1/\sqrt{3}& 0\\ 0& 0& 0& 0& 1/\sqrt{3}\end{array}\right).$$

Normalize all rows and columns by $\widehat{A_s}={\tilde{D}}^{-{\displaystyle \frac{1}{2}}}\tilde{A}{\tilde{D}}^{-{\displaystyle \frac{1}{2}}}$ (approximate to four decimal places):

$$\widehat{A_s}=\left(\begin{array}{ccccc}0.3333& 0& 0& 0.3333& 0.3333\\ 0& 0.5000& 0& 0.4082& 0\\ 0& 0& 0.5000& 0& 0.4082\\ 0.3333& 0.4082& 0& 0.3333& 0\\ 0.3333& 0& 0.4082& 0& 0.3333\end{array}\right).$$

The basic idea of a GCN is to average a graph’s neighboring features (including itself) and then pass them into linear layers (linear combination of inputs and weight matrices). The topological relationship between vertices and adjacent vertices on the event-graph $G\left(s_t\right)$ is based on the GCN model. Thus, the spatial correlation features of $G\left(s_t\right)$ is obtained. The obtained matrix $\widehat{A_s}$ is the essence of a GCN model, and then $\widehat{A_s}$ can be brought into Equation (4) to compute a two-layer GCN model, as shown in Figure 6. After the spatial correlation features of the event-graph composed of the event sequence are extracted by the GCN, the cyber-attack detection model further recognizes the structure of the DFPA by computing the temporal correlation features of these event-graphs. We can choose the GRU to extract the temporal correlation features of the event-graphs.

3.4. Temporal Correlation Model

The GRU is a kind of recurrent neural network, which is proposed to solve problems such as long-term memory and gradients in back-propagation [19]. To better describe the use of temporal correlation features in our cyber-attack detection model, given a vertex feature sequence $X_{\mathrm{seq}}$, let a vertex feature subsequence $X\left(s_{t-I}\right)\dots X\left(s_{t-2}\right)X\left(s_{t-1}\right)\in X_{\mathrm{seq}}$ be the input into the GCN model to obtain a sequence of corresponding outputs $f(A_s,X\left(s_{t-I}\right))\dots f(A_s,X\left(s_{t-2}\right))f(A_s,X\left(s_{t-1}\right))$, which is written as $F_{\mathrm{seq}}$. By a slight abuse of notation, write $f(A_s,X\left(s_i\right))\in F_{\mathrm{seq}}$ if $i\in \{t-1,t-2,\dots ,t-I\}$. Moreover, we tentatively express the output of each GRU as a feature matrix. Given a sequence $F_{\mathrm{seq}}$ as input, our GRU model can process each function sequentially and generate a corresponding feature matrix as the output. Each output is passed to the next $f(A_s,X\left(s_i\right))$ for $i\in \{t-1,t-2,\dots ,t-I\}$ to compute the next output of a GRU. This is an iterative process. For instance, $f(A_s,X\left(s_{t-I}\right))$ serves as an input to the GRU and its output will be used as the input to the GRU together with $f(A_s,X\left(s_{t-I+1}\right))$ to compute a new feature matrix. In this way, our cyber-attack detection model has temporal correlation features. Each feature matrix extracts the features of a function sequence $F_{\mathrm{seq}}$, which also means that our GRU model can integrate the temporal correlation features of the event-graphs of I groups in $G_{\mathrm{seq}}$ like it has memories of past event-graphs. A feature matrix is also said to be a hidden state and the hidden state is denoted as $h_t$. The subscript t corresponds to notation t in $X\left(s_t\right)$ and has an ordering relation inherited from $X_{\mathrm{seq}}$. The subscript t can also reflects a temporal sequential relation. Thus, t can also be thought of as a time step; thus $h_{t-1}$ is a hidden state at time step $t-1$.

In the GRU model, we need two kinds of activation functions: Sigmod and Tanh, which are, respectively, defined as follows,

$$Sig\left(a_{ij}\right)={\displaystyle \frac{1}{1+e^{-a_{ij}}}},$$

(5)

$$tanh\left(b_{ij}\right)={\displaystyle \frac{e^{b_{ij}}-e^{-b_{ij}}}{e^{b_{ij}}+e^{-b_{ij}}}},$$

(6)

where $a_{ij}$ is the element of the i-th row and j-th column of a matrix A as the input of a Sigmod function, and $b_{ij}$ is the element of the i-th row and j-th column of a matrix B as the input of a Tanh function.

The GRU model has two gates and a candidate hidden state: one gate is an “update gate”, and the other is a “reset gate”. The update gate is responsible for determining the relative weight between a previous hidden state and a current input by employing an activation function. Its output is a value matrix which governs the extent of the hidden state influenced by the previous hidden state. The reset gate controls the fusion between the previous hidden state and the current input. It assists in deciding which historical information is discarded and which is retained. We define the specific operational steps of the GRU model as:

$$u_t=Sig(W_u\ast [f(A_s,X\left(s_t\right)),h_{t-1}]+b_u)$$

(7)

$$r_t=Sig(W_r\ast [f(A_s,X\left(s_t\right)),h_{t-1}]+b_r)$$

(8)

$$c_t=tanh(W_c\ast [f(A_s,X\left(s_t\right)),(r_t\ast h_{t-1})]+b_c)$$

(9)

$$h_t=u_t\ast h_{t-1}+(1-u_t)\ast c_t$$

(10)

where $u_t$ is the update gate; $r_t$ is the reset gate; $c_t$ is the candidate hidden state at time t of the GRU model; $f(A_s,X\left(s_t\right))$ is the output of the GCN model as shown in Equation (4); weight matrices $W_u$, $W_r$, and $W_c$ are generated by random initialization in the update gate, reset gate, and computational candidate hidden state process, respectively; deviations $b_u$, $b_r$, and $b_c$ are generated by random initialization in the update gate, reset gate, and computational candidate hidden state process, respectively; $h_t$ is the hidden state of an output at time step t; and $[·,·]$ is an operation that executes concatenation vertically on matrices along rows. To concatenate matrices, they must have compatible dimensions. In other words, when we concatenate matrices vertically, they must have the same number of columns. Such a vertical concatenation operation is denoted by $[·,·]$ or $Cat(·,·)$. As an illustration, given two matrices A and B, are:

$$A=\left(\begin{array}{cc}{a}_1& a_2\\ a_3& a_4\end{array}\right),B=\left(\begin{array}{cc}{b}_1& b_2\\ b_3& b_4\\ b_5& b_6\end{array}\right).$$

Then, the vertical concatenation of A and B is

$$F={\left(\begin{array}{ccccc}{a}_1& a_3& b_1& b_3& b_5\\ a_2& a_4& b_2& b_4& b_6\end{array}\right)}^T,$$

i.e., F is a matrix by operating the vertical concatenation.

The GRU model computes a hidden state $h_t$ based on the previous hidden state $h_{t-1}$ as input. The computation expressed by Equations (7)–(10) is diagrammatically shown in Figure 7, where ⊙ represents the multiplication of the corresponding elements of matrices. The process of using our GRU model is shown in Figure 8, and the whole process of combining GCN and GRU is shown in Figure 9. Due to the two gates and the candidate hidden state, the GRU model retains the changing trend of the occurrence features of historical event-graphs when capturing the function f’s. Therefore, this GRU model can extract dynamic time-varying features. Namely, the GRU model is introduced in our research to learn the temporal correlation features of the occurrences of the events. The features obtained through the GRU model can be applied to an attention model to calculate attention scores. The attention model assesses the degree to which features deserve to receive more attention and then increases the weight coefficient of $h_t$. The attention model is introduced as below.

3.5. Attention Model

An attention model is usually divided into soft attention and hard attention. In the case of a hard attention model, only the representation of a selected position is transmitted or utilized, whereas in a soft attention model, the representations of all positions are weighted and summed up. In this research, a soft attention model is assigned to learn the weight coefficient of $h_t$, which expresses the trends of event-graphs evolution [22].

The primary motivation for introducing the attention model is to enhance the model’s ability to focus on relevant features across different time steps, thereby improving its generalization capability. In this study, the event sequences in DESs may contain complex dependencies, and not all events contribute equally to predicting the next event. The attention model allows the model to assign different weights to the hidden states, thus emphasizing the most critical events in the sequence. This selective focus is crucial for accurately predicting the occurrence probability of future events, which is the main goal of our cyber-attack detection model.

Given a finite number of hidden states $h_{t-I},\dots ,h_{t-2},h_{t-1}$, the vertical concatenation of the hidden states called an integrated feature $H_{t-I}$ is defined as $H_{t-I}=Cat(h_{t-I},...,h_{t-2},h_{t-1})={[h_{t-I},...,h_{t-2},h_{t-1}]}^T$, where $Cat$ is an operation that executes the vertical concatenation defined previously. An attention scoring function is designed to compute the score (weight) of each hidden state by a multi-layer perceptron. Let us provide an explanation of the multi-layer perceptron. Multi-layer perceptron is a neural network model composed of multiple neurons organized in a hierarchical structure. Through training and adjusting the connection weights between neurons, multi-layer perceptron can learn and solve data prediction problems; thus each hidden state’s attention score is considered as a discrete neuron. The attention scoring function by a multi-layer perceptron is defined as

$$[e_{t-I},...,e_{t-2},e_{t-1}]=w_{\left(2\right)}(w_{\left(1\right)}{H}_{t-I}+b_{\left(1\right)})+b_{\left(2\right)}$$

(11)

where $[e_{t-I},\dots ,e_{t-2},e_{t-1}]$ is a vector composed of the attention scores of I hidden states, with $e_i$ ($i\in \{t-I,\dots ,t-2,t-1\}$) being the attention score of a hidden state representing the importance of this hidden state at time step i; weight matrices $w_{\left(1\right)}$ and $w_{\left(2\right)}$ are generated by random initialization in the first and the second linear layers of the multi-layer perceptron, respectively; deviations $b_{\left(1\right)}$ and $b_{\left(2\right)}$ are generated by random initialization in the first and the second linear layers of the multi-layer perceptron, respectively; and $H_{t-I}$ is an integrated feature matrix. Afterward, the output of the attention score function is calculated by the Softmax function, defined as

$${\alpha }_i={\displaystyle \frac{exp\left(e_i\right)}{{\sum }_{k=i-I}^{i-1}exp\left(e_k\right)}}$$

(12)

where $exp\left(·\right)$ is an exponential operation, I is the number of hidden states, and ${\alpha }_i$ is the output of the Softmax function that is a normalization of $e_i$, called a normalized attention score.

More specifically, given a finite number of hidden states $h_{t-I},\dots ,h_{t-2},h_{t-1}$, let $H_{\mathrm{seq}}$ be the sequence of the hidden states, denoted by $H_{\mathrm{seq}}=h_{t-I}\dots h_{t-2}{h}_{t-1}$. Our goal is to more accurately predict the occurrence probability of various events in the next time step, and this weight coefficient reflects how much a hidden state can contribute to the accuracy of our prediction goal in its corresponding $H_{\mathrm{seq}}$. Then, we use the attention score function computing each hidden state’s attention score, which can be understood as a weight coefficient of importance about a prediction target in $H_{\mathrm{seq}}$ (Equation (11)). To facilitate the subsequent calculations, the normalized attention scores are obtained by normalizing using the Softmax function; see Equation (12).

Finally, the attention model is designed to cover a context vector C that reflects the global information of a hidden state sequence $H_{\mathrm{seq}}$. The context vector C is defined as

$$C=\sum _{i-I}^{i-1}{\alpha }_i\ast h_i$$

(13)

where C is a globally I-accumulated vector (context vector), ${\alpha }_i$ is the output of the Softmax function at time step i, $i\in \{t-I,\dots ,t-2,t-1\}$, and $h_i$ is a hidden state at time step i. The whole process is shown in Figure 10.

3.6. Loss Function

The event labels as features to construct a dataset from a DFPA may be relatively uneven; there may exist samples that are difficult to classify and samples that are easy to classify. The focal loss improves the accuracy of predicting the labels of the events in our cyber-attack detection model by slightly modifying the cross-entropy [29]. Consequently, the focal loss is assigned as a loss function to complete the classification task of our cyber-attack detection model. Given a parameter $p_f\in [0,1]$ [29] as an intermediate element that expresses the predicted probability in an output matrix processed by the Softmax function, the focal loss function $Fl$ is defined as

$$Fl\left(p_f\right)=-\sum _{f=1}^O{(1-p_f)}^{l}log\left(p_f\right)$$

(14)

where O is the number of event labels in samples, f is the event label of a sample, and l is the hyperparameter, called a focus parameter. In fact, the larger the focus parameter, the more significant the difference between the difficulty and easiness to classify samples. Specifically, when the focus parameter is set to 0, the loss function degenerates to a cross-entropy loss.

3.7. Cyber-Attack Detection Model

A cyber-attack detection model is extracted by a GCN for spatial correlation features and then output to a GRU for the extraction of temporal correlation features to obtain the trend of the types of events that occur over time. The process of the GCN and GRU in the cyber-attack detection model is shown in Figure 9. Finally, as shown in Figure 10, the output including the spatial correlation features and the temporal correlation features is used as the input of an attention model for generalization. The cyber-attack detection model can pay more attention to the features of important event sequences.

Suppose that we have an event sequence $s_{net}$ handled as multiple event-graphs to form an event-graph sequence $G_{\mathrm{seq}}$. Each sequence

$$\begin{array}{c}G\left(s_{t-I}\right)...G\left(s_{t-3}\right)\\ G\left(s_{t-2}\right)G\left(s_{t-1}\right)\in G_{\mathrm{seq}}\end{array}$$

is inputted into the GCN model and then fed into the GRU model to obtain I hidden states, denoted by $h_{t-I}\dots h_{t-2}{h}_{t-1}$, which covers the spatio-temporal features. Then, the hidden states’ integrated feature $H_{t-I}$ by concatenation is inputted into the attention model to compute a context vector C covering the global I hidden states’ information. Specifically, a multi-layer perception and the Softmax function are assigned to compute the normalized attention scores of all hidden states, which are denoted as $(a_{t-I},\dots ,a_{t-2},a_{t-1})$. The context vector C can be calculated by utilizing the normalized attention scores $(a_{t-I},\dots ,a_{t-2},a_{t-1})$ and the corresponding hidden states. Finally, we use a focal loss as a loss function to compute the loss of feature vectors of the predicted event-graph in the next time step with the actual feature vectors in the next time step. The loss is used to update the weight matrices in our cyber-attack detection model by back-propagation. In this way, the cyber-attack detection model can predict each event’s occurrence probability by reverting feature vectors of event-graphs to event types in $s_{net}$. For instance, if we have a predicted probability of an event-graph’s feature vector $X\left(s_t\right)$, we are aware of the occurrence probability of each event in the next time of $s_{t-1}$.

4. Experiments

4.1. Data Description

Most existing datasets are not typical enough to represent the relationship between events and states in a DFPA. We construct a PDES dataset for the cyber-attack detection model and this PDES dataset can provide a visual and concise representation of the cyber-attack detection capabilities of various deep learning methods. The PDES dataset, available through GitHub in [30], was constructed by randomly generating a sequence of events via simulating the actual situation in a DFPA G, which is shown in Figure 11. In this PDES dataset, the event sequence $s_{net}$ contains 39,991 events. An event sequence $G_{\mathrm{seq}}$ constructed from $s_{net}$ by Definition 3 has a total of 39,991 event-graphs, and the number of vertices in each event-graph $G\left(s_t\right)$ is set to be eight. The PDES dataset contains a total of 319,928 related data, including 39,991 rows of event-graphs.

In other words, we use a DFPA G as a source of event-graph sequences $G_{\mathrm{seq}}$, which forms the PDES dataset. In fact, we do not have the structure of the DFPA G in the experiments, while only the event sequence $s_{net}$ is captured. Therefore, we call this DFPA G a hidden DFPA G. To form the PDES dataset, let us consider the hidden DFPA G in Figure 11 with inital state $q_0$. We have ${\Sigma }_o=\{a,b,c,d,e,g\}$ and ${\Sigma }_{uo}=\left\{f\right\}$. Every eight events’ features form an event-graph $G\left(s_t\right)$ by Definition 3. If $X\left(s_t\right)\in X_{\mathrm{seq}}$, $t=1,2,\dots ,h$, the event-graph feature vector of each event-graph is defined as $X\left(s_t\right)=X_{8\times 1}^t=[x_1,x_2,...,x_8]$. The PDES dataset consists of 39,991 $X\left(s_t\right)$’s.

Considering the requirement to evaluate the effectiveness of the cyber-attack detection model for optimization, we construct an attack DFPA $G_a$, as shown in the red dashed box in Figure 11. To form a dataset attacked by the attack DFPA $G_a$, we replicate the structure of the DFPA G to the attack DFPA $G_a$, with the same number of observable and unobservable events. It is assumed that the attacker has complete knowledge of the structure of the hidden DFPA G and have stolen the privileges of the initial state $q_0$ and the state $q_{10}$ in DFPA G, which means the attacker can enter and return to the DFPA G without being observed in $q_0$ and $q_{10}$, respectively. By enabling the unobservable event f in the initial state $q_0$, the attacker can induce the DPFA G into the designed attack DFPA $G_a$. The attacker can also stop the attacks at state $q_{26}$ in the attack DFPA $G_a$ and return to the state $q_{10}$ in the DFPA G by enabling the unobservable event f.

Another dataset obtained by the attack DFPA $G_a$, which contains 1500 $s_{net}$’s corrupted by the attack, is called an attacked dataset. The event sequences corrupted by the attacks generated by $G_a$ and constructed as the event-graph sequences are more difficult to be detected by the cyber-attack detection model than the attacks generated by a non-probabilistic automaton. Thus, the cyber-attack detection through the attack events generated by $G_a$ can reflect the reliability of our cyber-attack detection model.

4.2. Evaluation Metrics

The minimum probability threshold for the occurrence of each event is defined as $P_a$, implying that if the event probability of occurrence is lower than the threshold, we believe that the event is corrupted by the attacks; otherwise the event is a normal event. Consider that the occurrence probability of a normal event in the DFPA G is at least $1\%$. Thus, the initial probability threshold $P_a$ is also set to $1\%$. We classify the detection situation into four categories:

(1) If the current event is an event corrupted by an attack, and the cyber-attack detection model predicts that the occurrence probability of the current event is less than $P_a$, then the cyber-attack detection model can make a correct judgment.

(2) If the current event is a normal event, and the cyber-attack detection model predicts that the occurrence probability of the current event is less than $P_a$, then the cyber-attack detection model can make an incorrect judgment.

(3) If the current event is an event corrupted by an attack, and the cyber-attack detection model predicts that the occurrence probability of the current event is higher than $P_a$, then the cyber-attack detection model can make an incorrect judgment.

(4) If the current event is a normal event, and the cyber-attack detection model predicts that the occurrence probability of the current event is higher than $P_a$, then the cyber-attack detection model can make a correct judgment.

We denote the number of events that are correctly judged as $n_{corret}$ and the total number of events that are input into the cyber-attack detection model for prediction as $n_{total}$. The accuracy rate of detecting whether an event is corrupted by an attacker is defined as

$$Acc={\displaystyle \frac{n_{corret}}{n_{total}}},$$

where $Acc$ can reflect whether the cyber-attack detection model is able to detect events that are attacked.

In both datasets, the PDES dataset and the attacked dataset, we utilize the same cyber-attack detection model. The cyber-attack detection model can detect events in the PDES dataset as normal events, and events that were tampered in the attacked dataset as attacked events. First, our cyber-attack detection model must ensure that all attack-tampered events generated by DFPA $G_a$ can be detected, since the attack-tampered events are more dangerous for a PDES system, and then ensure that normal events generated by DFPA G are correctly identified as normal events. The above description ensures the usability of the cyber-attack detection model. In the following subsection, we analyze all the possible attack-tampered events in DFPA $G_a$ by enumeration. Here, we need to first analyze the relationship between the attack threshold $P_a$ and the accuracy rate $Acc$ in the PDES dataset. As shown in Figure 12, the contents of the red rectangular box represent when $1\%\le P_a\le 5\%$, the accuracy $Acc$ of the cyber-attack detection model reaches over $99.9\%$ in the PDES dataset, which means that almost all the events in the DFPA G are correctly predicted under this probability threshold. In particular, when $1\%\le P_a\le 2\%$, the accuracy $Acc$ reaches $100\%$ in the PDES dataset. Moreover, the relationship between the attack threshold $P_a$ and the accuracy rate $Acc$ in our attacked dataset is shown in Figure 13. From the results obtained, it becomes evident that a decrease or increase in the threshold value of $1\%$ leads to a corresponding decrease in the accuracy rate $Acc$. In order to impose a more stringent constraint, the probability threshold $P_a$ is set to $1\%$ in the subsection.

Beyond accuracy, we have also evaluated the overall performance of the cyber-attack detection model using receiver operating characteristic (ROC) curves, as shown in Figure 14. The ROC curves illustrate the model’s ability to differentiate between different event categories. The model addresses a six-class classification task, where the occurrence probability of each event is computed to further determine whether the event has been tampered. The area under the curve (AUC) values range from 0.71 to 0.93, indicating strong performance across most event categories, with Class 3 (c) achieving the highest AUC value of 0.93.

The overall performance of the proposed cyber-attack detection model is summarized by the average F1-score and weighted F1-score, which are 0.7049 and 0.8126, respectively. The weighted F1-score considers the support of each event category, making it a more reliable measure of performance, particularly in scenarios with imbalanced class distributions. These metrics indicate that our model not only maintains high accuracy but also achieves balanced performance across all event categories. To further validate the effectiveness of the model, we have compared it against models using GRU or long short-term memory (LSTM) [19] alone. Both GRU and LSTM models are trained under the same experimental settings, and their ROC curves are illustrated in Figure 15, highlighting the advantages of our approach.

As observed from

Table 1. Comparison of the cyber-attack detection model, GRU, and LSTM models.

Model	Average F1-Score	Weighted F1-Score
Cyber-Attack Detection Model	0.7049	0.8126
GRU	0.6277	0.7061
LSTM	0.6313	0.6979

, both GRU and LSTM models perform slightly inferior in distinguishing different event categories compared to the proposed model. Specifically, the GRU model achieves an average F1-score of 0.6277 and a weighted F1-score of 0.7061, while the LSTM model obtains an average F1-score of 0.6313 and a weighted F1-score of 0.6979. In contrast, the proposed cyber-attack detection model achieves a significantly higher average F1-score of 0.7049 and a weighted F1-score of 0.8126, outperforming both GRU and LSTM models.

These results indicate that while GRU and LSTM have advantages in handling sequential data, their performance in the cyber-attack detection task is still inferior to the proposed model. The model that we use in this paper not only exhibits superior AUC values but also achieves better F1-scores, particularly when considering class imbalance. These experimental findings further confirm the superiority of our proposed cyber-attack detection model in the task of detecting cyber-attacks.

4.3. Experimental Results

Considering the DFPA G and the attack DFPA $G_a$ shown in Figure 11, we can find that if the first attack-tampered event occurs and an observable event sequence $s_{net}$ ends in the $G_a$, by denoting as $S_{attack}$ the set of these observable event sequences, one has

$$\begin{array}{cc}\hfill S_{attack}=\{& b,ge,gad,gdd,ggc,gaba,gabd,gabba,\hfill \\ \hfill & gabce,gabbce,gabcad,gabbcad,gabcdgc,\hfill \\ \hfill & gabcdedgc,gabbcdedgc\}.\hfill \end{array}$$

Specially, if an event sequence $\omega$ is attacked, then an observable string ${\omega }^{\prime }$ starting from the first event of $\omega$ to the first-tampered event of $\omega$ is contained in $S_{attack}$. In this example, each attacked category of the attack DFPA $G_a$ is contained in $S_{attack}$, since $S_{attack}$ is the set of all preceding strings of attack-tampered event sequences generated by the attack DPFA $G_a$. For instance, the string $gad\in S_{attack}$ represents a category of event sequences with event g as the starting event and event d as the first attack-tampered event. The percentages of each event sequence $s_{att\left(i\right)}\in S_{attack}$ ($i\in 1,2,...,15$) of the attacked dataset are shown in Figure 16.

Among the total 1500 event sequences in the attacked dataset with attack-tampered events, 657 $s_{att\left(1\right)}$’s contain b, denoted as $b\in S_{attack}$. We input $s_{net}=\epsilon$ to the cyber-attack detection model to predict the probability of event b. The probability of $s_{net}=b$ is found to be $3.1141\times {10}^{-11}$ as shown in

Table 2. The probability of attacked event (bolded indication) in the event sequences in $S_{attack}$.

Sequence of Events in ${\mathit{S}}_{\mathit{attack}}$	Predicted Probability of the Next Event
	$\mathit{a}$	$\mathit{b}$	$\mathit{c}$	$\mathit{d}$	$\mathit{e}$	$\mathit{g}$
$s_{net}=\epsilon$	2.7246 × 10−1	3.1141 × 10−11	1.0720 × 10−12	4.2394 × 10−1	9.3816 × 10−13	3.0360 × 10−1
$s_{net}=g$	1.9997 × 10−1	5.9786 × 10−17	7.6584 × 10−20	6.2751 × 10−1	3.8545 × 10−9	1.7252 × 10−1
$s_{net}=ga$	3.9776 × 10−10	7.4531 × 10−1	2.5437 × 10−1	1.2297 × 10−14	6.8716 × 10−9	3.1642 × 10−4
$s_{net}=gd$	3.3856 × 10−3	2.9502 × 10−13	5.5116 × 10−12	1.3036 × 10−4	8.0290 × 10−1	1.9358 × 10−1
$s_{net}=gg$	1.2152 × 10−1	5.3249 × 10−27	3.4663 × 10−30	7.8465 × 10−1	3.9487 × 10−4	9.3434 × 10−2
$s_{net}=gab$	8.0296 × 10−28	5.0607 × 10−1	4.9393 × 10−1	1.5381 × 10−33	7.0198 × 10−37	2.8788 × 10−26
$s_{net}=gabb$	1.1120 × 10−21	5.0890 × 10−1	4.9110 × 10−1	1.8804 × 10−27	1.3971 × 10−15	2.6832 × 10−22
$s_{net}=gabc$	7.7555 × 10−2	6.3743 × 10−6	4.0476 × 10−5	8.6314 × 10−1	1.0257 × 10−4	5.9153 × 10−2
$s_{net}=gabbc$	1.3825 × 10−1	1.3482 × 10−14	4.3889 × 10−13	7.0813 × 10−1	2.0630 × 10−25	1.5362 × 10−1
$s_{net}=gabca$	3.1315 × 10−41	5.1623 × 10−1	4.8377 × 10−1	0.0000	1.0692 × 10−38	9.8392 × 10−41
$s_{net}=gabbca$	3.9102 × 10−3	2.4155 × 10−1	7.4626 × 10−1	5.5154 × 10−3	6.7057 × 10−10	2.7653 × 10−3
$s_{net}=gabcdg$	6.9098 × 10−5	5.2647 × 10−10	3.6647 × 10−6	1.3030 × 10−4	7.0593 × 10−1	2.9387 × 10−1
$s_{net}=gabcdedg$	3.5789 × 10−4	1.7910 × 10−13	1.8230 × 10−9	3.1316 × 10−4	9.2634 × 10−1	7.2987 × 10−2
$s_{net}=gabbcdedg$	3.7429 × 10−4	1.5784 × 10−13	1.6159 × 10−9	3.2754 × 10−4	9.2359 × 10−1	7.5707 × 10−2

, which is lower than $1\%$. Therefore, it can be decided that the event b was tampered with by the attacker at these situations.

The remaining 14 possibilities are also listed in Table 2, where the probabilities of attack-tampered events are highlighted in bold, and their probabilities are all lower than $1\%$. Thus, all possible attacks generated in $G_a$ can be detected. Considering that $1\%$ is a relatively strict condition, the probability of occurrence of all the attacks detected by the cyber-attack detection model is lower than $1\%$; then, they must be lower than the value and higher than $1\%$. Combining with Figure 12, we can find that our threshold $P_a$ can be relaxed to $5\%$ based on the actual situation.

In the analysis of a test set comprising 7997 groups of data, each group contains eight events, with each event having six possible outcomes. The aforementioned chart (Figure 17) provides a visual representation of the predicted probability distribution for each possible outcome. More specifically, each subplot reflects the model’s predicted probability for a given event category to be the next occurring event. These probability values reveal the model’s confidence in its predictions: taller probability bars indicate a stronger confidence in the occurrence of a specific event.

Within each subplot (Figure 17), the height of the bars represents the average predicted probability for that event as the true next event within the test set taken into account by the model. The error bars represent the standard deviation of the predicted probabilities, providing important information regarding the stability of the prediction distribution. For instance, in the subplot for event c, the model demonstrates a higher predicted probability along with a significant standard deviation, suggesting that the model is indeed confident in predicting this event, albeit with lower consistency in its predictions. Conversely, the subplot for event a indicates lower predicted probabilities, yet higher consistency in the distribution of probabilities, as evidenced by the relatively smaller error bars.

4.4. Experimental Complexity Analysis

In this section, we provide a detailed analysis of the computational complexity of our proposed method. Our approach mainly involves the two-layer GCN and GRU model. Let M be the number of nodes (events), L be the number of layers in the GCN, H be the hidden state dimension of the GRU, and I be the number of event-graphs of the GRUs’ input. The time complexity of GCN feature extraction can be expressed as $O\left(L·\right(2M-1\left)\right)$. As we process I graphs as one input sequence, the time complexity of GRU feature extraction is $O\left(I^2·M·H\right)$. Specifically, our model requires an average prediction time of merely 0.0281 seconds to detect attacks during the testing phase, a speed advantage that enables it to process large-scale event data in real-time and swiftly provide an assessment of security threats.

Furthermore, we have evaluated the computational efficiency of the model on a test set, where the total inference time for the entire dataset was 3.0438 seconds. This results in an average inference time per sample of 0.000396 seconds, demonstrating the model’s ability to handle individual event predictions with minimal latency. The throughput is measured at 2523.14 samples per second, highlighting the model’s capability to process a substantial volume of event data in real-time scenarios. These metrics underscore the model’s suitability for deployment in environments where rapid response and high processing capacity are critical.

5. Conclusions

This paper proposes a cyber-attack detection model within the framework of DES, modeled using a DFPA. The model employs deep learning techniques to extract and train features from event sequences. Traditional attack detection methods face challenges with state explosion when dealing with large-scale systems, which complicates real-time and effective computation. In contrast, our study automates the learning and recognition of features from event sequences, effectively reducing the computational burden caused by a large number of states and complex synchronous product computations.

A limitation of the study is the use of a case-by-case training model without the inclusion of real-world datasets, which limits the model’s generalizability to other DFPAs. Nevertheless, the reported approach aims to reduce the dependence on comprehensive knowledge of all system states, unobservable events, and state transition functions. By doing so, it addresses some challenges associated with attack detection under conditions of unclear system states, lack of sufficient prior knowledge, and frequent state explosions. While this model demonstrates potential in identifying whether a DES has been subjected to a cyber-attack and in locating anomalous events, thereby improving diagnostic precision and practicality, further validation with more diverse datasets would be beneficial to fully establish its robustness.

In future work, we aim to integrate considerations of opacity—an aspect of DESs focused on ensuring the confidentiality of certain information within the system to prevent unauthorized access. Incorporating opacity into the cyber-attack detection model will address potential ethical concerns, such as balancing effective detection with the protection of sensitive information.

Additionally, the methods developed in this research are also applicable to fields such as fault diagnosis and opacity analysis. They are capable of processing actual operational event sequences, providing predictive insights into all events that might be triggered post-attack and the potential events at each step of any event sequence. Overall, the cyber-attack detection model introduced in this paper offers a novel and efficient solution for enhancing security and monitoring within DESs.