TY - JOUR
T1 - Finding Component Relationships
T2 - A Deep-Learning-Based Anomaly Detection Interpreter
AU - Xu, Lijuan
AU - Han, Ziyu
AU - Wang, Zhen
AU - Zhao, Dawei
N1 - Publisher Copyright: © 2014 IEEE.
PY - 2024/6/1
Y1 - 2024/6/1
AB - While the interpretability of deep learning (DL)-based models has been extensively explored in academia, applying existing interpretation methods to anomaly detection in industrial control systems (ICSs) poses challenges for two primary reasons. First, security experts in ICS have distinct interpretive priorities, emphasizing the need for stability and readability. Second, there are various types of device components in ICS, and the potential interactions between sensors and actuators are yet to be explored. To tackle the above challenges, we propose DeepINT, an interpreter for anomaly detection in ICS. In DeepINT, we adopt a search optimization algorithm to find the reference and capture feature importance by the backpropagation gradient to improve interpretation performance and reliability. In addition, we construct a finite difference-based interaction detection, which tests the interaction of different device components, in order to address the problem that actuators in ICS are not easily interpreted, meanwhile improving the comprehensiveness and accuracy of the interpretation results. In comprehensive experiments on two real water treatment datasets [secure water treatment (SWaT) and water distribution (WADI)], DeepINT shows excellent interpretation performance compared to the six state-of-the-art baseline methods, especially on the SWaT dataset, with a 60% improvement in interpretation accuracy. In addition, our method significantly improves the efficiency of interaction detection, which balances interpretation performance and time efficiency.
KW - Anomaly detection
KW - industrial control system (ICS)
KW - interaction detection
KW - interpretability
UR - http://www.scopus.com/inward/record.url?scp=85186066101&partnerID=8YFLogxK
U2 - 10.1109/TCSS.2024.3360435
DO - 10.1109/TCSS.2024.3360435
M3 - Article
AN - SCOPUS:85186066101
SN - 2329-924X
VL - 11
SP - 4149
EP - 4162
JO - IEEE Transactions on Computational Social Systems
JF - IEEE Transactions on Computational Social Systems
IS - 3
ER -