Unsupervised Anomaly Detection Framework for Multimodal Data in Industrial Control Systems

Industrial control systems (ICSs) are cyber–physical environments in which physical process data and network communication data are generated simultaneously. Existing studies have mainly focused on either sensor-based or network-based anomaly detection, making it difficult to capture diverse attack indicators and motivating the use of multimodal methods that can leverage complementary information from both modalities. In this paper, we propose an unsupervised multimodal anomaly detection framework for ICSs that jointly uses sensor and network modalities. For each modality, autoencoder-based single-modality models are trained in an unsupervised manner, and their anomaly scores and latent feature vectors are extracted. These outputs are temporally aligned to construct a time-aligned multimodal table, which is then used to implement and compare two fusion strategies: anomaly score fusion and latent feature fusion. In latent feature fusion, aligned modality-specific latent features are combined with canonical correlation analysis (CCA)-derived cross-modal correlation features. The experimental results showed that latent feature fusion achieved stable performance across multiple sensor–network encoder combinations. In particular, the gated recurrent unit–convolutional neural network (GRU–CNN) combination achieved the best F1-score of 0.9166 and ROC-AUC of 0.9795. In addition, the complementarity analysis showed that latent feature fusion recovered some missed detections by integrating complementary sensor and network evidence. These results demonstrate that latent feature fusion is an effective multimodal strategy for ICS anomaly detection.