January 2025
·
15 Reads
·
3 Citations
Background Anomaly detection is vital in industrial settings for identifying abnormal behaviors that suggest faults or malfunctions. Artificial intelligence (AI) offers significant potential to assist humans in addressing these challenges. Methods This study compares the performance of supervised and unsupervised machine learning (ML) techniques for anomaly detection. Additionally, model-specific explainability methods were employed to interpret the outputs. A novel explainability approach, MLW-XAttentIon, based on causal reasoning in attention networks, was proposed to visualize the inference process of transformer models. Results Experimental results revealed that unsupervised models perform well without requiring labeled data, offering significant promise. In contrast, supervised models demonstrated greater robustness and reliability. Conclusions Unsupervised ML techniques present a feasible, resource-efficient option for anomaly detection, while supervised methods remain more reliable for critical applications. The MLW-XAttentIon approach enhances interpretability of transformer-based models, contributing to trust and transparency in AI-driven anomaly detection systems.
![Figure 2 depicts the SDN-microSENSE business logic based on the SDN architectural model. It comprises three main conceptual frameworks [33], namely (a) SDN-microSENSE Risk Assessment Framework (S-RAF), (b) Cross-Layer Energy Prevention and Detection System (XL-EPDS) and (c) SDN-enabled Self-healing Framework (SDN-SELF) that are deployed throughout the four SDN planes: (a) Data Plane, (b) Control Plane, (c) Application Plane and (d) Management Plane. The term conceptual framework refers to a set of functions and relationships within a research area [33]. Therefore, the SDN-microSENSE frameworks mentioned earlier focus on the following cybersecurity-related research areas: (a) Risk assessment, (b) intrusion detection and correlation and (d) self healing and recovery. Each of the SDN-microSENSE frameworks takes full advantage of the SDN technology in order to detect, mitigate or even prevent possible intrusions. In particular, S-RAF instructs the SDN Controller (SDN-C) to redirect the potential cyberattackers to the EPES/SG honeypots. The EPES/SG honeypots constitute a security control of S-RAF. Next, XL-EPDS uses statistics originating from the SDN-C to detect possible anomalies or cyberattacks related to the entire SDN network. Finally, SDN-SELF communicates with the SDN-C in order to mitigate possible intrusions and anomalies. The following subsections analyse the components and the interfaces of each SDN-microSENSE framework. A more detailed view of the SDN-microSENSE architecture, along with the interfaces between the various planes, is depicted in Figure 1. The structural view is based on the SDN architecture, as defined by the Open Networking Foundation (ONF) [34] and Request for Comments (RFC) 7426 [35], and follows the rationale of decoupling the network control with the forwarding functions. Therefore, according to the above specifications, the conceptual frameworks are placed within the Data, Controller, Application, and Management Planes. In particular, the Data Plane contains the EPES/SG infrastructure, the honeypots and the SDN switches. The Controller Plane consists of multiple SDN controllers that receive guidance from the Application and Management Planes and configure the Data Plane accordingly. The conceptual frameworks and their components are placed within the Application Plane. In this plane, the most important operational decisions take place, such as the detection of a cyberattack or the decision to isolate a malicious network flow. Finally,](https://www.researchgate.net/publication/354992483/figure/fig2/AS:1075596939534341@1633453702444/depicts-the-SDN-microSENSE-business-logic-based-on-the-SDN-architectural-model-It_Q320.jpg)
