KeAD: Knowledge-enhanced Graph Attention Network for Accurate Anomaly Detection

Anomaly detection has emerged as one of the core research topics to support workflow applications across domains. To differentiate anomalies from normal patterns of workflows, Graph Neural Networks (GNNs) models have been introduced. These models leverage time series data to construct graph structures, in order to explicitly capture task dependencies among industrial Internet of Things (IoT) devices, and thus, to identify deviations from predicted behaviours as anomalies. However, existing forecasting-based anomaly detection methods may not accurately detect certain anomalies, as they rely solely on historical sensory data while seldom considering the valuable information embedded in domain knowledge. To address this limitation, this paper proposes a Knowledge-enhanced graph attention-based Anomaly Detection (KeAD) method. Specifically, a knowledge-enhanced graph structure is constructed by incorporating domain-specific knowledge to represent spatio-temporal dependencies between IoT devices. Based on which, a knowledge-enhanced graph attention-based forecasting network is developed to predict the future behaviours of IoT devices. Anomalies, such as those caused by cyber-attacks in workflows, are detected by analyzing deviations from these predicted behaviours in conjunction with domain-specific knowledge. A case study is presented, along with extensive experiments conducted on publicly available datasets. Evaluation results demonstrate that KeAD outperforms the state-of-the-art techniques in terms of anomaly detection accuracy.