Incremental Causal Graph Learning for Online Cyberattack Detection in Cyber-Physical Infrastructures
Malarkkan, Arun Vignesh, Wang, Dongjie, Bai, Haoyue, Fu, Yanjie
arXiv.org Artificial Intelligence
Fu are with the School of Computing and Augmented Intelligence, Arizona State University, Tempe, Arizona, USA.

Abstract: The escalating threat of cyberattacks on real-time critical infrastructures poses significant risks to public safety, necessitating detection methods that can effectively capture complex system interdependencies and adapt to evolving attack patterns. Traditional real-time anomaly detection techniques often produce excessive false positives due to their statistical sensitivity to high data variability and class imbalance. To address these limitations, recent research has explored modeling causal relationships among system components. However, prior work predominantly focuses on offline causal graph-based approaches that require static historical data and fail to generalize to real-time settings. These methods are fundamentally constrained by: (1) their inability to adapt to dynamic shifts in data distribution without retraining, and (2) the risk of catastrophic forgetting when lacking timely supervision in live systems. To overcome these challenges, we propose INCADET, a novel framework for incremental causal graph learning tailored to real-time cyberattack detection. The framework comprises three modules: 1) Early Symptom Detection: Detects transitions in system status using divergence in edge-weight distributions across sequential causal graphs. Extensive experiments on real-world critical infrastructure datasets demonstrate that INCADET achieves superior accuracy, robustness, and adaptability compared to both static causal and deep temporal baselines in evolving attack scenarios.

In real-world critical public infrastructures, adversarial cyberattacks emerge incrementally, evolving from subtle data perturbations to complex intrusions that trigger delayed, cascading disruptions across interconnected nodes, complicating detection and mitigation.
Jul-22-2025
- Country:
- North America > United States > Arizona > Maricopa County > Tempe (0.24)
- Genre:
- Research Report (1.00)