AI-based scada data request behavior anomaly detection method and system

By employing a multimodal deep fusion mechanism and a cross-modal gating interaction mechanism, the logical constraints of communication behavior and physical state in the SCADA system are explicitly modeled, solving the problem of the inability to identify covert attacks and false alarms in existing technologies, and achieving efficient anomaly detection in the SCADA system.

CN122160091APending Publication Date: 2026-06-05HUANENG WEINING WIND POWER GENERATION CO LTD +2

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
HUANENG WEINING WIND POWER GENERATION CO LTD
Filing Date
2026-01-22
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing SCADA anomaly detection technologies cannot effectively identify covert attacks that conform to communication protocols but violate physical operating logic, and are prone to false alarms under special operating conditions, making it difficult to meet the requirements of industrial control systems for detection robustness and logical interpretability.

Method used

By employing a multimodal deep fusion mechanism, a dual-tower Transformer structure is used to extract deep contextual features of communication behavior and physical state. A cross-modal gating interaction mechanism is introduced to explicitly model the logical constraints of physical state on communication requests, generating a joint contextual encoding vector of communication behavior-physical state information. Abnormal behavior is then identified through joint reconstruction and dynamic threshold judgment.

Benefits of technology

It significantly improves the accuracy and robustness of detecting complex threats, effectively identifies deep camouflage attacks, reduces false alarm rates, and ensures the security and continuity of industrial control systems.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122160091A_ABST
    Figure CN122160091A_ABST
Patent Text Reader

Abstract

The application discloses an AI-based SCADA data request behavior anomaly detection method and system, which first performs multi-modal serialization and time sequence alignment on original request data flow and physical state data flow, and extracts deep context features of communication behavior and physical state in parallel by using a double-tower Transformer structure. Further, through a cross-modal gating interaction mechanism, consistency and inconsistency features between communication behavior and physical state are explicitly decoupled and enhanced, and joint context encoding containing physical-information causal logic is generated. Finally, based on joint reconstruction error analysis and dynamic threshold determination of communication and state sequences, accurate identification of abnormal behavior is realized. The method effectively improves the detection accuracy and robustness of the industrial control system when facing deep camouflage threats by constructing a logical constraint model of physical state on communication request.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of wind power generation control technology, and more specifically, to an AI-based method and system for detecting abnormal SCADA data request behavior. Background Technology

[0002] With the deep integration of industrial automation and information technology, Supervisory Control and Data Acquisition (SCADA) systems play a central role in critical national infrastructures such as power, water, and intelligent manufacturing. As SCADA systems increasingly break down their closed environments and connect to external networks, malicious attacks targeting their data request behavior are becoming more sophisticated and logical. Therefore, building an anomaly detection mechanism capable of accurately identifying complex threats is crucial for ensuring the continuity and security of industrial production.

[0003] However, most existing SCADA anomaly detection technologies are limited to single-modal analysis of communication logs or network traffic. These methods typically utilize statistical models or recurrent neural networks to define normality and anomalies solely based on communication protocol compliance, frequency patterns, or timing regularities. The technical problem lies in artificially separating communication behavior in the information domain from the operational state in the physical domain, lacking perception and modeling of the inherent causal consistency between the two. In real-world industrial scenarios, the legitimacy of data requests is often strictly constrained by the physical context. For example, during equipment downtime or maintenance, some read / write requests conforming to communication protocol standards may be logically abnormal. Because existing technologies cannot establish a joint mapping between physical state and communication behavior, they are prone to missing detections when facing deepfake attacks exploiting logical vulnerabilities, or generating numerous false alarms during normal system operation under varying conditions, failing to meet the stringent requirements of industrial control systems for robustness and logical interpretability.

[0004] Therefore, an optimized SCADA data request behavior anomaly detection scheme is desired. Summary of the Invention

[0005] To address the aforementioned technical problems, this application is proposed. Embodiments of this application provide an AI-based method and system for detecting abnormal SCADA data request behavior.

[0006] According to one aspect of this application, an AI-based method for detecting anomalies in SCADA data request behavior is provided, comprising: Obtain the raw request data stream and the raw state data stream; Multimodal serialization and feature embedding are performed on the original request data stream and the original state data stream to obtain the request sequence and the state sequence; Dual-tower Transformer encoding is performed on the request sequence and state sequence to obtain the context request embedding and the context state embedding; Cross-modal fusion of context request embedding and context state embedding is performed to obtain a joint context encoding vector of communication behavior-physical state information; The joint context encoding vector of communication behavior and physical state information is jointly reconstructed to obtain the reconstruction request sequence and the reconstruction state sequence; Calculate the anomaly score based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence. Dynamic threshold judgment and alarm are performed based on abnormal scores to obtain alarm signals.

[0007] According to another aspect of this application, an AI-based SCADA data request behavior anomaly detection system is provided, comprising: The data acquisition module is used to acquire the original request data stream and the original status data stream; The multimodal serialization and feature embedding module is used to perform multimodal serialization and feature embedding on the original request data stream and the original state data stream to obtain the request sequence and the state sequence; The dual-tower Transformer encoding module is used to perform dual-tower Transformer encoding on request sequences and state sequences to obtain context request embeddings and context state embeddings. The cross-modal fusion module is used to perform cross-modal fusion of context request embedding and context state embedding to obtain a joint context encoding vector of communication behavior-physical state information; The joint reconstruction module is used to jointly reconstruct the joint context encoding vector of communication behavior-physical state information to obtain the reconstruction request sequence and the reconstruction state sequence. The anomaly score calculation module is used to calculate the anomaly score based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence. The alarm signal acquisition module is used to perform dynamic threshold judgment and alarm based on the anomaly score to obtain alarm signals.

[0008] Compared to existing technologies, to address the issues of missed detections of logically contradictory attacks and false alarms under special operating conditions caused by the fragmented analysis of physical and information domain data, this invention first performs multimodal serialization and temporal alignment of the original request data stream and the physical state data stream. It then utilizes a dual-tower Transformer structure to extract deep contextual features of communication behavior and physical state in parallel. Furthermore, through a cross-modal gating interaction mechanism, it explicitly decouples and enhances the consistency and inconsistency features between communication behavior and physical state, generating a joint context code containing physical-information causal logic. Finally, based on joint reconstruction error analysis and dynamic threshold determination of the communication and state sequences, it achieves accurate identification of abnormal behavior. This method, by constructing a logical constraint model of physical state on communication requests, effectively improves the detection accuracy and robustness of industrial control systems against deep-camouflage threats. Attached Figure Description

[0009] The above and other objects, features, and advantages of this application will become more apparent from the more detailed description of the embodiments of this application in conjunction with the accompanying drawings. The drawings are provided to further illustrate the embodiments of this application and form part of the specification. They are used together with the embodiments of this application to explain this application and do not constitute a limitation thereof. In the drawings, the same reference numerals generally represent the same components or steps.

[0010] Figure 1 This is a flowchart of an AI-based SCADA data request behavior anomaly detection method according to an embodiment of this application; Figure 2 This is a schematic diagram of the data flow of the AI-based SCADA data request behavior anomaly detection method according to an embodiment of this application; Figure 3 This is a flowchart illustrating the process of performing multimodal serialization and feature embedding on the original request data stream and the original state data stream to obtain the request sequence and the state sequence in the AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 4 This is a flowchart illustrating the cross-modal fusion of context request embedding and context state embedding to obtain a joint context encoding vector of communication behavior-physical state information in the AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 5 This is a flowchart illustrating the calculation of anomaly scores based on request sequences, reconstructed request sequences, state sequences, and reconstructed state sequences in an AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 6 This is a block diagram of an AI-based SCADA data request behavior anomaly detection system according to an embodiment of this application. Detailed Implementation

[0011] Hereinafter, exemplary embodiments according to this application will be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are merely some embodiments of this application, and not all embodiments of this application. It should be understood that this application is not limited to the exemplary embodiments described herein.

[0012] As indicated in this application and claims, unless the context clearly indicates otherwise, the words "a," "an," "an," and / or "the" are not specifically singular and may include plural forms. Generally speaking, the terms "comprising" and "including" only indicate the inclusion of explicitly identified steps and elements, which do not constitute an exclusive list, and the method or apparatus may also include other steps or elements.

[0013] While this application makes various references to certain modules of the systems according to embodiments of this application, any number of different modules can be used and run on user terminals and / or servers. The modules described are merely illustrative, and different aspects of the systems and methods may use different modules.

[0014] Flowcharts are used in this application to illustrate the operations performed by the system according to embodiments of this application. It should be understood that the preceding or following operations are not necessarily performed in exact order. Instead, various steps can be processed in reverse order or simultaneously as needed. Furthermore, other operations can be added to these processes, or one or more steps can be removed from them.

[0015] Currently, anomaly detection technologies in SCADA systems are mostly limited to single-modal analysis of communication traffic or log data, neglecting the inherent causal consistency between communication behavior and the physical system state. This separation between physical and information domain data makes it difficult for existing methods to identify covert attacks that conform to protocol specifications but violate physical operating logic, and they are prone to false alarms under special operating conditions. Therefore, this application proposes an AI-based SCADA data request behavior anomaly detection method, aiming to solve the aforementioned detection blind spot problem by explicitly modeling the logical constraints of physical state on communication requests through a multimodal deep fusion mechanism. Specifically, this application first performs multimodal serialization and temporal alignment on the acquired original request data stream and original state data stream, and uses a dual-tower Transformer structure to extract deep context embeddings of communication behavior and physical state respectively. Then, a cross-modal gating interaction mechanism is introduced to filter the request embeddings based on physical state priors, explicitly decoupling consistent features that conform to physical logic and inconsistent features that contradict it, and generating a joint context encoding vector of communication behavior-physical state information accordingly. Next, by performing bimodal joint reconstruction on the joint encoding vector, the reconstruction error between the request sequence and the state sequence is calculated to quantify the degree of anomaly. Finally, an alarm signal is generated based on the comparison between the anomaly score and an adaptive dynamic threshold, thereby significantly improving the detection capability of cross-domain logical violations while ensuring a low false alarm rate.

[0016] Figure 1 This is a flowchart of an AI-based SCADA data request behavior anomaly detection method according to an embodiment of this application. Figure 2 This is a schematic diagram of the data flow in an AI-based SCADA data request behavior anomaly detection method according to an embodiment of this application. Figure 1 and Figure 2 As shown, the AI-based SCADA data request behavior anomaly detection method according to an embodiment of this application includes the following steps: S100, acquiring the original request data stream and the original state data stream; S200, performing multimodal serialization and feature embedding on the original request data stream and the original state data stream to obtain a request sequence and a state sequence; S300, performing dual-tower Transformer encoding on the request sequence and the state sequence to obtain a context request embedding and a context state embedding; S400, performing cross-modal fusion on the context request embedding and the context state embedding to obtain a joint context encoding vector of communication behavior-physical state information; S500, performing joint reconstruction on the joint context encoding vector of communication behavior-physical state information to obtain a reconstructed request sequence and a reconstructed state sequence; S600, calculating anomaly scores based on the request sequence, the reconstructed request sequence, the state sequence, and the reconstructed state sequence; S700, performing dynamic threshold judgment and alarm based on the anomaly scores to obtain an alarm signal.

[0017] Specifically, in step S100, the original request data stream and the original state data stream are acquired. It is understood that, due to the inherent heterogeneity and temporal correlation between control commands in the information domain and process states in the physical domain of an industrial control system, single-dimensional data is insufficient to reveal hidden logical violations, and attackers often exploit this fragmentation to forge commands that conform to communication protocols but violate physical logic. Therefore, in the technical solution of this application, the original request data stream and the original state data stream are acquired to construct a full-dimensional data view containing communication behavior trajectories and physical environment feedback. This provides a complete and temporally aligned data foundation for subsequent mining of causal consistency in physical information, eliminating detection blind spots caused by missing data sources. In specific implementations, data acquisition can focus solely on recording technical data generated at the equipment and network layers of the industrial control system, avoiding the collection, storage, and processing of personal privacy information related to natural person identification, thus ensuring that the application of this method complies with relevant laws, regulations, and social ethics.

[0018] More specifically, in a particular example of this application, the data acquisition process first accesses the industrial Ethernet switch and fieldbus network via bypass mirroring or gateway interception. For the raw request data stream, deep packet inspection technology is used to capture industrial protocol data packets such as Modbus TCP or DNP3 flowing through the network in real time, and protocol parsing is performed to extract key fields. These fields include the precise microsecond-level timestamp of the instruction issuance, the source IP address of the host computer initiating control, the target IP address of the remote terminal unit receiving the instruction, the core function code indicating the operation type, and the specific register addresses involved. Simultaneously, for the raw status data stream, physical operation snapshots of the field equipment are frequently collected by synchronizing with a historical database or directly polling the programmable logic controller. The collected content includes pipeline pressure values, pump speed, valve opening percentage, and equipment start / stop status indicators. Based on this, to address the asynchronous nature of the two data streams, data slicing and alignment operations based on time windows are performed. The continuously flowing request data and status data are truncated at preset fixed time intervals, and all communication logs and physical status readings falling within the same time window are correlated and aggregated. This operation ensures that each control command establishes a clear temporal correspondence with the physical environment parameters at that time, thereby outputting structured, aligned window data pairs, which prepares the data for subsequent multimodal feature extraction.

[0019] Specifically, in step S200, the original request data stream and the original state data stream are subjected to multimodal serialization and feature embedding to obtain the request sequence and the state sequence. It is understandable that, due to the strong heterogeneity and multi-source nature of the original data in industrial control scenarios, communication request logs are filled with discrete symbolic information such as function codes and register addresses, while the physical process state is represented by continuously changing analog numerical values ​​such as pressure and temperature. This huge gap in data attributes makes it difficult for deep learning models to directly perform effective joint operations and pattern mining on the original information. Therefore, in the technical solution of this application, the original request data stream and the original state data stream are further subjected to multimodal serialization and feature embedding to obtain the request sequence and the state sequence. Specifically, discrete features within the request event are mapped to dense vectors and concatenated with normalized continuous features to construct a request feature vector. Simultaneously, the physical state snapshot aligned with the request time sequence is numerically normalized. This eliminates the differences in dimensions and distribution between different modal data, unifying the heterogeneous industrial data into a high-dimensional, dense feature space with consistent mathematical expression. This ensures that subsequent models can understand the intent of communication behavior and the feedback from the physical environment on the same semantic plane, laying a solid data representation foundation for capturing fine-grained cross-modal correlation features.

[0020] Figure 3 This is a flowchart illustrating the process of multimodal serialization and feature embedding of the original request data stream and original state data stream to obtain the request sequence and state sequence in the AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 3 As shown, step S200 includes: S210, performing feature separation and extraction on each request event in the original request data stream to obtain discrete features and continuous features; S220, performing discrete feature embedding on the discrete features and feature normalization on the continuous features to obtain discrete feature embedding vectors and normalized continuous features, and concatenating the discrete feature embedding vectors and normalized continuous features to obtain a request comprehensive feature vector; S230, normalizing the physical state snapshots of each timestamp in the original state data stream to obtain a state vector.

[0021] In step S210, feature separation and extraction are performed on each request event in the original request data stream to obtain discrete and continuous features. It is understandable that the original request data in the SCADA communication protocol naturally contains a mixture of information types with vastly different properties. This includes categorical data such as function codes and register addresses, which only have symbolic meaning, as well as measurement data such as load length and request interval, which have actual numerical significance. Directly inputting these into the model without differentiation would lead to confusion in the feature semantic space and mutual interference of information. Therefore, in the technical solution of this application, feature separation and extraction are further performed on each request event in the original request data stream to obtain discrete and continuous features, thereby implementing differentiated preprocessing strategies based on the mathematical attributes of the data fields. This ensures that categorical information is accurately mapped to a high-dimensional semantic space, while measurement information retains the physical meaning of its numerical intensity, maximizing the preservation of multidimensional feature details of communication behavior.

[0022] More specifically, in a concrete example of this application, the feature extraction process first performs field traversal and attribute discrimination on each structured request log based on a predefined industrial protocol parsing template. For fields such as source IP address, destination IP address, Modbus function code, and the starting address of the target register of the operation, they are identified as attributes representing finite sets or symbolic identifiers, and are categorized and extracted as discrete features. These features are used to subsequently construct the semantic identity of the request. Simultaneously, for fields such as the effective payload byte length of the data packet and the request-response time difference, they are identified as attributes with continuous numerical distributions reflecting traffic intensity, and are categorized and extracted as continuous features. These features are used to quantify the load and frequency patterns of communication. Through this deterministic field mapping and classification extraction, the originally mixed single log record is decomposed into two independent feature sets with single attributes, providing a structured foundation for subsequent heterogeneous feature encoding.

[0023] In step S220, discrete features are embedded using discrete features, and continuous features are normalized to obtain discrete feature embedding vectors and normalized continuous features. The discrete feature embedding vectors and normalized continuous features are then concatenated to obtain the requested comprehensive feature vector. It is understood that since discrete features in SCADA requests only possess symbolic indexing meaning and lack distance measurement capabilities in vector space, and continuous features exhibit significant differences in numerical magnitude, direct mixing can easily lead to gradient oscillations during model training or undue dominance of gradients by large numerical features. Therefore, in the technical solution of this application, discrete features are further embedded using discrete features, and continuous features are normalized to obtain discrete feature embedding vectors and normalized continuous features. The discrete feature embedding vectors and normalized continuous features are then concatenated to obtain the requested comprehensive feature vector, thereby constructing a unified feature representation space that combines semantic density and numerical stability. This eliminates the dimensional barriers between heterogeneous features, ensuring that the neural network can extract high-order correlation features from both symbolic control intentions and numerical flow attributes in a balanced manner.

[0024] More specifically, in a concrete example of this application, the feature vectorization process first constructs an independent embedding matrix for each discrete feature. The number of rows in this matrix corresponds to the dictionary size of the feature values, and the number of columns corresponds to the preset embedding dimension. For discrete inputs such as function codes or register address indices, a lookup table operation is used to map them to corresponding low-dimensional dense floating-point vectors, thereby capturing the similarity of different control instructions in the latent semantic space. Simultaneously, a numerical scaling operation is performed on continuous features, using a max-min normalization algorithm to linearly map values ​​such as data packet payload length or communication delay to a closed interval between zero and one, eliminating the influence of the physical units of the original data. Subsequently, a vector fusion operation is performed, sequentially concatenating the generated multiple discrete feature embedding vectors with the normalized continuous feature scalars along the feature channel dimension to form a single high-dimensional comprehensive feature vector containing all the key information of the request. This vector serves as the basic input unit for subsequent time-series modeling, fully preserving the identity and intensity attributes of the communication event.

[0025] In step S230, the physical state snapshots at each timestamp in the original state data stream are normalized to obtain a state vector. It is understandable that the original physical state data in the SCADA system originates from a wide variety of field sensors and actuators, covering heterogeneous parameters such as pipeline pressure, motor speed, transformer oil temperature, and valve opening. These parameters naturally have completely different physical dimensions and numerical magnitudes. Directly inputting raw values ​​spanning several orders of magnitude into a deep neural network would lead to gradient explosion or failure to converge during model training, and the model would incorrectly assign excessive weights to large numerical features. Therefore, in the technical solution of this application, the physical state snapshots at each timestamp in the original state data stream are further normalized to obtain a state vector, thereby eliminating the dimensional differences between different physical quantities and uniformly mapping multidimensional physical parameters to a dimensionless standard numerical range. This ensures that the model treats each physical state variable equally, thus accurately capturing the dynamic evolution of the system state based on a unified numerical distribution characteristic.

[0026] More specifically, in a concrete example of this application, the state vector construction process first extracts a corresponding physical state snapshot from the original state data stream based on a timestamp strictly aligned with the communication request. This snapshot consists of real-time readings from all monitoring points at the current moment, such as the water tank level, the instantaneous current of the centrifugal pump, and the feedback opening of the regulating valve at a certain moment. Subsequently, a numerical scaling operation is performed independently for each physical quantity dimension in the snapshot. Using the maximum and minimum values ​​of each sensor obtained from the historical training set, the max-min normalization algorithm is applied to linearly transform all physical readings to a closed interval between zero and one, or Z-score normalization is applied to convert them into standard normal distribution values ​​with a mean of zero and a variance of one. Finally, the processed normalized values ​​are arranged according to a predetermined sensor index order and combined to form a high-dimensional dense state vector. This vector is immediately used as the input to the state tower in the subsequent dual-tower Transformer model, providing clean and standardized physical context information for anomaly detection.

[0027] Specifically, in step S300, the request sequence and state sequence are subjected to dual-tower Transformer encoding to obtain context request embedding and context state embedding. It is understood that, since the request vector or state vector of a single time step in a SCADA system only reflects instantaneous static characteristics and lacks awareness of the temporal correlation between historical operation sequences and state evolution trajectories, and the discrete jump characteristics of communication behavior differ significantly from the continuous gradual changes of physical states, direct simple fusion is insufficient to capture long-range dependencies and complex attack patterns. Therefore, in the technical solution of this application, the request sequence and state sequence are further subjected to dual-tower Transformer encoding to obtain context request embedding and context state embedding. This includes inputting the request sequence into a communication tower encoder to obtain context request embedding, and inputting the state sequence into a state tower encoder to obtain context state embedding. This utilizes a self-attention mechanism to mine the deep temporal logic and context dependencies within each mode in parallel. In this way, deep feature representations containing rich historical context information can be generated, ensuring that subsequent cross-modal fusion is based on a full understanding of the evolution laws of each modality, thereby improving the model's sensitivity to low-frequency slow attacks or complex sequence anomalies.

[0028] More specifically, in a specific example of this application, dual-tower Transformer encoding of the request sequence and the state sequence to obtain a context request embedding and a context state embedding includes: inputting the request sequence into a communication tower encoder to obtain a context request embedding; and inputting the state sequence into a state tower encoder to obtain a context state embedding.

[0029] More specifically, the encoding process first constructs two structurally independent but architecturally similar Transformer encoder networks, defined as the communication tower and the state tower, respectively. For the request sequence, positional encoding information is first superimposed to preserve the sequential attributes of the time series, and then it is input into the communication tower encoder. Inside the communication tower, a multi-head self-attention mechanism is used to calculate the correlation weight between each discrete request event in the request sequence and all other historical request events, dynamically focusing on the key historical operations that have the greatest influence on the current judgment, and performing a nonlinear transformation through a feedforward neural network to output a contextual request embedding with a shape consistent with the input but with deeper feature dimensions. Simultaneously, for the state sequence, it is input into the state tower encoder, which uses the same self-attention mechanism to capture the dynamic evolution and inertial trends of physical parameters on the time axis, such as identifying a continuous process of gradually increasing pressure or a periodic switching pattern of valve states, and finally outputting a contextual state embedding that reflects the dynamic characteristics of the physical system. This process achieves decoupled feature extraction of the communication intent flow and the physical state flow, providing high-purity semantic input for subsequent cross-modal interactions.

[0030] Specifically, in step S400, the context request embedding and the context state embedding are fused across modally to obtain a joint context encoding vector of communication behavior-physical state information. It is understandable that common cross-modal fusion mechanisms in existing technologies, such as simple feature concatenation of the context request embedding and the context state embedding or the application of general cross-modal attention, have a technical flaw: these methods fail to explicitly model a crucial special relationship in SCADA scenarios, namely, physical-information causal consistency. Specifically, simple feature concatenation merely juxtaposes two information sources, completely delegating the burden of learning the inherent causal relationship between physical laws and legitimate operations to subsequent network layers. This implicit learning method is inefficient and unreliable. Furthermore, while general cross-modal attention mechanisms can capture correlations between information, they learn a soft statistical association rather than a rigid logical constraint derived from the laws of the physical world. The fundamental problem is that these mechanisms treat the communication request modality and the physical state modality as two equal data sources for fusion, ignoring the core fact that the physical state is a decisive constraint on the set of legitimate communication requests.

[0031] Therefore, in the technical solution of this application, cross-modal fusion of context request embedding and context state embedding is further performed to obtain a joint context encoding vector of communication behavior-physical state information. This improved mechanism introduces a consistency decoupling gating fusion method, which aims to reconstruct the original fusion process into the identification, decoupling, and enhancement fusion of consistent and inconsistent information, thereby achieving explicit modeling of causal consistency between physical and informational information. In this way, the model can overcome the problem of false negatives that are easily generated due to the lack of direct measurement ability for logical contradictions or causal inconsistencies. When facing attacks that violate physical logic but may be statistically similar to normal behavior, such as when the pressure sensor reading of an oil tank already shows critical high pressure, an attacker maliciously sends a control command to open a pressurization valve. This command may be no different from normal operation in terms of communication protocol format and frequency, which is a deep disguise threat. This solution can accurately capture the communication behavior that directly violates the rigid constraints of the physical state by explicitly separating the inconsistency features, thereby effectively identifying such deep disguise threats and significantly improving the logical defense capability under complex working conditions.

[0032] Figure 4 This is a flowchart illustrating the cross-modal fusion of context request embedding and context state embedding to obtain a joint context encoding vector of communication behavior-physical state information in the AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 4As shown, step S400 includes: S410, performing cross-modal gating interaction on the context request embedding and the context state embedding to obtain a gating vector; S420, based on the gating vector, decoupling the consistency and inconsistency features of the context request embedding to obtain consistent features and inconsistency features; S430, performing multimodal enhancement fusion on the context state embedding, consistent features, and inconsistency features to obtain a joint context encoding vector of communication behavior-physical state information.

[0033] In step S410, cross-modal gating interaction is performed on the context request embedding and the context state embedding to obtain a gating vector. It is understandable that simple multimodal feature concatenation or general attention mechanisms can only capture the statistical correlation of data, and cannot substantially examine the logical compliance of operational instructions based on physical conditions like human experts can. This makes it difficult for the model to identify malicious requests that appear statistically normal but violate current physical constraints. Therefore, in the technical solution of this application, cross-modal gating interaction is further performed on the context request embedding and the context state embedding to obtain a gating vector, thereby first creating a quantified signal that can dynamically evaluate the rationality of a communication request under a specific physical state. This simulates the judgment logic of a domain expert, that is, when observing a data request and the current physical state, an immediate judgment is formed in the mind regarding whether the request is reasonable under the current state, and this qualitative expert judgment is quantified into a differentiable gating signal that can guide subsequent information processing, laying the foundation for explicitly separating consistent and inconsistent information.

[0034] More specifically, in a particular example of this application, the interaction process aims to construct a neural component with logical discriminative capabilities. Specifically, through a learnable nonlinear transformation, the physical state context embedding is used as prior knowledge to examine the communication request context embedding, thereby generating an interactive gating vector. For example, in a water SCADA scenario, when the physical state embedding represents the prior fact that the water tank level has reached a critical high level, the model uses this prior to weight and evaluate the request embedding to start the water pump.

[0035] In step S420, based on the gating vector, the consistency and inconsistency features of the context request embedding are decoupled to obtain consistent and inconsistency features. It is understandable that, before processing, the original communication request features are in a mixed state, containing both normal operational semantics consistent with the current operating logic and potential abnormal behavior patterns that may violate physical constraints. This information entanglement makes it difficult for subsequent models to directly measure the degree of violation of physical rules by communication behavior. Therefore, in the technical solution of this application, the consistency and inconsistency features of the context request embedding are further decoupled based on the gating vector to obtain consistent and inconsistency features. This gating signal is used to explicitly decompose the original communication request features, which mix normal and abnormal information, into two independent components with clear physical interpretations. In this way, like a sophisticated information filter, a high signal-to-noise ratio abnormal indication feature can be accurately separated, thus directly and explicitly characterizing the degree of violation of physical constraints by communication behavior, greatly enhancing the model's sensitivity to logically contradictory attacks.

[0036] More specifically, in a concrete example of this application, the implementation of feature decoupling relies strictly on the interactive gating vector generated in the preceding steps. Specifically, the gating vector g and its complement (1-g) are applied to filter and reconstruct the context request embedding C_req through a Hadamard product. This mathematical operation achieves soft weighting and splitting of information along the feature channel dimension.

[0037] The formula for calculating the consistency feature is as follows:

[0038] The formula for calculating inconsistency features is as follows:

[0039] in, Represents consistency characteristics. Represents inconsistency characteristics. This is the gate vector calculated in the previous step. Embedded for context request, Represents the Hadamard product operation. This represents a vector where all elements are 1. In this embodiment, the calculation process for consistency features retains all request information that conforms to the current physical logic. For example, when the water pump is operating normally and its speed is stable, the speed reading command issued by the host computer will be recognized as highly reasonable by the gating vector, and its feature energy will be mainly retained in the consistency features. The calculation of inconsistency features, on the other hand, specifically captures and amplifies contradictory signals that contradict physical reality. For example, in a state where a critical valve has been confirmed closed, a high-frequency communication requesting valve flow will have most of its feature energy allocated to the inconsistency features in this step. Through this mechanism, even if an attacker forges a read message conforming to the Modbus protocol specification, as long as the content of their request is logically mutually exclusive with the physical state (valve closed), the model can pass the test. The component captures this significant logical conflict, thereby effectively identifying the hidden attack intent.

[0040] In step S430, the context state embedding, consistent features, and inconsistent features are subjected to multimodal enhanced fusion to obtain a joint context encoding vector of communication behavior-physical state information. It is understood that after successfully decoupling consistent and inconsistent features, a final fusion representation with higher information density and a better structure than the original fusion mechanism needs to be constructed. This final fusion representation is used for multimodal enhanced fusion of the state embedding, consistent features, and inconsistent features to obtain the joint context encoding vector of communication behavior-physical state information. This integrates the objective state of the physical scene, the logical communication intent, and potential violation / conflict signals into a single, enhanced, multidimensional vector that characterizes the current system state. By injecting inconsistent features as an independent, explicit dimension into the final representation, the learning difficulty of downstream tasks is greatly reduced, allowing the model to directly utilize this strong signal to more accurately and robustly identify anomalies, especially sophisticated attacks designed to exploit physical-information logic vulnerabilities. For example, it can effectively identify heating rod activation commands issued under high temperature and pressure in a reactor, preventing catastrophic accidents.

[0041] More specifically, in a particular example of this application, step three of the preferred embodiment is enhanced multimodal representation fusion. The fusion operation is implemented through vector concatenation. Specifically, the original physical state context embedding, the decoupled consistency request features, and the inconsistency request features are first concatenated along the channel dimension to form a long vector. Then, a fully connected layer maps the concatenated long vector back to the preset hidden layer dimension to achieve full feature mixing and dimensionality reduction.

[0042] Specifically, in step S500, the joint context encoding vector of communication behavior and physical state information is jointly reconstructed to obtain a reconstruction request sequence and a reconstruction state sequence. It is understood that, under normal operating conditions, SCADA systems follow strict physical-information interaction rules, and there is a stable spatiotemporal correlation and causal consistency between their communication commands and physical states. Malicious attacks or abnormal behaviors will inevitably disrupt this inherent joint distribution pattern, making it difficult for models trained based on normal patterns to accurately reconstruct the original data from potentially conflicting representations. Therefore, in the technical solution of this application, the joint context encoding vector of communication behavior and physical state information is further jointly reconstructed to obtain a reconstruction request sequence and a reconstruction state sequence. This utilizes the memory capability of deep neural networks for normal joint distributions to reverse-verify the cross-modal consistency and rationality of the current input. This ensures that any abnormal disturbance that violates the physical control logic will be transformed into a significant reconstruction error, thereby quantifying hidden logical attacks into measurable numerical differences and providing solid data support for subsequent anomaly scoring.

[0043] More specifically, in a concrete example of this application, the joint reconstruction process employs a parallel dual-tower decoding architecture symmetrical to the encoding stage structure. This process first uses the joint context encoding vector of communication behavior and physical state information generated in the preceding steps as a shared latent semantic input, feeding it into both the communication decoder and the state decoder. For the reconstruction of the communication mode, the highly compressed joint features are progressively demapped back to the original request feature space through a multi-layered back-attention mechanism and feedforward network within the communication decoder. This predicts the most likely Modbus function code category, register address index, and communication traffic load value at each time step, thereby generating a reconstruction request sequence consistent with the original input dimension. Simultaneously, for the reconstruction of the physical state, the same joint encoding vector is mapped back to the physical signal space through the state decoder. Regression logic is used to inversely deduce the expected readings of each sensor within the time window, such as reconstructing the corresponding pump voltage value or valve opening percentage, thus generating a time-aligned reconstruction state sequence. This dual-parallel reconstruction mechanism forces the model to simultaneously consider the accuracy of communication semantics and the fidelity of the physical state, ensuring that the reconstruction result faithfully reflects the physical-information joint logic. In one optional embodiment, to enable those skilled in the art to clearly implement the AI ​​model in this application, the training process of the joint reconstruction network can adopt an unsupervised learning approach: First, a training set is constructed by selecting historical SCADA raw request data streams and raw state data streams containing only normal operating conditions; then, following the preprocessing and feature extraction process in steps S100-S500, the request sequence and state sequence are input into an end-to-end neural network composed of a dual-tower Transformer encoder, a cross-modal fusion module, and a parallel dual-tower decoder; the weighted sum of the reconstruction errors between the request sequence and the reconstructed request sequence, and between the state sequence and the reconstructed state sequence, is used as the loss function, and the network parameters are iteratively updated through backpropagation and gradient descent algorithms. In the loss function, the weight coefficients of the request modality reconstruction loss and the state modality reconstruction loss can be configured according to the safety concerns of different industrial scenarios, for example, increasing the weight of the state modality reconstruction loss in scenarios with higher physical safety requirements. Through the above training process, the model learns the joint distribution between communication behavior and physical state based only on normal samples, thereby enabling effective detection of abnormal behavior using reconstruction errors during the inference phase.

[0044] Specifically, in step S600, an anomaly score is calculated based on the request sequence, the reconstructed request sequence, the state sequence, and the reconstructed state sequence. It is understood that since the deep neural network model trained based on normal historical operating conditions has internalized the standard spatiotemporal mapping logic between communication commands and physical states in the SCADA system, when the system faces anomalies such as man-in-the-middle attacks tampering with commands or malicious injection of illegal operations, the heterogeneous data patterns input will not be compatible with the inherent decoding rules within the model. This inevitably leads to the model-generated reconstructed data being difficult to restore the original input, resulting in significant residuals. Therefore, in the technical solution of this application, an anomaly score is further calculated based on the request sequence, the reconstructed request sequence, the state sequence, and the reconstructed state sequence. Specifically, the difference between the request sequence and the reconstructed request sequence is calculated to obtain the request mode anomaly sub-score, and the difference between the state sequence and the reconstructed state sequence is calculated to obtain the state mode anomaly sub-score. The weighted sum of these two sub-scores is then calculated as the final result, thereby comprehensively quantifying the degree to which the current system behavior deviates from the normal baseline from both the information domain fidelity and physical domain consistency dimensions. In this way, complex cross-modal logic violations can be compressed into an intuitive and sensitive scalar indicator, ensuring that the model can not only identify statistical anomalies within a single modality, but also keenly capture the hidden threat of mismatch between communication intent and physical state through the surge in reconstruction error, providing reliable numerical basis for subsequent accurate alarms.

[0045] Figure 5 This is a flowchart illustrating the calculation of anomaly scores based on request sequences, reconstructed request sequences, state sequences, and reconstructed state sequences in an AI-based SCADA data request behavior anomaly detection method according to embodiments of this application. Figure 5 As shown, step S600 further includes: S610, calculating the reconstruction error between the request sequence and the reconstruction request sequence to obtain the request modality anomaly sub-segment; S620, calculating the reconstruction error between the state sequence and the reconstruction state sequence to obtain the state modality anomaly sub-segment; S630, calculating the weighted sum between the request modality anomaly sub-segment and the state modality anomaly sub-segment to obtain the anomaly score.

[0046] In step S610, the reconstruction error between the request sequence and the reconstructed request sequence is calculated to obtain the request modality anomaly sub-fraction. It is understood that, since legitimate communication behaviors in SCADA systems strictly adhere to predefined protocol specifications and periodic business operation patterns, any malicious network intrusion or abnormal behavior, such as unauthorized port scanning, function code fuzzing, or illegal high-frequency instruction injection, will inevitably cause the feature distribution of the current request sequence to deviate significantly from the low-dimensional manifold learned by the model on normal training data. Therefore, in the technical solution of this application, the reconstruction error between the request sequence and the reconstructed request sequence is further calculated to obtain the request modality anomaly sub-fraction, thereby quantifying the degree of distortion of the current communication behavior in the feature reconstruction process at the numerical level. This allows for the keen detection of abnormal fluctuations within the information domain, transforming abstract protocol violations or traffic mutations into computable scalar indicators, thus providing direct data criteria for identifying attacks at the pure network layer.

[0047] More specifically, in a concrete example of this application, the calculation process of the request modality anomaly sub-fraction employs an element-wise distance metric strategy based on vector space. First, the original request sequence tensor, which serves as input, and the reconstructed request sequence tensor, output by the decoder, are strictly aligned in the time dimension. Then, for continuous feature components in the feature vector, such as the normalized Modbus packet payload length or communication time interval, a mean squared error algorithm is applied to calculate the squared Euclidean distance between the original and reconstructed values ​​to capture abnormal deviations in traffic intensity. Simultaneously, for discrete feature components in the feature vector, such as embedding vectors representing function codes or register addresses, the vector norm distance between the original and reconstructed embedding vectors is calculated to capture logical tampering of control semantics. Finally, the error values ​​of all time steps and all feature dimensions within the current time window are accumulated or averaged to generate a single non-negative real number as the request modality anomaly sub-fraction. This value directly represents the probability confidence that the current communication sequence does not belong to the set of normal communication behaviors.

[0048] In step S620, the reconstruction error between the state sequence and the reconstructed state sequence is calculated to obtain the state mode anomaly sub-fraction. It is understood that because the physical processes in SCADA systems strictly follow natural laws such as the law of inertia and thermodynamic mechanisms, sensor readings exhibit highly stable continuity and multi-variable collaborative change patterns within a normal production cycle. However, malicious tampering with physical equipment, sensor spoofing attacks, or mechanical failures of the equipment itself often lead to abrupt changes or statistical distribution shifts in physical parameters that violate the logic of physical evolution. This makes it impossible for deep learning models trained based on normal physical laws to accurately reproduce these unlearned abnormal states. Therefore, in the technical solution of this application, the reconstruction error between the state sequence and the reconstructed state sequence is further calculated to obtain the state mode anomaly sub-fraction, thereby accurately quantifying the deviation between the current operating state and the normal baseline predicted by the model from the perspective of physical signals. This ensures that the model has a keen ability to perceive anomalies in the physical domain, transforming complex equipment failures or false data injection behaviors that are difficult to define through rules into significant numerical residuals, thus completing a key piece of the physical side puzzle for constructing a full-dimensional anomaly detection index system.

[0049] More specifically, in a concrete example of this application, the calculation process of the state mode anomaly sub-fraction is performed within a multidimensional physical feature space using a difference measure based on the Frobenius norm or mean square error. First, the original state sequence collected by field sensors and normalized within this time window is locked. This sequence contains a series of high-dimensional state vectors strictly arranged according to time steps, where each dimension directly corresponds to a specific physical monitoring indicator, such as the real-time pressure value of a water pipeline, the motor speed value of a centrifugal pump, and the feedback opening degree of a regulating valve. Simultaneously, a reconstructed state sequence output by the state tower decoder is acquired, representing the ideal physical state trajectory inferred by the model based on the current context information. Subsequently, a time-step, dimension-by-dimensional numerical comparison is performed on these two sequences, calculating the squared difference between the normalized observation value and the model reconstructed value. For example, if at a certain moment the actual reading of the water pressure sensor shows an abnormally sharp drop due to an attack, while the model predicts that the water pressure should remain stable based on the previously stable physical inertia, the huge numerical difference between the two will immediately generate a high squared error. Finally, the error values ​​of all time steps and all physical dimensions within the window are accumulated or averaged to output a single non-negative real number as the state mode anomaly sub-component. The magnitude of this value directly reflects the severity of the current physical process violating the normal operating rules.

[0050] In step S630, a weighted sum between the request modality anomaly subset and the state modality anomaly subset is calculated to obtain the anomaly score. It is understood that complex attacks against industrial control systems often exhibit asymmetric anomaly characteristics in the information and physical domains. For example, slow and covert logic attacks may cause extremely small disturbances at the communication traffic level, but can lead to significant cumulative deviations in the physical state. Conversely, network scanning attacks may only cause communication anomalies without immediate physical consequences. Relying solely on a single-dimensional anomaly metric is insufficient to comprehensively assess the overall threat level of the system. Therefore, in the technical solution of this application, a weighted sum between the request modality anomaly subset and the state modality anomaly subset is further calculated to obtain the anomaly score. This integrates evidence of violations from the communication behavior dimension with evidence of logical conflicts from the physical state dimension into a unified quantitative indicator. This ensures that the final anomaly score dynamically reflects the comprehensive risk level of heterogeneous data sources, avoids underreporting high-risk threats that are significant only in a single aspect, and provides an adjustable and standardized scalar basis for subsequent threshold determination mechanisms.

[0051] More specifically, in a concrete example of this application, the anomaly score synthesis logic employs a linear weighting mechanism based on a preset sensitivity coefficient. First, the request modality anomaly sub-segment, representing the degree of communication protocol violation, and the state modality anomaly sub-segment, representing the degree of physical logic violation, are read from the preceding steps. Then, a weight coefficient ranging from zero to one is introduced, configured according to the security requirements of the specific industrial scenario. For example, in a petrochemical production scenario with extremely high physical safety requirements, the state modality anomaly sub-segment is configured to have a higher weight proportion to improve the model's sensitivity to physical parameter anomalies. Finally, the two sub-segments are summed according to the linear weighting formula: the product of the request modality anomaly sub-segment and the weight coefficient is added to the product of the state modality anomaly sub-segment and the complement of the weight coefficient, generating the final comprehensive anomaly score. This score serves as the final decision variable for the current time window and is directly input into the alarm module for subsequent processing.

[0052] Specifically, in step S700, dynamic threshold judgment and alarm are performed based on the anomaly score to obtain an alarm signal. It is understood that due to the highly dynamic and time-varying operating environment of industrial control systems, normal production cycles, load fluctuations, or operating condition switching can cause natural drift in the system's behavioral baseline. If a fixed static threshold is used for judgment, false alarms are easily generated during legitimate high-load periods or missed alarms during covert attacks. Therefore, in the technical solution of this application, dynamic threshold judgment and alarm are further performed based on the anomaly score to obtain an alarm signal. This includes comparing the anomaly score with a dynamic threshold, and generating the alarm signal in response to the anomaly score being greater than the dynamic threshold. This establishes a flexible decision boundary that can adaptively adjust to follow the historical statistical distribution of the system. This effectively distinguishes normal system state drift from genuine malicious attack disturbances, significantly reducing the false alarm rate caused by changes in operating conditions, while ensuring that the alarm signal has extremely high confidence and operability.

[0053] More specifically, in a concrete example of this application, the alarm determination process first relies on a sliding window mechanism that maintains recent historical anomaly scores. The moving average and moving standard deviation of the historical scores within this window are calculated in real time, and a dynamic threshold reflecting the upper limit of the current system's normal fluctuation range is constructed based on statistical principles (such as the 3-sigma criterion). Subsequently, a numerical comparison operation is performed, comparing the comprehensive anomaly score calculated for the current time window with this real-time dynamic threshold. Once the current anomaly score is detected to strictly exceed the dynamic threshold, it is determined that there is an anomaly in the communication behavior or physical state within the current time window, and alarm generation logic is immediately triggered. This logic constructs and outputs a structured alarm signal containing rich contextual information. This signal not only marks the precise timestamp of the anomaly occurrence and the anomaly score value, but also further encapsulates the specific request instruction ID and physical sensor channel identifier that caused the largest reconstruction error, thereby providing security operations personnel with direct evidence for fault location or attack tracing.

[0054] In summary, the AI-based SCADA data request behavior anomaly detection method according to the embodiments of this application is explained. First, the original request data stream and physical state data stream are multimodally serialized and temporally aligned. Then, a dual-tower Transformer structure is used to extract deep contextual features of communication behavior and physical state in parallel. Next, through a cross-modal gating interaction mechanism, the consistency and inconsistency features between communication behavior and physical state are explicitly decoupled and enhanced, generating a joint context code containing physical-information causal logic. Finally, based on joint reconstruction error analysis and dynamic threshold determination of the communication and state sequences, accurate identification of abnormal behavior is achieved. This method effectively improves the detection accuracy and robustness of industrial control systems facing deep camouflage threats by constructing a logical constraint model of physical state on communication requests.

[0055] Furthermore, an AI-based SCADA data request behavior anomaly detection system is also provided.

[0056] Figure 6 This is a block diagram of an AI-based SCADA data request behavior anomaly detection system according to an embodiment of this application. Figure 6 As shown, the AI-based SCADA data request behavior anomaly detection system 100 according to an embodiment of this application includes: a data acquisition module 110, used to acquire the original request data stream and the original state data stream; a multimodal serialization and feature embedding module 120, used to perform multimodal serialization and feature embedding on the original request data stream and the original state data stream to obtain a request sequence and a state sequence; a dual-tower Transformer encoding module 130, used to perform dual-tower Transformer encoding on the request sequence and the state sequence to obtain a context request embedding and a context state embedding; a cross-modal fusion module 140, used to perform cross-modal fusion on the context request embedding and the context state embedding to obtain a joint context encoding vector of communication behavior-physical state information; a joint reconstruction module 150, used to perform joint reconstruction on the joint context encoding vector of communication behavior-physical state information to obtain a reconstructed request sequence and a reconstructed state sequence; an anomaly score calculation module 160, used to calculate an anomaly score based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence; and an alarm signal acquisition module 170, used to perform dynamic threshold judgment and alarm based on the anomaly score to obtain an alarm signal.

[0057] As described above, the AI-based SCADA data request behavior anomaly detection system 100 according to the embodiments of this application can be implemented in various types of computing devices or control units. For example, it can be deployed in industrial control host computers in industrial sites, industrial security audit gateways directly connected to programmable logic controllers, or core switch bypass monitoring servers integrated into the SCADA network of a dispatch center. In one possible implementation, the AI-based SCADA data request behavior anomaly detection system 100 according to the embodiments of this application can be integrated into the computing device as a software module and / or hardware module. For example, the AI-based SCADA data request behavior anomaly detection system 100 can be an intelligent security monitoring module in the operating system of the computing device or edge node. This software module is configured to perform multimodal serialization alignment of original requests and state data, communication behavior and physical state context encoding based on dual-tower Transformer, decoupling of consistency and inconsistency features based on gating mechanisms, and anomaly scoring calculation based on joint reconstruction error. Alternatively, it can be a dedicated industrial control system intrusion detection algorithm program developed for the computing device. Of course, the AI-based SCADA data request behavior anomaly detection system 100 can also be one of the many hardware modules of the computing device or control unit, or it can be embedded in a field-programmable gate array circuit to accelerate the self-attention mechanism operation and cross-modal feature fusion process of the dual-tower Transformer model in parallel, or it can be used as an AI security coprocessor for a specific application.

[0058] The various embodiments of this disclosure have been described above. These descriptions are exemplary and not exhaustive, nor are they limited to the disclosed embodiments. Many modifications and variations will be apparent to those skilled in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen to best explain the principles, practical application, or improvement of the technology in the market, or to enable others skilled in the art to understand the embodiments disclosed herein.

Claims

1. An AI-based method for detecting abnormal SCADA data request behavior, characterized in that, include: Obtain the raw request data stream and the raw state data stream; Multimodal serialization and feature embedding are performed on the original request data stream and the original state data stream to obtain the request sequence and the state sequence; Dual-tower Transformer encoding is performed on the request sequence and state sequence to obtain the context request embedding and the context state embedding; Cross-modal fusion of context request embedding and context state embedding is performed to obtain a joint context encoding vector of communication behavior-physical state information; The joint context encoding vector of communication behavior and physical state information is jointly reconstructed to obtain the reconstruction request sequence and the reconstruction state sequence; Calculate the anomaly score based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence. Dynamic threshold judgment and alarm are performed based on abnormal scores to obtain alarm signals.

2. The AI-based SCADA data request behavior anomaly detection method according to claim 1, characterized in that, Multimodal serialization and feature embedding are performed on the original request data stream and the original state data stream to obtain the request sequence and state sequence, including: Feature separation and extraction are performed on each request event in the original request data stream to obtain discrete and continuous features; Discrete features are embedded into discrete features and continuous features are normalized to obtain discrete feature embedding vectors and normalized continuous features. The discrete feature embedding vectors and normalized continuous features are then concatenated to obtain the requested comprehensive feature vector. The physical state snapshots at each timestamp in the original state data stream are normalized to obtain the state vector.

3. The AI-based SCADA data request behavior anomaly detection method according to claim 1, characterized in that, Dual-Tower Transformer encoding is performed on the request sequence and state sequence to obtain the context request embedding and context state embedding, including: Input the request sequence into the communication tower encoder to obtain the context request embedding; The state sequence is input into the state tower encoder to obtain the context state embedding.

4. The AI-based SCADA data request behavior anomaly detection method according to claim 1, characterized in that, Cross-modal fusion of the context request embedding and the context state embedding yields a joint context encoding vector of communication behavior-physical state information, including: Perform cross-modal gating interaction between context request embeddings and context state embeddings to obtain gating vectors; Based on the gated vector, the consistent and inconsistent features of the context request embedding are decoupled to obtain consistent and inconsistent features. Multimodal enhancement fusion of context state embedding, consistent features, and inconsistent features is performed to obtain a joint context encoding vector of communication behavior-physical state information.

5. The AI-based SCADA data request behavior anomaly detection method according to claim 4, characterized in that, Based on the gated vector, the context request embedding is decoupled from consistency and inconsistency features to obtain consistent and inconsistency features, including: decoupling the context request embedding from consistency and inconsistency features using the following formula: in, Represents consistency characteristics; Represents inconsistency; This is the gate vector; Embedded for context request; Represents the Hadamard product operation; A vector representing all elements equal to 1.

6. The AI-based SCADA data request behavior anomaly detection method according to claim 1, characterized in that, Based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence, anomaly scores are calculated, including: Calculate the reconstruction error between the request sequence and the reconstructed request sequence to obtain the request modality anomaly sub-segment; The reconstruction error between the state sequence and the reconstructed state sequence is calculated to obtain the state mode anomaly sub-fraction; The anomaly score is obtained by calculating a weighted sum between the request modality anomaly sub-segment and the state modality anomaly sub-segment.

7. The AI-based SCADA data request behavior anomaly detection method according to claim 1, characterized in that, Dynamic threshold judgment and alarm based on anomaly scores to obtain alarm signals, including: Compare outlier scores with dynamic thresholds; The alarm signal is generated in response to an abnormal score exceeding a dynamic threshold.

8. An AI-based SCADA data request behavior anomaly detection system, characterized in that, include: The data acquisition module is used to acquire the original request data stream and the original status data stream; The multimodal serialization and feature embedding module is used to perform multimodal serialization and feature embedding on the original request data stream and the original state data stream to obtain the request sequence and the state sequence; The dual-tower Transformer encoding module is used to perform dual-tower Transformer encoding on request sequences and state sequences to obtain context request embeddings and context state embeddings. The cross-modal fusion module is used to perform cross-modal fusion of context request embedding and context state embedding to obtain a joint context encoding vector of communication behavior-physical state information; The joint reconstruction module is used to jointly reconstruct the joint context encoding vector of communication behavior-physical state information to obtain the reconstruction request sequence and the reconstruction state sequence. The anomaly score calculation module is used to calculate the anomaly score based on the request sequence and the reconstructed request sequence, as well as the state sequence and the reconstructed state sequence. The alarm signal acquisition module is used to perform dynamic threshold judgment and alarm based on the anomaly score to obtain alarm signals.

9. The AI-based SCADA data request behavior anomaly detection system according to claim 8, characterized in that, The multimodal serialization and feature embedding module includes: The feature separation and extraction unit is used to separate and extract features from each request event in the original request data stream to obtain discrete features and continuous features; The module for requesting the comprehensive feature vector acquisition is used to perform discrete feature embedding on discrete features and feature normalization on continuous features to obtain discrete feature embedding vectors and normalized continuous features, and to concatenate the discrete feature embedding vectors and normalized continuous features to obtain the requested comprehensive feature vector. The snapshot normalization unit is used to normalize the physical state snapshots of each timestamp in the original state data stream to obtain the state vector.

10. The AI-based SCADA data request behavior anomaly detection system according to claim 8, characterized in that, The cross-modal fusion module includes: A cross-modal gating interaction unit is used to perform cross-modal gating interaction on context request embedding and context state embedding to obtain gating vectors; The feature decoupling unit is used to decouple consistent and inconsistent features from the context request embedding based on the gating vector to obtain consistent and inconsistent features; The multimodal enhancement fusion unit is used to perform multimodal enhancement fusion on context state embedding, consistent features and inconsistent features to obtain a joint context encoding vector of communication behavior-physical state information.