15 Commits

Author SHA1 Message Date
DaZuo0122
250428b176 Add: README.md for latex compiling 2026-02-05 17:06:27 +08:00
Hongyu Yan
6f1e7a9994 Update main.tex 2026-02-04 23:02:58 +08:00
Hongyu Yan
b3280dcc19 Update main.tex 2026-02-04 22:48:59 +08:00
Hongyu Yan
de445963b5 Update main.tex 2026-02-04 22:45:41 +08:00
Hongyu Yan
5ede1a11f1 The first draft is completed. 2026-02-04 22:37:35 +08:00
Hongyu Yan
21053b4f13 Future Work Part Complete 2026-02-04 22:21:42 +08:00
Hongyu Yan
a7c8250d1a Reapply "Update references.bib"
This reverts commit 03640302db.
2026-02-04 22:18:35 +08:00
Hongyu Yan
03640302db Revert "Update references.bib"
This reverts commit 3a9836d15d.
2026-02-04 22:16:52 +08:00
Hongyu Yan
3a9836d15d Update references.bib
Solve the ref problem of HAI dataset
2026-02-04 22:16:18 +08:00
DaZuo0122
1e3eb39dea Add: benchmark, bibtex shows error in line 377, should be reference for other section than benchmark/method 2026-02-04 22:13:46 +08:00
DaZuo0122
9f8af2c67c Add: reference for benchmark 2026-02-04 21:46:53 +08:00
272e159df1 Intro and Related Work Completed
- The reference of HAI dataset still has problems.
2026-02-04 19:39:36 +08:00
81625b5c4e Update .gitignore 2026-02-04 18:19:30 +08:00
DaZuo0122
4815d05127 Change: citations are now presented in numbers 2026-02-04 17:14:03 +08:00
DaZuo0122
5fbfd1068f Add: figure for benchmark section 2026-02-04 17:08:45 +08:00
5 changed files with 375 additions and 105 deletions

1
.gitignore vendored

@@ -5,3 +5,4 @@ arxiv-style/*.log
arxiv-style/*.blg arxiv-style/*.blg
arxiv-style/*.bbl arxiv-style/*.bbl
arxiv-style/*.out arxiv-style/*.out
.DS_Store

27
arxiv-style/README.md Normal file

@@ -0,0 +1,27 @@
## Files layout
- `arxiv.sty` and `template.tex`: The arxiv template we are using.
- `equations.tex`: **Duplicated**, contains equations in methodology section
- `main.tex` and `references.bib`:This prints out our paper, currently using arxiv template. Note that references are template independent.
## How to compile
It's recommanded to use `MiKTeX` as compiler on windows.
To compile latex into pdf, follow these steps:
```bash
pdflatex ./main.tex
# Build reference DB, run once unless references.bib updated
bibtex main
# Always running compiling command twice
pdflatex ./main.tex
pdflatex ./main.tex
```
## Troubleshooting
If you encounter warnings during the compiling process, simply press `Enter`.
If you find the reference in pdf is like `[??]`, compile twice.
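Review bot: The Troubleshooting line that says to "simply press `Enter`" when warnings appear tells readers to step past pdflatex's interactive prompt, which is how a real error gets skipped and a broken PDF gets produced. Suggest documenting `pdflatex -interaction=nonstopmode -halt-on-error ./main.tex` and pointing readers at `main.log` instead. Smaller points in the same hunk: "recommanded" should be "recommended"; `equations.tex` is marked **Duplicated** without saying what it duplicates or whether it is still an input of `main.tex` (if it is unused, say "deprecated" or delete the file); there is no space after the colon in `references.bib`:; and the comment on `bibtex main` should say it must also be rerun when the citations in `main.tex` change, not only when `references.bib` is updated.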

Binary file not shown.


@@ -14,41 +14,49 @@
\usepackage{cleveref} % smart cross-referencing \usepackage{cleveref} % smart cross-referencing
\usepackage{lipsum} % Can be removed after putting your text content \usepackage{lipsum} % Can be removed after putting your text content
\usepackage{graphicx} \usepackage{graphicx}
\usepackage{natbib} \usepackage[numbers]{natbib}
\usepackage{doi} \usepackage{doi}
% Packages for equations % Packages for equations
\usepackage{amssymb} \usepackage{amssymb}
\usepackage{bm} \usepackage{bm}
\usepackage{array} % For column formatting
\usepackage{caption} % Better caption spacing
% 标题 % 标题
\title{Your Paper Title: A Deep Learning Approach for Something} \title{Mask-DDPM: Transformer-Conditioned Mixed-Type Diffusion for Semantically Valid ICS Telemetry Synthesis}
% 若不需要日期,取消下面一行的注释 % 若不需要日期,取消下面一行的注释
%\date{} \date{}
\newif\ifuniqueAffiliation \newif\ifuniqueAffiliation
\uniqueAffiliationtrue \uniqueAffiliationtrue
\ifuniqueAffiliation % 标准作者块 \ifuniqueAffiliation % 标准作者块
\author{ \author{
David S.~Hippocampus \\ Zhenglan Chen \\
Department of Computer Science\\ Aberdeen Institute of Data Science and Artificial Intelligence\\
Cranberry-Lemon University\\ South China Normal University\\
Pittsburgh, PA 15213 \\ Guangzhou, Guangdong 510631, China \\
\texttt{hippo@cs.cranberry-lemon.edu} \\ \texttt{20223803054@m.scnu.edu.cn} \\
\And \And
Elias D.~Striatum \\ Mingzhe Yang \\
Department of Electrical Engineering\\ Aberdeen Institute of Data Science and Artificial Intelligence\\
Mount-Sheikh University\\ South China Normal University\\
Santa Narimana, Levand \\ Guangzhou, Guangdong 510631, China \\
\texttt{stariate@ee.mount-sheikh.edu} \\ \texttt{20223803063@m.scnu.edu.cn} \\
\And \And
John Q.~Doe \\ Hongyu Yan \\
Department of Mathematics\\ Aberdeen Institute of Data Science and Artificial Intelligence\\
University of California, Berkeley\\ South China Normal University\\
Berkeley, CA 94720 \\ Guangzhou, Guangdong 510631, China \\
\texttt{johndoe@math.berkeley.edu} \texttt{20223803065@m.scnu.edu.cn}
\And
Huan Yang \\
foo\\
South China Normal University\\
Guangzhou, Guangdong 510631, China \\
\texttt{foo@bar.com} \\
} }
\fi \fi
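Review bot: The new fourth author block still has placeholder values, `foo` as the affiliation line and `\texttt{foo@bar.com}` as the e-mail, and both will be printed in the title block as written; fill them in before this is built for circulation, or leave the block out until the details are known. The line endings around it are also inconsistent: `\texttt{20223803065@m.scnu.edu.cn}` has no `\\` before the added `\And` while the two earlier author entries do, and the last block ends in `\\` directly before the closing `}`. Pick one convention (the earlier entries' `\\` before `\And`, nothing after the final e-mail). Since `\date{}` is now active, the stale comment above it about uncommenting the line can go.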
@@ -67,16 +75,22 @@ pdfkeywords={Keyword1, Keyword2, Keyword3},
\maketitle \maketitle
\begin{abstract} \begin{abstract}
Here is the abstract of your paper. Industrial control systems (ICS) security research is increasingly constrained by the scarcity and non-shareability of realistic traffic and telemetry, especially for attack scenarios. To mitigate this bottleneck, we study synthetic generation at the protocol feature/telemetry level, where samples must simultaneously preserve temporal coherence, match continuous marginal distributions, and keep discrete supervisory variables strictly within valid vocabularies. We propose Mask-DDPM, a hybrid framework tailored to mixed-type, multi-scale ICS sequences. Mask-DDPM factorizes generation into (i) a causal Transformer trend module that rolls out a stable long-horizon temporal scaffold for continuous channels, (ii) a trend-conditioned residual DDPM that refines local stochastic structure and heavy-tailed fluctuations without degrading global dynamics, (iii) a masked (absorbing) diffusion branch for discrete variables that guarantees categorical legality by construction, and (iv) a type-aware decomposition/routing layer that aligns modeling mechanisms with heterogeneous ICS variable origins and enforces deterministic reconstruction where appropriate. Evaluated on fixed-length windows (L=96) derived from the HAI Security Dataset, Mask-DDPM achieves stable fidelity across seeds with mean KS = 0.3311 ± 0.0079 (continuous), mean JSD = 0.0284 ± 0.0073 (discrete), and mean absolute lag-1 autocorrelation difference = 0.2684 ± 0.0027, indicating faithful marginals, preserved short-horizon dynamics, and valid discrete semantics. The resulting generator provides a reproducible basis for data augmentation, benchmarking, and downstream ICS protocol reconstruction workflows.
\end{abstract} \end{abstract}
% 关键词 % 关键词
\keywords{Machine Learning \and Cyber Defense \and Benchmark \and Methodology} \keywords{Machine Learning \and Cyber Defense \and ICS}
% 1. Introduction % 1. Introduction
\section{Introduction} \section{Introduction}
\label{sec:intro} \label{sec:intro}
Here introduces the background, problem statement, and contribution. Industrial control systems (ICS) form the backbone of modern critical infrastructure, which includes power grids, water treatment, manufacturing, and transportation, among others. These systems monitor, regulate, and automate the physical processes through sensors, actuators, programmable logic controllers (PLCs), and monitoring software. Unlike conventional IT systems, ICS operate in real time, closely coupled with physical processes and safetycritical constraints, using heterogeneous and legacy communication protocols such as Modbus/TCP and DNP3 that were not originally designed with robust security in mind. This architectural complexity and operational criticality make ICS highimpact targets for cyber attacks, where disruptions can result in physical damage, environmental harm, and even loss of life. Recent reviews of ICS security highlight the expanding attack surface due to increased connectivity, legacy systems vulnerabilities, and the inadequacy of traditional security controls in capturing the nuances of ICS networks and protocols \citep{10.1007/s10844-022-00753-1, Nankya2023-gp}
While machine learning (ML) techniques have shown promise for anomaly detection and automated cybersecurity within ICS, they rely heavily on labeled datasets that capture both benign operations and diverse attack patterns. In practice, real ICS traffic data, especially attacktriggered captures, are scarce due to confidentiality, safety, and legal restrictions, and available public ICS datasets are few, limited in scope, or fail to reflect current threat modalities. For instance, the HAI Security Dataset provides operational telemetry and anomaly flags from a realistic control system setup for research purposes, but must be carefully preprocessed to derive protocolrelevant features for ML tasks \citep{shin}. Data scarcity directly undermines model generalization, evaluation reproducibility, and the robustness of intrusion detection research, especially when training or testing ML models on realistic ICS behavior remains confined to small or outdated collections of examples \citep{info16100910}.
Synthetic data generation offers a practical pathway to mitigate these challenges. By programmatically generating featurelevel sequences that mimic the statistical and temporal structure of real ICS telemetry, researchers can augment scarce training sets, standardize benchmarking, and preserve operational confidentiality. Relative to raw packet captures, featurelevel synthesis abstracts critical protocol semantics and statistical patterns without exposing sensitive fields, making it more compatible with safety constraints and compliance requirements in ICS environments. Modern generative modeling, including diffusion models, has advanced significantly in producing highfidelity synthetic data across domains. Diffusion approaches, such as denoising diffusion probabilistic models, learn to transform noise into coherent structured samples and have been successfully applied to tabular or time series data synthesis with better stability and data coverage compared to adversarial methods \citep{pmlr-v202-kotelnikov23a, rasul2021autoregressivedenoisingdiffusionmodels}
Despite these advances, most existing work either focuses on packetlevel generation \citep{jiang2023netdiffusionnetworkdataaugmentation} or is limited to generic tabular data \citep{pmlr-v202-kotelnikov23a}, rather than domainspecific control sequence synthesis tailored for ICS protocols where temporal coherence, multichannel dependencies, and discrete protocol legality are jointly required. This gap motivates our focus on protocol feature-level generation for ICS, which involves synthesizing sequences of protocol-relevant fields conditioned on their temporal and cross-channel structure. In this work, we formulate a hybrid modeling pipeline that decouples longhorizon trends and local statistical detail while preserving discrete semantics of protocol tokens. By combining causal Transformers with diffusionbased refiners, and enforcing deterministic validity constraints during sampling, our framework generates semantically coherent, temporally consistent, and distributionally faithful ICS feature sequences. We evaluate features derived from the HAI Security Dataset and demonstrate that our approach produces highquality synthetic sequences suitable for downstream augmentation, benchmarking, and integration into packetconstruction workflows that respect realistic ICS constraints.
% 2. Related Work % 2. Related Work
\section{Related Work} \section{Related Work}
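Review bot: Many compounds in the new Introduction have no hyphen at all (`safetycritical`, `highimpact`, `attacktriggered`, `protocolrelevant`, `featurelevel`, `highfidelity`, `packetlevel`, `domainspecific`, `longhorizon`, `diffusionbased`, `highquality`, `packetconstruction`), while others in the same text are hyphenated normally (`feature-level`, `cross-channel`). That pattern usually means a non-ASCII hyphen was pasted in and dropped; retype these with a plain `-` so the PDF matches the intent. Two sentences also end on a citation with no full stop (after `\citep{10.1007/s10844-022-00753-1, Nankya2023-gp}` and after `\citep{pmlr-v202-kotelnikov23a, rasul2021autoregressivedenoisingdiffusionmodels}`). In the abstract, `L=96` should be in math mode and the literal `±` should be `$\pm$` to match the table added later in this patch. The context line in the hunk header shows `pdfkeywords={Keyword1, Keyword2, Keyword3}` is still the template placeholder even though `\keywords` is updated here.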
@@ -237,18 +251,62 @@ At inference time, generation follows the same structured order: (i) trend $\hat
% 4. Benchmark % 4. Benchmark
\section{Benchmark} \section{Benchmark}
\label{sec:benchmark} \label{sec:benchmark}
In this section, we present the experimental setup and results. We evaluate the proposed pipeline on feature sequences derived from the HAI Security Dataset, using fixed-length windows (L=96) that preserve the mixed-type structure of ICS telemetry. The goal of this benchmark is not only to report “overall similarity”, but to justify why the proposed factorization is a better fit for protocol feature synthesis: continuous channels must match physical marginals \citep{coletta2023constrained}, discrete channels must remain semantically legal, and both must retain short-horizon dynamics that underpin state transitions and interlocks \citep{yang2001interlock}.
This emphasis reflects evaluation practice in time-series generation, where strong results are typically supported by multiple complementary views (marginal fidelity, dependency/temporal structure, and downstream plausibility), rather than a single aggregate score \citep{stenger2024survey}. In the ICS setting, this multi-view requirement is sharper: a generator that matches continuous marginals while emitting out-of-vocabulary supervisory tokens is unusable for protocol reconstruction, and a generator that matches marginals but breaks lag structure can produce temporally implausible command/response sequences.
Recent ICS time-series generators often emphasize aggregate similarity scores and utility-driven evaluations (e.g., anomaly-detection performance) to demonstrate realism, which is valuable but can under-specify mixed-type protocol constraints. Our benchmark complements these practices by making mixed-type legality and per-feature distributional alignment explicit: discrete outputs are evaluated as categorical distributions (JSD) and are constrained to remain within the legal vocabulary by construction, while continuous channels are evaluated with nonparametric distribution tests (KS) \citep{yoon2019timegan}. This combination provides a direct, protocol-relevant justification for the hybrid design, rather than relying on a single composite score that may mask discrete failures.
For continuous channels, we measure distributional alignment using the KolmogorovSmirnov (KS) statistic computed per feature between the empirical distributions of real and synthetic samples, and then averaged across features. For discrete channels, we quantify marginal fidelity with JensenShannon divergence (JSD) \citep{lin1991divergence,yoon2019timegan} between categorical distributions per feature, averaged across discrete variables. To assess temporal realism, we compare lag-1 autocorrelation at the feature level and report the mean absolute difference between real and synthetic lag-1 autocorrelation, averaged across features. In addition, to avoid degenerate comparisons driven by near-constant tags, features whose empirical standard deviation falls below a small threshold are excluded from continuous KS aggregation; such channels carry limited distributional information and can distort summary statistics.
\subsection{Quantitative results}
\label{sec:benchmark-quant}
Across all runs, the mean continuous KS is 0.3311 (std 0.0079) and the mean discrete JSD is 0.0284 (std 0.0073), indicating that the generator preserves both continuous marginals and discrete semantic distributions at the feature level. Temporal consistency is similarly stable across runs, with a mean lag-1 autocorrelation difference of 0.2684 (std 0.0027), suggesting that the synthesized windows retain short-horizon dynamical structure \citep{ni2021sigwasserstein} instead of collapsing to marginal matching alone. The best-performing instance (by mean KS) attains 0.3224, and the small inter-seed variance shows that the reported fidelity is reproducible rather than driven by a single favorable initialization.
\begin{figure}[htbp]
\centering
\includegraphics[width=0.8\textwidth]{fig-overall-benchmark-v1.png}
% \caption{Description of the figure.}
\label{fig:benchmark}
\end{figure}
\begin{table}[htbp]
\centering
\caption{Summary of benchmark metrics. Lower values indicate better performance.}
\label{tab:metrics}
\begin{tabular}{@{}l l c c@{}}
\toprule
\textbf{Metric} & \textbf{Aggregation} & \textbf{Lower is better} & \textbf{Mean $\pm$ Std} \\
\midrule
KS (continuous) & mean over continuous features & \checkmark & 0.3311 $\pm$ 0.0079 \\
JSD (discrete) & mean over discrete features & \checkmark & 0.0284 $\pm$ 0.0073 \\
Abs $\Delta$ lag-1 autocorr & mean over features & \checkmark & 0.2684 $\pm$ 0.0027 \\
\bottomrule
\end{tabular}
\end{table}
To make the benchmark actionable (and comparable to prior work), we report type-appropriate, interpretable statistics instead of collapsing everything into a single similarity score. This matters in mixed-type ICS telemetry: continuous fidelity can be high while discrete semantics fail, and vice versa. By separating continuous (KS), discrete (JSD), and temporal (lag-1) views, the evaluation directly matches the design goals of the hybrid generator: distributional refinement for continuous residuals, vocabulary-valid reconstruction for discrete supervision, and trend-induced short-horizon coherence.
In addition, the seed-averaged reporting mirrors evaluation conventions in recent diffusion-based time-series generation studies, where robustness across runs is increasingly treated as a first-class signal rather than an afterthought. In this sense, the small inter-seed variance is itself evidence that the factorized training and typed routing reduce instability and localized error concentration, which is frequently observed when heterogeneous channels compete for the same modeling capacity.
% 5. Future Work % 5. Future Work
\section{Future Work} \section{Future Work}
\label{sec:future} \label{sec:future}
In this section, we present the future work. Future work will further expand from "generating legal ICS feature sequences" to "data construction and adversarial evaluation for security tasks". The core contribution of this paper focuses on generating feature sequences that are temporally consistent, have credible distributions, and have legal discrete values under mixed types and multi-scale dynamics. However, in the actual research of intrusion detection and anomaly detection, the more critical bottleneck is often the lack of "illegal data/anomaly data" with clear attack semantics and sufficient coverage. Therefore, a direct and important extension direction is to use the legal sequences generated in this paper as a controllable and reproducible "base line operation flow", and then, on the premise of maintaining sequence-level legality and engineering constraints, inject or mix illegal behaviors according to specified attack patterns, thereby systematically constructing a dataset for training and evaluating the recognition of illegal data packets.
Specifically, attack injection can be upgraded from "simple perturbation" to "semantically consistent patterned rewriting": on continuous channels, implement bias injection, covert manipulation near thresholds, instantaneous mutations, and intermittent bursts, etc., so that it can both mimic the temporal characteristics pursued by attackers for concealment and not violate the basic boundary conditions of process dynamics; on discrete channels, implement illegal state transitions, alarm suppression/delayed triggering, pattern camouflage, etc., so that it reflects the trajectory morphology of "unreachable but forcibly created" under real control logic. Furthermore, the attack injection process itself can be coordinated with the type routing and constraint layer in this paper: for deterministically derived variables, illegal behaviors should be transmitted through the modification of upstream variables to maintain consistency; for supervised variables constrained by finite-state machines, interpretable illegal transitions should be generated through the "minimum violation path" or "controlled violation intensity", and violation points and violation types should be explicitly marked to facilitate downstream detection tasks to learn more fine-grained discrimination criteria.
In terms of method morphology, this direction also naturally supports stronger controllability and measurability: attack patterns can be regarded as conditional variables to uniformly conditionally orchestrate legitimate generation and illegal injection, generating control samples of "different attack strategies under the same legitimate framework", thereby transforming dataset construction into a repeatable scenario generation process; meanwhile, by controlling the injection location, duration, amplitude, and coupling range, the performance degradation curves of detectors under different threat intensities and different operating condition stages can be systematically scanned, forming a more stable benchmark than "single acquisition/single script". Ultimately, this approach will transform the legitimate data generation capabilities presented in this paper into the infrastructure for security research: first providing a shareable and reproducible legitimate operation distribution, then injecting illegal patterns with clear semantics in a controllable manner, producing a dataset with sufficient coverage and consistent annotation for training and evaluating models that identify illegal packets/abnormal sequences, and promoting the improvement of reproducibility and engineering credibility in this direction.
% 6. Conclusion % 6. Conclusion
\section{Conclusion} \section{Conclusion}
\label{sec:conclusion} \label{sec:conclusion}
In this section, we summarize our contributions and future directions. This paper addresses the data scarcity and shareability barriers that limit machine-learning research for industrial control system (ICS) security by proposing a practical synthetic telemetry generation framework at the protocol feature level. We introduced Mask-DDPM, a hybrid generator designed explicitly for the mixed-type and multi-scale nature of ICS data, where continuous process dynamics must remain temporally coherent while discrete supervisory variables must remain categorically legal by construction.
Our main contributions are: (i) a causal Transformer trend module that provides a stable long-horizon temporal scaffold for continuous channels; (ii) a trend-conditioned residual DDPM that focuses modeling capacity on local stochastic detail and marginal fidelity without destabilizing global structure; (iii) a masked (absorbing) diffusion branch for discrete variables that guarantees in-vocabulary outputs and supports semantics-aware conditioning on continuous context; and (iv) a type-aware decomposition/routing layer that aligns model mechanisms with heterogeneous ICS variable origins (e.g., process inertia, step-and-dwell setpoints, deterministic derived tags), enabling deterministic enforcement where appropriate and improving capacity allocation.
We evaluated the approach on windows derived from the HAI Security Dataset and reported mixed-type, protocol-relevant metrics rather than a single aggregate score. Across seeds, the model achieves stable fidelity with mean KS = 0.3311 ± 0.0079 on continuous features, mean JSD = 0.0284 ± 0.0073 on discrete features, and mean absolute lag-1 autocorrelation difference 0.2684 ± 0.0027, indicating that Mask-DDPM preserves both marginal distributions and short-horizon dynamics while maintaining discrete legality.
Overall, Mask-DDPM provides a reproducible foundation for generating shareable, semantically valid ICS feature sequences suitable for data augmentation, benchmarking, and downstream packet/trace reconstruction workflows. Building on this capability, a natural next step is to move from purely legal synthesis toward controllable scenario construction, including structured attack/violation injection under engineering constraints to support adversarial evaluation and more comprehensive security benchmarks.
% 参考文献 % 参考文献
\bibliographystyle{unsrtnat} \bibliographystyle{unsrtnat}
\bibliography{references} \bibliography{references}
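Review bot: In the new figure environment the caption is commented out (`% \caption{Description of the figure.}`) but `\label{fig:benchmark}` is kept; without a `\caption` the label does not bind to a figure number, so any `\ref{fig:benchmark}` will print the enclosing section number instead. Add a real caption above the label, and reference the figure from the Quantitative results text, which currently never mentions it. Other points in this hunk: `KolmogorovSmirnov` and `JensenShannon` have lost their separator (write `Kolmogorov--Smirnov`, `Jensen--Shannon`); the Future Work paragraphs use straight `"..."` quotes, which LaTeX typesets as two closing quotes, so use the backtick and apostrophe form; the table relies on `\toprule`/`\midrule`/`\bottomrule`, so confirm `booktabs` is loaded, since it is not among the packages visible in the preamble hunk; and the text says the metrics are "comparable to prior work" while the table reports only the proposed model, so a reader cannot tell whether a mean KS of 0.3311 is good without at least one baseline row.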


@@ -1,3 +1,4 @@
Reference for Methodology Part
@inproceedings{vaswani2017attention, @inproceedings{vaswani2017attention,
title={Attention Is All You Need}, title={Attention Is All You Need},
author={Vaswani, Ashish and Shazeer, Noam and Parmar, Niki and Uszkoreit, Jakob and Jones, Llion and Gomez, Aidan N and Kaiser, {\L}ukasz and Polosukhin, Illia}, author={Vaswani, Ashish and Shazeer, Noam and Parmar, Niki and Uszkoreit, Jakob and Jones, Llion and Gomez, Aidan N and Kaiser, {\L}ukasz and Polosukhin, Illia},
@@ -116,6 +117,135 @@
url={https://csrc.nist.gov/pubs/sp/800/82/r3/final} url={https://csrc.nist.gov/pubs/sp/800/82/r3/final}
} }
Reference for Introduction Part
@article{10.1007/s10844-022-00753-1,
author = {Koay, Abigail M. Y. and Ko, Ryan K. L and Hettema, Hinne and Radke, Kenneth},
title = {Machine learning in industrial control system (ICS) security: current landscape, opportunities and challenges},
year = {2022},
issue_date = {Apr 2023},
publisher = {Kluwer Academic Publishers},
address = {USA},
volume = {60},
number = {2},
issn = {0925-9902},
url = {https://doi.org/10.1007/s10844-022-00753-1},
doi = {10.1007/s10844-022-00753-1},
abstract = {The advent of Industry 4.0 has led to a rapid increase in cyber attacks on industrial systems and processes, particularly on Industrial Control Systems (ICS). These systems are increasingly becoming prime targets for cyber criminals and nation-states looking to extort large ransoms or cause disruptions due to their ability to cause devastating impact whenever they cease working or malfunction. Although myriads of cyber attack detection systems have been proposed and developed, these detection systems still face many challenges that are typically not found in traditional detection systems. Motivated by the need to better understand these challenges to improve current approaches, this paper aims to (1) understand the current vulnerability landscape in ICS, (2) survey current advancements of Machine Learning (ML) based methods with respect to the usage of ML base classifiers (3) provide insights to benefits and limitations of recent advancement with respect to two performance vectors; detection accuracy and attack variety. Based on our findings, we present key open challenges which will represent exciting research opportunities for the research community.},
journal = {J. Intell. Inf. Syst.},
month = oct,
pages = {377405},
numpages = {29},
keywords = {Operational technology, Cyber security, Dataset, Industrial control systems, Machine learning, Critical infrastructure}
}
@ARTICLE{Nankya2023-gp,
title = "Securing industrial Control Systems: Components, cyber threats,
and machine learning-driven defense strategies",
author = "Nankya, Mary and Chataut, Robin and Akl, Robert",
abstract = "Industrial Control Systems (ICS), which include Supervisory
Control and Data Acquisition (SCADA) systems, Distributed
Control Systems (DCS), and Programmable Logic Controllers (PLC),
play a crucial role in managing and regulating industrial
processes. However, ensuring the security of these systems is of
utmost importance due to the potentially severe consequences of
cyber attacks. This article presents an overview of ICS
security, covering its components, protocols, industrial
applications, and performance aspects. It also highlights the
typical threats and vulnerabilities faced by these systems.
Moreover, the article identifies key factors that influence the
design decisions concerning control, communication, reliability,
and redundancy properties of ICS, as these are critical in
determining the security needs of the system. The article
outlines existing security countermeasures, including network
segmentation, access control, patch management, and security
monitoring. Furthermore, the article explores the integration of
machine learning techniques to enhance the cybersecurity of ICS.
Machine learning offers several advantages, such as anomaly
detection, threat intelligence analysis, and predictive
maintenance. However, combining machine learning with other
security measures is essential to establish a comprehensive
defense strategy for ICS. The article also addresses the
challenges associated with existing measures and provides
recommendations for improving ICS security. This paper becomes a
valuable reference for researchers aiming to make meaningful
contributions within the constantly evolving ICS domain by
providing an in-depth examination of the present state,
challenges, and potential future advancements.",
journal = "Sensors (Basel)",
publisher = "MDPI AG",
volume = 23,
number = 21,
pages = "8840",
month = oct,
year = 2023,
keywords = "SCADA; anomaly detection; artificial intelligence; attacks;
cyber defense; cyber threats; industrial control systems;
security; vulnerabilities",
copyright = "https://creativecommons.org/licenses/by/4.0/",
language = "en"
}
@misc{shin,
title = {HAI Security Dataset},
url = {https://www.kaggle.com/dsv/5821622},
doi = {10.34740/kaggle/dsv/5821622},
publisher = {Kaggle},
author = {Shin, Hyeok-Ki and Lee, Woomyo and Choi, Seungoh and Yun, Jeong-Han and Min, Byung Gil and Kim, HyoungChun},
year = {2023}
}
@Article{info16100910,
AUTHOR = {Ali, Jokha and Ali, Saqib and Al Balushi, Taiseera and Nadir, Zia},
TITLE = {Intrusion Detection in Industrial Control Systems Using Transfer Learning Guided by Reinforcement Learning},
JOURNAL = {Information},
VOLUME = {16},
YEAR = {2025},
NUMBER = {10},
ARTICLE-NUMBER = {910},
URL = {https://www.mdpi.com/2078-2489/16/10/910},
ISSN = {2078-2489},
ABSTRACT = {Securing Industrial Control Systems (ICSs) is critical, but it is made challenging by the constant evolution of cyber threats and the scarcity of labeled attack data in these specialized environments. Standard intrusion detection systems (IDSs) often fail to adapt when transferred to new networks with limited data. To address this, this paper introduces an adaptive intrusion detection framework that combines a hybrid Convolutional Neural Network and Long Short-Term Memory (CNN-LSTM) model with a novel transfer learning strategy. We employ a Reinforcement Learning (RL) agent to intelligently guide the fine-tuning process, which allows the IDS to dynamically adjust its parameters such as layer freezing and learning rates in real-time based on performance feedback. We evaluated our system in a realistic data-scarce scenario using only 50 labeled training samples. Our RL-Guided model achieved a final F1-score of 0.9825, significantly outperforming a standard neural fine-tuning model (0.861) and a target baseline model (0.759). Analysis of the RL agents behavior confirmed that it learned a balanced and effective policy for adapting the model to the target domain. We conclude that the proposed RL-guided approach creates a highly accurate and adaptive IDS that overcomes the limitations of static transfer learning methods. This dynamic fine-tuning strategy is a powerful and promising direction for building resilient cybersecurity defenses for critical infrastructure.},
DOI = {10.3390/info16100910}
}
@InProceedings{pmlr-v202-kotelnikov23a,
title = {{T}ab{DDPM}: Modelling Tabular Data with Diffusion Models},
author = {Kotelnikov, Akim and Baranchuk, Dmitry and Rubachev, Ivan and Babenko, Artem},
booktitle = {Proceedings of the 40th International Conference on Machine Learning},
pages = {17564--17579},
year = {2023},
editor = {Krause, Andreas and Brunskill, Emma and Cho, Kyunghyun and Engelhardt, Barbara and Sabato, Sivan and Scarlett, Jonathan},
volume = {202},
series = {Proceedings of Machine Learning Research},
month = {23--29 Jul},
publisher = {PMLR},
pdf = {https://proceedings.mlr.press/v202/kotelnikov23a/kotelnikov23a.pdf},
url = {https://proceedings.mlr.press/v202/kotelnikov23a.html},
abstract = {Denoising diffusion probabilistic models are becoming the leading generative modeling paradigm for many important data modalities. Being the most prevalent in the computer vision community, diffusion models have recently gained some attention in other domains, including speech, NLP, and graph-like data. In this work, we investigate if the framework of diffusion models can be advantageous for general tabular problems, where data points are typically represented by vectors of heterogeneous features. The inherent heterogeneity of tabular data makes it quite challenging for accurate modeling since the individual features can be of a completely different nature, i.e., some of them can be continuous and some can be discrete. To address such data types, we introduce TabDDPM — a diffusion model that can be universally applied to any tabular dataset and handles any feature types. We extensively evaluate TabDDPM on a wide set of benchmarks and demonstrate its superiority over existing GAN/VAE alternatives, which is consistent with the advantage of diffusion models in other fields.}
}
@misc{rasul2021autoregressivedenoisingdiffusionmodels,
title={Autoregressive Denoising Diffusion Models for Multivariate Probabilistic Time Series Forecasting},
author={Kashif Rasul and Calvin Seward and Ingmar Schuster and Roland Vollgraf},
year={2021},
eprint={2101.12072},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2101.12072},
}
@misc{jiang2023netdiffusionnetworkdataaugmentation,
title={NetDiffusion: Network Data Augmentation Through Protocol-Constrained Traffic Generation},
author={Xi Jiang and Shinan Liu and Aaron Gember-Jacobson and Arjun Nitin Bhagoji and Paul Schmitt and Francesco Bronzino and Nick Feamster},
year={2023},
eprint={2310.08543},
archivePrefix={arXiv},
primaryClass={cs.NI},
url={https://arxiv.org/abs/2310.08543},
}
Reference for Related Work
@article{10.1145/1151659.1159928, @article{10.1145/1151659.1159928,
author = {Vishwanath, Kashi Venkatesh and Vahdat, Amin}, author = {Vishwanath, Kashi Venkatesh and Vahdat, Amin},
title = {Realistic and responsive network traffic generation}, title = {Realistic and responsive network traffic generation},
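Review bot: The section label `Reference for Related Work` at the end of this hunk appears as bare text between entries. BibTeX skips text outside `@` entries, so it parses today, but an `@` or an unbalanced brace in such a line would break the file; prefix it with `%` as the conventional comment marker. Separately, the two added entries that carry `ABSTRACT`/`abstract` fields pull in long text that standard bibliography styles never print, and one of them contains a non-ASCII dash (`TabDDPM — a diffusion model`). Dropping the abstract fields keeps the file smaller and the diff readable. `month = {23--29 Jul}` would also be more portable as `month = jul`.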
@@ -164,47 +294,50 @@ series = {SIGCOMM '06}
publisher={Elsevier BV}, publisher={Elsevier BV},
author={Ring, Markus and Schlör, Daniel and Landes, Dieter and Hotho, Andreas}, author={Ring, Markus and Schlör, Daniel and Landes, Dieter and Hotho, Andreas},
year={2019}, year={2019},
month=may, pages={156172} } month=may, pages={156172}
}
@inproceedings{10.1145/3544216.3544251, @inproceedings{10.1145/3544216.3544251,
author = {Yin, Yucheng and Lin, Zinan and Jin, Minhao and Fanti, Giulia and Sekar, Vyas}, author = {Yin, Yucheng and Lin, Zinan and Jin, Minhao and Fanti, Giulia and Sekar, Vyas},
title = {Practical GAN-based synthetic IP header trace generation using NetShare}, title = {Practical GAN-based synthetic IP header trace generation using NetShare},
year = {2022}, year = {2022},
isbn = {9781450394208}, isbn = {9781450394208},
publisher = {Association for Computing Machinery}, publisher = {Association for Computing Machinery},
address = {New York, NY, USA}, address = {New York, NY, USA},
url = {https://doi.org/10.1145/3544216.3544251}, url = {https://doi.org/10.1145/3544216.3544251},
doi = {10.1145/3544216.3544251}, doi = {10.1145/3544216.3544251},
abstract = {We explore the feasibility of using Generative Adversarial Networks (GANs) to automatically learn generative models to generate synthetic packet- and flow header traces for networking tasks (e.g., telemetry, anomaly detection, provisioning). We identify key fidelity, scalability, and privacy challenges and tradeoffs in existing GAN-based approaches. By synthesizing domain-specific insights with recent advances in machine learning and privacy, we identify design choices to tackle these challenges. Building on these insights, we develop an end-to-end framework, NetShare. We evaluate NetShare on six diverse packet header traces and find that: (1) across all distributional metrics and traces, it achieves 46\% more accuracy than baselines and (2) it meets users' requirements of downstream tasks in evaluating accuracy and rank ordering of candidate approaches.}, abstract = {We explore the feasibility of using Generative Adversarial Networks (GANs) to automatically learn generative models to generate synthetic packet- and flow header traces for networking tasks (e.g., telemetry, anomaly detection, provisioning). We identify key fidelity, scalability, and privacy challenges and tradeoffs in existing GAN-based approaches. By synthesizing domain-specific insights with recent advances in machine learning and privacy, we identify design choices to tackle these challenges. Building on these insights, we develop an end-to-end framework, NetShare. We evaluate NetShare on six diverse packet header traces and find that: (1) across all distributional metrics and traces, it achieves 46\% more accuracy than baselines and (2) it meets users' requirements of downstream tasks in evaluating accuracy and rank ordering of candidate approaches.},
booktitle = {Proceedings of the ACM SIGCOMM 2022 Conference}, booktitle = {Proceedings of the ACM SIGCOMM 2022 Conference},
pages = {458472}, pages = {458472},
numpages = {15}, numpages = {15},
keywords = {synthetic data generation, privacy, network packets, network flows, generative adversarial networks}, keywords = {synthetic data generation, privacy, network packets, network flows, generative adversarial networks},
location = {Amsterdam, Netherlands}, location = {Amsterdam, Netherlands},
series = {SIGCOMM '22} series = {SIGCOMM '22}
} }
@inproceedings{Lin_2020, series={IMC 20}, @inproceedings{Lin_2020, series={IMC 20},
title={Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions}, title={Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions},
url={http://dx.doi.org/10.1145/3419394.3423643}, url={http://dx.doi.org/10.1145/3419394.3423643},
DOI={10.1145/3419394.3423643}, DOI={10.1145/3419394.3423643},
booktitle={Proceedings of the ACM Internet Measurement Conference}, booktitle={Proceedings of the ACM Internet Measurement Conference},
publisher={ACM}, publisher={ACM},
author={Lin, Zinan and Jain, Alankar and Wang, Chen and Fanti, Giulia and Sekar, Vyas}, author={Lin, Zinan and Jain, Alankar and Wang, Chen and Fanti, Giulia and Sekar, Vyas},
year={2020}, year={2020},
month=oct, pages={464483}, month=oct, pages={464483},
collection={IMC 20} } collection={IMC 20}
}
@INPROCEEDINGS{7469060, @INPROCEEDINGS{7469060,
author={Mathur, Aditya P. and Tippenhauer, Nils Ole}, author={Mathur, Aditya P. and Tippenhauer, Nils Ole},
booktitle={2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater)}, booktitle={2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater)},
title={SWaT: a water treatment testbed for research and training on ICS security}, title={SWaT: a water treatment testbed for research and training on ICS security},
year={2016}, year={2016},
volume={}, volume={},
number={}, number={},
pages={31-36}, pages={31-36},
keywords={Sensors;Actuators;Feeds;Process control;Chemicals;Chemical sensors;Security;Cyber Physical Systems;Industrial Control Systems;Cyber Attacks;Cyber Defense;Water Testbed}, keywords={Sensors;Actuators;Feeds;Process control;Chemicals;Chemical sensors;Security;Cyber Physical Systems;Industrial Control Systems;Cyber Attacks;Cyber Defense;Water Testbed},
doi={10.1109/CySWater.2016.7469060}} doi={10.1109/CySWater.2016.7469060}
}
@inproceedings{10.1145/3055366.3055375, @inproceedings{10.1145/3055366.3055375,
author = {Ahmed, Chuadhry Mujeeb and Palleti, Venkata Reddy and Mathur, Aditya P.}, author = {Ahmed, Chuadhry Mujeeb and Palleti, Venkata Reddy and Mathur, Aditya P.},
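Review bot: The lines this hunk rewrites to move the closing brace still carry page values that read as a single number: `pages={156172}`, `pages = {458472}` and `pages={464483}`. They look like ranges whose dash was lost (the second sits next to `numpages = {15}`), and other entries in the file use `6840--6851` and `31-36`. Since these lines are being touched anyway, restore the ranges with `--` after checking them against the publisher record. The same applies to `series={IMC 20}` and `collection={IMC 20}`, which lack the apostrophe that `series = {SIGCOMM '22}` keeps, and the empty `volume={}` and `number={}` fields in the SWaT entry can simply be removed.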
@@ -225,15 +358,15 @@ series = {CySWATER '17}
} }
@inproceedings{NEURIPS2020_4c5bcfec, @inproceedings{NEURIPS2020_4c5bcfec,
author = {Ho, Jonathan and Jain, Ajay and Abbeel, Pieter}, author = {Ho, Jonathan and Jain, Ajay and Abbeel, Pieter},
booktitle = {Advances in Neural Information Processing Systems}, booktitle = {Advances in Neural Information Processing Systems},
editor = {H. Larochelle and M. Ranzato and R. Hadsell and M.F. Balcan and H. Lin}, editor = {H. Larochelle and M. Ranzato and R. Hadsell and M.F. Balcan and H. Lin},
pages = {6840--6851}, pages = {6840--6851},
publisher = {Curran Associates, Inc.}, publisher = {Curran Associates, Inc.},
title = {Denoising Diffusion Probabilistic Models}, title = {Denoising Diffusion Probabilistic Models},
url = {https://proceedings.neurips.cc/paper_files/paper/2020/file/4c5bcfec8584af0d967f1ab10179ca4b-Paper.pdf}, url = {https://proceedings.neurips.cc/paper_files/paper/2020/file/4c5bcfec8584af0d967f1ab10179ca4b-Paper.pdf},
volume = {33}, volume = {33},
year = {2020} year = {2020}
} }
@misc{song2021scorebasedgenerativemodelingstochastic, @misc{song2021scorebasedgenerativemodelingstochastic,
@@ -246,16 +379,6 @@ year = {2020}
url={https://arxiv.org/abs/2011.13456}, url={https://arxiv.org/abs/2011.13456},
} }
@misc{rasul2021autoregressivedenoisingdiffusionmodels,
title={Autoregressive Denoising Diffusion Models for Multivariate Probabilistic Time Series Forecasting},
author={Kashif Rasul and Calvin Seward and Ingmar Schuster and Roland Vollgraf},
year={2021},
eprint={2101.12072},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2101.12072},
}
@misc{tashiro2021csdiconditionalscorebaseddiffusion, @misc{tashiro2021csdiconditionalscorebaseddiffusion,
title={CSDI Conditional Score-based Diffusion Models for Probabilistic Time Series Imputation}, title={CSDI Conditional Score-based Diffusion Models for Probabilistic Time Series Imputation},
author={Yusuke Tashiro and Jiaming Song and Yang Song and Stefano Ermon}, author={Yusuke Tashiro and Jiaming Song and Yang Song and Stefano Ermon},
@@ -305,7 +428,8 @@ year = {2020}
number={1}, number={1},
pages={257-271}, pages={257-271},
keywords={Base stations;Diffusion models;Data models;Uncertainty;Predictive models;Generative adversarial networks;Knowledge graphs;Mobile computing;Telecommunication traffic;Semantics;Cellular traffic;data generation;diffusion model;spatio-temporal graph}, keywords={Base stations;Diffusion models;Data models;Uncertainty;Predictive models;Generative adversarial networks;Knowledge graphs;Mobile computing;Telecommunication traffic;Semantics;Cellular traffic;data generation;diffusion model;spatio-temporal graph},
doi={10.1109/TMC.2025.3591183}} doi={10.1109/TMC.2025.3591183}
}
@misc{austin2023structureddenoisingdiffusionmodels, @misc{austin2023structureddenoisingdiffusionmodels,
title={Structured Denoising Diffusion Models in Discrete State-Spaces}, title={Structured Denoising Diffusion Models in Discrete State-Spaces},
@@ -317,6 +441,16 @@ year = {2020}
url={https://arxiv.org/abs/2107.03006}, url={https://arxiv.org/abs/2107.03006},
} }
@misc{hoogeboom2021argmaxflowsmultinomialdiffusion,
title={Argmax Flows and Multinomial Diffusion: Learning Categorical Distributions},
author={Emiel Hoogeboom and Didrik Nielsen and Priyank Jaini and Patrick Forré and Max Welling},
year={2021},
eprint={2102.05379},
archivePrefix={arXiv},
primaryClass={stat.ML},
url={https://arxiv.org/abs/2102.05379},
}
@misc{li2022diffusionlmimprovescontrollabletext, @misc{li2022diffusionlmimprovescontrollabletext,
title={Diffusion-LM Improves Controllable Text Generation}, title={Diffusion-LM Improves Controllable Text Generation},
author={Xiang Lisa Li and John Thickstun and Ishaan Gulrajani and Percy Liang and Tatsunori B. Hashimoto}, author={Xiang Lisa Li and John Thickstun and Ishaan Gulrajani and Percy Liang and Tatsunori B. Hashimoto},
@@ -357,16 +491,6 @@ year = {2020}
url={https://arxiv.org/abs/1807.05620}, url={https://arxiv.org/abs/1807.05620},
} }
@misc{hoogeboom2021argmaxflowsmultinomialdiffusion,
title={Argmax Flows and Multinomial Diffusion: Learning Categorical Distributions},
author={Emiel Hoogeboom and Didrik Nielsen and Priyank Jaini and Patrick Forré and Max Welling},
year={2021},
eprint={2102.05379},
archivePrefix={arXiv},
primaryClass={stat.ML},
url={https://arxiv.org/abs/2102.05379},
}
@misc{dai2019transformerxlattentivelanguagemodels, @misc{dai2019transformerxlattentivelanguagemodels,
title={Transformer-XL: Attentive Language Models Beyond a Fixed-Length Context}, title={Transformer-XL: Attentive Language Models Beyond a Fixed-Length Context},
author={Zihang Dai and Zhilin Yang and Yiming Yang and Jaime Carbonell and Quoc V. Le and Ruslan Salakhutdinov}, author={Zihang Dai and Zhilin Yang and Yiming Yang and Jaime Carbonell and Quoc V. Le and Ruslan Salakhutdinov},
@@ -418,4 +542,64 @@ year = {2020}
publisher={University Library in Kragujevac}, publisher={University Library in Kragujevac},
author={Damjanović, Ivan and Milošević, Marko and Stevanović, Dragan}, author={Damjanović, Ivan and Milošević, Marko and Stevanović, Dragan},
year={2023}, year={2023},
pages={197202} } pages={197202}
}
Reference for Benchmark
@article{stenger2024survey,
title={Evaluation is key: a survey on evaluation measures for synthetic time series},
author={Stenger, Michael and Leppich, Robert and Foster, Ian T and Kounev, Samuel and Bauer, Andre},
journal={Journal of Big Data},
volume={11},
number={1},
pages={66},
year={2024},
publisher={Springer}
}
@article{lin1991divergence,
title={Divergence measures based on the Shannon entropy},
author={Lin, Jianhua},
journal={IEEE Transactions on Information Theory},
volume={37},
number={1},
pages={145--151},
year={1991}
}
@inproceedings{yoon2019timegan,
title={Time-series generative adversarial networks},
author={Yoon, Jinsung and Jarrett, Daniel and van der Schaar, Mihaela},
booktitle={Advances in Neural Information Processing Systems},
volume={32},
year={2019}
}
@article{ni2021sigwasserstein,
title={Sig-Wasserstein GANs for time series generation},
author={Ni, Hao and Szpruch, Lukasz and Wiese, Magnus and Liao, Shujian and Xiao, Baoren},
journal={Proceedings of the ACM on Measurement and Analysis of Computing Systems},
volume={5},
number={3},
pages={1--25},
year={2021}
}
@inproceedings{coletta2023constrained,
title={On the constrained time-series generation problem},
author={Coletta, Alessandro and Rossi, Roberto and others},
booktitle={Advances in Neural Information Processing Systems},
volume={36},
year={2023}
}
@article{yang2001interlock,
title={Automatic verification of safety interlock systems for industrial processes},
author={Yang, Sheng-Hong and Hsieh, Min-Chi},
journal={Journal of Loss Prevention in the Process Industries},
volume={14},
number={6},
pages={473--483},
year={2001},
publisher={Elsevier}
}
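Review bot: The six entries added under `Reference for Benchmark` have no `doi`, `url` or `eprint` field, unlike most of the entries above them, so a reader cannot resolve them and a reviewer cannot confirm the metadata. `coletta2023constrained` also truncates its author list with `and others`, and both NeurIPS entries omit `pages`. Please add a DOI or URL to each entry and check authors, venue and pages against the publisher record before merging. Two smaller points in the same hunk: `pages={197202}` on the reformatted entry still reads as one number rather than a range, and the `Reference for Benchmark` label is bare text that would be safer as a `%` comment line.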