Industrial control systems (ICS) form the backbone of modern critical infrastructure, which includes power grids, water treatment, manufacturing, and transportation, among others. These systems monitor, regulate, and automate the physical processes through sensors, actuators, programmable logic controllers (PLCs), and monitoring software. Unlike conventional IT systems, ICS operate in real time, closely coupled with physical processes and safety‑critical constraints, using heterogeneous and legacy communication protocols such as Modbus/TCP and DNP3 that were not originally designed with robust security in mind. This architectural complexity and operational criticality make ICS high‑impact targets for cyber attacks, where disruptions can result in physical damage, environmental harm, and even loss of life. Recent reviews of ICS security highlight the expanding attack surface due to increased connectivity, legacy systems’ vulnerabilities, and the inadequacy of traditional security controls in capturing the nuances of ICS networks and protocols [1, 2].
While machine learning (ML) techniques have shown promise for anomaly detection and automated cybersecurity within ICS, they rely heavily on labeled datasets that capture both benign operations and diverse attack patterns. In practice, real ICS traffic data — especially attack‑triggered captures — are scarce due to confidentiality, safety, and legal restrictions, and available public ICS datasets are few, limited in scope, or fail to reflect current threat modalities. For instance, the HAI Security Dataset provides operational telemetry and anomaly flags from a realistic control system setup for research purposes, but must be carefully preprocessed to derive protocol‑relevant features for ML tasks [3]. Data scarcity directly undermines model generalization, evaluation reproducibility, and the robustness of intrusion detection research, especially when training or testing ML models on realistic ICS behavior remains confined to small or outdated collections of examples [4].
Synthetic data generation offers a practical pathway to mitigate these challenges. By programmatically generating feature‑level sequences that mimic the statistical and temporal structure of real ICS telemetry, researchers can augment scarce training sets, standardize benchmarking, and preserve operational confidentiality. Relative to raw packet captures, feature‑level synthesis abstracts critical protocol semantics and statistical patterns without exposing sensitive fields, making it more compatible with safety constraints and compliance requirements in ICS environments. Modern generative modeling — including diffusion models — has advanced significantly in producing high‑fidelity synthetic data across domains. Diffusion approaches, such as denoising diffusion probabilistic models, learn to transform noise into coherent structured samples and have been successfully applied to tabular or time series data synthesis with better stability and data coverage compared to adversarial methods [5, 6].
Despite these advances, most existing work either focuses on packet‑level generation [7] or is limited to generic tabular data [5], rather than domain‑specific control sequence synthesis tailored for ICS protocols where temporal coherence, multi‑channel dependencies, and discrete protocol legality are jointly required. This gap motivates our focus on protocol feature‑level generation for ICS — synthesizing sequences of protocol‑relevant fields conditioned on their temporal and cross‑channel structure. In this work, we formulate a hybrid modeling pipeline that decouples long‑horizon trends and local statistical detail while preserving discrete semantics of protocol tokens. By combining causal Transformers with diffusion‑based refiners, and enforcing deterministic validity constraints during sampling, our framework generates semantically coherent, temporally consistent, and distributionally faithful ICS feature sequences. We evaluate features derived from the HAI Security Dataset and demonstrate that our approach produces high‑quality synthetic sequences suitable for downstream augmentation, benchmarking, and integration into packet‑construction workflows that respect realistic ICS constraints.
[1] Machine learning in industrial control system (ICS) security: current landscape, opportunities and challenges https://dl.acm.org/doi/abs/10.1007/s10844-022-00753-1
@article{10.1007/s10844-022-00753-1,
author = {Koay, Abigail M. Y. and Ko, Ryan K. L and Hettema, Hinne and Radke, Kenneth},
title = {Machine learning in industrial control system (ICS) security: current landscape, opportunities and challenges},
abstract = {The advent of Industry 4.0 has led to a rapid increase in cyber attacks on industrial systems and processes, particularly on Industrial Control Systems (ICS). These systems are increasingly becoming prime targets for cyber criminals and nation-states looking to extort large ransoms or cause disruptions due to their ability to cause devastating impact whenever they cease working or malfunction. Although myriads of cyber attack detection systems have been proposed and developed, these detection systems still face many challenges that are typically not found in traditional detection systems. Motivated by the need to better understand these challenges to improve current approaches, this paper aims to (1) understand the current vulnerability landscape in ICS, (2) survey current advancements of Machine Learning (ML) based methods with respect to the usage of ML base classifiers (3) provide insights to benefits and limitations of recent advancement with respect to two performance vectors; detection accuracy and attack variety. Based on our findings, we present key open challenges which will represent exciting research opportunities for the research community.},
[3] HAI Security Dataset https://www.kaggle.com/datasets/icsdataset/hai-security-dataset
@misc{shin,
hyeok-ki_lee,
woomyo_choi,
seungoh_yun,
jeong-han_min,
byung gil_kim,
hyoungchun_2023,
title={HAI Security Dataset},
url={https://www.kaggle.com/dsv/5821622},
DOI={10.34740/KAGGLE/DSV/5821622},
publisher={Kaggle},
author={Shin,
Hyeok-Ki and Lee,
Woomyo and Choi,
Seungoh and Yun,
Jeong-Han and Min,
Byung Gil and Kim,
HyoungChun},
year={2023}
}
[4] Intrusion Detection in Industrial Control Systems Using Transfer Learning Guided by Reinforcement Learning https://doi.org/10.3390/info16100910
@Article{info16100910,
AUTHOR = {Ali, Jokha and Ali, Saqib and Al Balushi, Taiseera and Nadir, Zia},
TITLE = {Intrusion Detection in Industrial Control Systems Using Transfer Learning Guided by Reinforcement Learning},
JOURNAL = {Information},
VOLUME = {16},
YEAR = {2025},
NUMBER = {10},
ARTICLE-NUMBER = {910},
URL = {https://www.mdpi.com/2078-2489/16/10/910},
ISSN = {2078-2489},
ABSTRACT = {Securing Industrial Control Systems (ICSs) is critical, but it is made challenging by the constant evolution of cyber threats and the scarcity of labeled attack data in these specialized environments. Standard intrusion detection systems (IDSs) often fail to adapt when transferred to new networks with limited data. To address this, this paper introduces an adaptive intrusion detection framework that combines a hybrid Convolutional Neural Network and Long Short-Term Memory (CNN-LSTM) model with a novel transfer learning strategy. We employ a Reinforcement Learning (RL) agent to intelligently guide the fine-tuning process, which allows the IDS to dynamically adjust its parameters such as layer freezing and learning rates in real-time based on performance feedback. We evaluated our system in a realistic data-scarce scenario using only 50 labeled training samples. Our RL-Guided model achieved a final F1-score of 0.9825, significantly outperforming a standard neural fine-tuning model (0.861) and a target baseline model (0.759). Analysis of the RL agent’s behavior confirmed that it learned a balanced and effective policy for adapting the model to the target domain. We conclude that the proposed RL-guided approach creates a highly accurate and adaptive IDS that overcomes the limitations of static transfer learning methods. This dynamic fine-tuning strategy is a powerful and promising direction for building resilient cybersecurity defenses for critical infrastructure.},
DOI = {10.3390/info16100910}
}
[5] TabDDPM: Modelling Tabular Data with Diffusion Models https://arxiv.org/abs/2209.15421
@InProceedings{pmlr-v202-kotelnikov23a,
title = {{T}ab{DDPM}: Modelling Tabular Data with Diffusion Models},
author = {Kotelnikov, Akim and Baranchuk, Dmitry and Rubachev, Ivan and Babenko, Artem},
booktitle = {Proceedings of the 40th International Conference on Machine Learning},
pages = {17564--17579},
year = {2023},
editor = {Krause, Andreas and Brunskill, Emma and Cho, Kyunghyun and Engelhardt, Barbara and Sabato, Sivan and Scarlett, Jonathan},
volume = {202},
series = {Proceedings of Machine Learning Research},
month = {23--29 Jul},
publisher = {PMLR},
pdf = {https://proceedings.mlr.press/v202/kotelnikov23a/kotelnikov23a.pdf},
abstract = {Denoising diffusion probabilistic models are becoming the leading generative modeling paradigm for many important data modalities. Being the most prevalent in the computer vision community, diffusion models have recently gained some attention in other domains, including speech, NLP, and graph-like data. In this work, we investigate if the framework of diffusion models can be advantageous for general tabular problems, where data points are typically represented by vectors of heterogeneous features. The inherent heterogeneity of tabular data makes it quite challenging for accurate modeling since the individual features can be of a completely different nature, i.e., some of them can be continuous and some can be discrete. To address such data types, we introduce TabDDPM — a diffusion model that can be universally applied to any tabular dataset and handles any feature types. We extensively evaluate TabDDPM on a wide set of benchmarks and demonstrate its superiority over existing GAN/VAE alternatives, which is consistent with the advantage of diffusion models in other fields.}
}
[6] Autoregressive Denoising Diffusion Models for Multivariate Probabilistic Time Series Forecasting https://arxiv.org/abs/2101.12072
title={NetDiffusion: Network Data Augmentation Through Protocol-Constrained Traffic Generation},
author={Xi Jiang and Shinan Liu and Aaron Gember-Jacobson and Arjun Nitin Bhagoji and Paul Schmitt and Francesco Bronzino and Nick Feamster},
year={2023},
eprint={2310.08543},
archivePrefix={arXiv},
primaryClass={cs.NI},
url={https://arxiv.org/abs/2310.08543},
}
Related Work
Early generation of network data oriented towards "realism" mostly remained at the packet/flow header level, either through replay or statistical synthesis based on single-point observations. Swing, in a closed-loop, network-responsive manner, extracts user/application/network distributions from single-point observations to reproduce burstiness and correlation across multiple time scales [1]. Subsequently, a series of works advanced header synthesis to learning-based generation: the WGAN-based method added explicit verification of protocol field consistency to NetFlow/IPFIX [2], NetShare reconstructed header modeling as flow-level time series and improved fidelity and scalability through domain encoding and parallel fine-tuning [3], and DoppelGANger preserved the long-range structure and downstream sorting consistency of networked time series by decoupling attributes from sequences [4]. However, in industrial control system (ICS) scenarios, the original PCAP is usually not shareable, and public testbeds (such as SWaT, WADI) mostly provide process/monitoring telemetry and protocol interactions for security assessment, but public datasets emphasize operational variables rather than packet-level traces [5, 6]. This makes "synthesis at the feature/telemetry level, aware of protocol and semantics" more feasible and necessary in practice: we are more concerned with reproducing high-level distributions and multi-scale temporal patterns according to operational semantics and physical constraints without relying on the original packets. From this perspective, the generation paradigm naturally shifts from "packet syntax reproduction" to "modeling of high-level spatio-temporal distributions and uncertainties", requiring stable training, strong distribution fitting, and interpretable uncertainty characterization.
Diffusion models exhibit good fit along this path: DDPM achieves high-quality sampling and stable optimization through efficient ε parameterization and weighted variational objectives [7], the SDE perspective unifies score-based and diffusion, providing likelihood evaluation and prediction-correction sampling strategies based on probability flow ODEs [8]. For time series, TimeGrad replaces the constrained output distribution with conditional denoising, capturing high-dimensional correlations at each step [9]; CSDI explicitly performs conditional diffusion and uses two-dimensional attention to simultaneously leverage temporal and cross-feature dependencies, suitable for conditioning and filling in missing values [10]; in a more general spatio-temporal structure, DiffSTG generalizes diffusion to spatio-temporal graphs, combining TCN/GCN with denoising U-Net to improve CRPS and inference efficiency in a non-autoregressive manner [11], and PriSTI further enhances conditional features and geographical relationships, maintaining robustness under high missing rates and sensor failures [12]; in long sequences and continuous domains, DiffWave verifies that diffusion can also match the quality of strong vocoders under non-autoregressive fast synthesis [13]; studies on cellular communication traffic show that diffusion can recover spatio-temporal patterns and provide uncertainty characterization at the urban scale [14]. These results overall point to a conclusion: when the research focus is on "telemetry/high-level features" rather than raw messages, diffusion models provide stable and fine-grained distribution fitting and uncertainty quantification, which is exactly in line with the requirements of ICS telemetry synthesis. Meanwhile, directly entrusting all structures to a "monolithic diffusion" is not advisable: long-range temporal skeletons and fine-grained marginal distributions often have optimization tensions, requiring explicit decoupling in modeling.
Looking further into the mechanism complexity of ICS: its channel types are inherently mixed, containing both continuous process trajectories and discrete supervision/status variables, and discrete channels must be "legal" under operational constraints. The aforementioned progress in time series diffusion has mainly occurred in continuous spaces, but discrete diffusion has also developed systematic methods: D3PM improves sampling quality and likelihood through absorption/masking and structured transitions in discrete state spaces [15], subsequent masked diffusion provides stable reconstruction on categorical data in a more simplified form [4], multinomial diffusion directly defines diffusion on a finite vocabulary through mechanisms such as argmax flows [20], and Diffusion-LM demonstrates an effective path for controllable text generation by imposing gradient constraints in continuous latent spaces [16]. From the perspectives of protocols and finite-state machines, coverage-guided fuzz testing emphasizes the criticality of "sequence legality and state coverage" [17–19], echoing the concept of "legality by construction" in discrete diffusion: preferentially adopting absorption/masking diffusion on discrete channels, supplemented by type-aware conditioning and sampling constraints, to avoid semantic invalidity and marginal distortion caused by post hoc thresholding.
From the perspective of high-level synthesis, the temporal structure is equally indispensable: ICS control often involves delay effects, phased operating conditions, and cross-channel coupling, requiring models to be able to characterize low-frequency, long-range dependencies while also overlaying multi-modal fine-grained fluctuations on them. The Transformer series has provided sufficient evidence in long-sequence time series tasks: Transformer-XL breaks through the fixed-length context limitation through a reusable memory mechanism and significantly enhances long-range dependency expression [21]; Informer uses ProbSparse attention and efficient decoding to balance span and efficiency in long-sequence prediction [22]; Autoformer robustly models long-term seasonality and trends through autocorrelation and decomposition mechanisms [23]; FEDformer further improves long-period prediction performance in frequency domain enhancement and decomposition [24]; PatchTST enhances the stability and generalization of long-sequence multivariate prediction through local patch-based representation and channel-independent modeling [25]. Combining our previous positioning of diffusion, this chain of evidence points to a natural division of labor: using attention-based sequence models to first extract stable low-frequency trends/conditions (long-range skeletons), and then allowing diffusion to focus on margins and details in the residual space; meanwhile, discrete masking/absorbing diffusion is applied to supervised/pattern variables to ensure vocabulary legality by construction. This design not only inherits the advantages of time series diffusion in distribution fitting and uncertainty characterization [9–14], but also stabilizes the macroscopic temporal support through the long-range attention of Transformer, enabling the formation of an operational integrated generation pipeline under the mixed types and multi-scale dynamics of ICS.
[1] Realistic and responsive network traffic generation https://dl.acm.org/doi/10.1145/1159913.1159928
@article{10.1145/1151659.1159928,
author = {Vishwanath, Kashi Venkatesh and Vahdat, Amin},
title = {Realistic and responsive network traffic generation},
year = {2006},
issue_date = {October 2006},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
volume = {36},
number = {4},
issn = {0146-4833},
url = {https://doi.org/10.1145/1151659.1159928},
doi = {10.1145/1151659.1159928},
abstract = {This paper presents Swing, a closed-loop, network-responsive traffic generator that accurately captures the packet interactions of a range of applications using a simple structural model. Starting from observed traffic at a single point in the network, Swing automatically extracts distributions for user, application, and network behavior. It then generates live traffic corresponding to the underlying models in a network emulation environment running commodity network protocol stacks. We find that the generated traces are statistically similar to the original traces. Further, to the best of our knowledge, we are the first to reproduce burstiness in traffic across a range of timescales using a model applicable to a variety of network settings. An initial sensitivity analysis reveals the importance of capturing and recreating user, application, and network characteristics to accurately reproduce such burstiness. Finally, we explore Swing's ability to vary user characteristics, application properties, and wide-area network conditions to project traffic characteristics into alternate scenarios.},
author = {Vishwanath, Kashi Venkatesh and Vahdat, Amin},
title = {Realistic and responsive network traffic generation},
year = {2006},
isbn = {1595933085},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/1159913.1159928},
doi = {10.1145/1159913.1159928},
abstract = {This paper presents Swing, a closed-loop, network-responsive traffic generator that accurately captures the packet interactions of a range of applications using a simple structural model. Starting from observed traffic at a single point in the network, Swing automatically extracts distributions for user, application, and network behavior. It then generates live traffic corresponding to the underlying models in a network emulation environment running commodity network protocol stacks. We find that the generated traces are statistically similar to the original traces. Further, to the best of our knowledge, we are the first to reproduce burstiness in traffic across a range of timescales using a model applicable to a variety of network settings. An initial sensitivity analysis reveals the importance of capturing and recreating user, application, and network characteristics to accurately reproduce such burstiness. Finally, we explore Swing's ability to vary user characteristics, application properties, and wide-area network conditions to project traffic characteristics into alternate scenarios.},
booktitle = {Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications},
author={Ring, Markus and Schlör, Daniel and Landes, Dieter and Hotho, Andreas},
year={2019},
month=may, pages={156–172} }
[3] Practical GAN-based synthetic IP header trace generation using NetShare https://dl.acm.org/doi/abs/10.1145/3544216.3544251?download=true
@inproceedings{10.1145/3544216.3544251,
author = {Yin, Yucheng and Lin, Zinan and Jin, Minhao and Fanti, Giulia and Sekar, Vyas},
title = {Practical GAN-based synthetic IP header trace generation using NetShare},
year = {2022},
isbn = {9781450394208},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3544216.3544251},
doi = {10.1145/3544216.3544251},
abstract = {We explore the feasibility of using Generative Adversarial Networks (GANs) to automatically learn generative models to generate synthetic packet- and flow header traces for networking tasks (e.g., telemetry, anomaly detection, provisioning). We identify key fidelity, scalability, and privacy challenges and tradeoffs in existing GAN-based approaches. By synthesizing domain-specific insights with recent advances in machine learning and privacy, we identify design choices to tackle these challenges. Building on these insights, we develop an end-to-end framework, NetShare. We evaluate NetShare on six diverse packet header traces and find that: (1) across all distributional metrics and traces, it achieves 46\% more accuracy than baselines and (2) it meets users' requirements of downstream tasks in evaluating accuracy and rank ordering of candidate approaches.},
booktitle = {Proceedings of the ACM SIGCOMM 2022 Conference},
[4] Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions https://arxiv.org/abs/1909.13403
@inproceedings{Lin_2020, series={IMC ’20},
title={Using GANs for Sharing Networked Time Series Data: Challenges, Initial Promise, and Open Questions},
url={http://dx.doi.org/10.1145/3419394.3423643},
DOI={10.1145/3419394.3423643},
booktitle={Proceedings of the ACM Internet Measurement Conference},
publisher={ACM},
author={Lin, Zinan and Jain, Alankar and Wang, Chen and Fanti, Giulia and Sekar, Vyas},
year={2020},
month=oct, pages={464–483},
collection={IMC ’20} }
[5] SWaT: a water treatment testbed for research and training on ICS security https://ieeexplore.ieee.org/document/7469060
@INPROCEEDINGS{7469060,
author={Mathur, Aditya P. and Tippenhauer, Nils Ole},
booktitle={2016 International Workshop on Cyber-physical Systems for Smart Water Networks (CySWater)},
title={SWaT: a water treatment testbed for research and training on ICS security},
year={2016},
volume={},
number={},
pages={31-36},
keywords={Sensors;Actuators;Feeds;Process control;Chemicals;Chemical sensors;Security;Cyber Physical Systems;Industrial Control Systems;Cyber Attacks;Cyber Defense;Water Testbed},
doi={10.1109/CySWater.2016.7469060}}
[6] WADI: a water distribution testbed for research in the design of secure cyber physical systems https://www.researchgate.net/publication/315849116_WADI_a_water_distribution_testbed_for_research_in_the_design_of_secure_cyber_physical_systems
@inproceedings{10.1145/3055366.3055375,
author = {Ahmed, Chuadhry Mujeeb and Palleti, Venkata Reddy and Mathur, Aditya P.},
title = {WADI: a water distribution testbed for research in the design of secure cyber physical systems},
year = {2017},
isbn = {9781450349758},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3055366.3055375},
doi = {10.1145/3055366.3055375},
abstract = {The architecture of a water distribution testbed (WADI), and on-going research in the design of secure water distribution system is presented. WADI consists of three stages controlled by Programmable Logic Controllers (PLCs) and two stages controlled via Remote Terminal Units (RTUs). Each PLC and RTU uses sensors to estimate the system state and the actuators to effect control. WADI is currently used to (a) conduct security analysis for water distribution networks, (b) experimentally assess detection mechanisms for potential cyber and physical attacks, and (c) understand how the impact of an attack on one CPS could cascade to other connected CPSs. The cascading effects of attacks can be studied in WADI through its connection to two other testbeds, namely for water treatment and power generation and distribution.},
booktitle = {Proceedings of the 3rd International Workshop on Cyber-Physical Systems for Smart Water Networks},
pages = {25–28},
numpages = {4},
keywords = {attack detection, cyber physical systems, cyber security, industrial control systems, water distribution testbed},
title={FEDformer: Frequency Enhanced Decomposed Transformer for Long-term Series Forecasting},
author={Tian Zhou and Ziqing Ma and Qingsong Wen and Xue Wang and Liang Sun and Rong Jin},
year={2022},
eprint={2201.12740},
archivePrefix={arXiv},
primaryClass={cs.LG},
url={https://arxiv.org/abs/2201.12740},
}
[25] A Note on Extremal Sombor Indices of Trees with a Given Degree Sequence https://arxiv.org/abs/2211.11920
@article{2023,
title={A Note on Extremal Sombor Indices of Trees with a Given Degree Sequence},
volume={90},
ISSN={0340-6253},
url={http://dx.doi.org/10.46793/match.90-1.197D},
DOI={10.46793/match.90-1.197d},
number={1},
journal={Match Communications in Mathematical and in Computer Chemistry},
publisher={University Library in Kragujevac},
author={Damjanović, Ivan and Milošević, Marko and Stevanović, Dragan},
year={2023},
pages={197–202} }
Methodology
Industrial control system (ICS) telemetry is intrinsically mixed-type and mechanistically heterogeneous: continuous process trajectories (e.g., sensor and actuator signals) coexist with discrete supervisory states (e.g., modes, alarms, interlocks), and the underlying generating mechanisms range from physical inertia to program-driven step logic. This heterogeneity is not cosmetic—it directly affects what “realistic” synthesis means, because a generator must jointly satisfy (i) temporal coherence, (ii) distributional fidelity, and (iii) discrete semantic validity (i.e., every discrete output must belong to its legal vocabulary by construction). These properties are emphasized broadly in operational-technology security guidance and ICS engineering practice, where state logic and physical dynamics are tightly coupled. [12]
We formalize each training instance as a fixed-length window of length We model each training instance as a fixed-length window of length $$L$$, consisting of (i) continuous channels $$X\in\mathbb{R}^{L\times d_c}$$ and (ii) discrete channels $$Y=\{{y^{(j)}_{1:L}}\}_{j=1}^{d_d}$$, where each discrete variable $$y^{(j)}_t\in\mathcal{V}_j$$ belongs to a finite vocabulary $$\mathcal{V}_j$$. Our objective is to learn a generator that produces synthetic $$(\hat{X},\hat{Y})$$ that are simultaneously coherent and distributionally faithful, while also ensuring $$\hat{y}^{(j)}_t\in\mathcal{V}_j$$ for all $$j, t$$ by construction (rather than via post-hoc rounding or thresholding).
A key empirical and methodological tension in ICS synthesis is that temporal realism and marginal/distributional realism can compete when optimized monolithically: sequence models trained primarily for regression often over-smooth heavy tails and intermittent bursts, while purely distribution-matching objectives can erode long-range structure. Diffusion models provide a principled route to rich distribution modeling through iterative denoising, but they do not, by themselves, resolve (i) the need for a stable low-frequency temporal scaffold, nor (ii) the discrete legality constraints for supervisory variables. [2,8] Recent time-series diffusion work further suggests that separating coarse structure from stochastic refinement can be an effective inductive bias for long-horizon realism. [6,7]
[图片]
**PLACEHOLDER_ONLY_DO_NOT_USE_IN_REAL_PAPER**
Motivated by these considerations, we propose Mask-DDPM, organized in the following order:
1. Transformer trend module: learns the dominant temporal backbone of continuous dynamics via attention-based sequence modeling [1].
2. Residual DDPM for continuous variables: models distributional detail as stochastic residual structure conditioned on the learned trend [2, 6].
3. Masked diffusion for discrete variables: generates discrete ICS states with an absorbing/masking corruption process and categorical reconstruction [3,4].
4. Type-aware decomposition: a type-aware factorization and routing layer that assigns variables to the most appropriate modeling mechanism and enforces deterministic constraints where warranted.
This ordering is intentional. The trend module establishes a macro-temporal scaffold; residual diffusion then concentrates capacity on micro-structure and marginal fidelity; masked diffusion provides a native mechanism for discrete legality; and the type-aware layer operationalizes the observation that not all ICS variables should be modeled with the same stochastic mechanism. Importantly, while diffusion-based generation for ICS telemetry has begun to emerge, existing approaches remain limited and typically emphasize continuous synthesis or augmentation; in contrast, our pipeline integrates (i) a Transformer-conditioned residual diffusion backbone, (ii) a discrete masked-diffusion branch, and (iii) explicit type-aware routing for heterogeneous variable mechanisms within a single coherent generator. [10,11]
---
Transformer trend module for continuous dynamics
We instantiate the temporal backbone as a causal Transformer trend extractor, leveraging self-attention’s ability to represent long-range dependencies and cross-channel interactions without recurrence. [1] Compared with recurrent trend extractors (e.g., GRU-style backbones), a Transformer trend module offers a direct mechanism to model delayed effects and multivariate coupling—common in ICS, where control actions may influence downstream sensors with nontrivial lags and regime-dependent propagation. [1,12] Crucially, in our design the Transformer is not asked to be the entire generator; instead, it serves a deliberately restricted role: providing a stable, temporally coherent conditioning signal that later stochastic components refine.
For continuous channels $$X$$, we posit an additive decomposition
$$X = S + R$$ ,
where $$S\in\mathbb{R}^{L\times d_c}$$ is a smooth trend capturing predictable temporal evolution, and $$R\in\mathbb{R}^{L\times d_c}$$ is a residual capturing distributional detail (e.g., bursts, heavy tails, local fluctuations) that is difficult to represent robustly with a purely regression-based temporal objective. This separation reflects an explicit division of labor: the trend module prioritizes temporal coherence, while diffusion (introduced next) targets distributional realism at the residual level—a strategy aligned with “predict-then-refine” perspectives in time-series diffusion modeling. [6,7]
We parameterize the trend $$S$$ using a causal Transformer $$f_\phi$$ . With teacher forcing, we train $$f_\phi$$to predict the next-step trend from past observations:
At inference, we roll out the Transformer autoregressively to obtain $$\hat{S}$$ , and then define the residual target for diffusion as $$R = X - \hat{S}$$. This setup intentionally “locks in” a coherent low-frequency scaffold before any stochastic refinement is applied, thereby reducing the burden on downstream diffusion modules to simultaneously learn both long-range structure and marginal detail. In this sense, our use of Transformers is distinctive: it is a conditioning-first temporal backbone designed to stabilize mixed-type diffusion synthesis in ICS, rather than an end-to-end monolithic generator. [1,6,10]
DDPM for continuous residual generation
We model the residual RRR with a denoising diffusion probabilistic model (DDPM) conditioned on the trend $$\hat{S}$$. [2] Diffusion models learn complex data distributions by inverting a tractable noising process through iterative denoising, and have proven effective at capturing multimodality and heavy-tailed structure that is often attenuated by purely regression-based sequence models. [2,8] Conditioning the diffusion model on $$\hat{S}$$ is central: it prevents the denoiser from re-learning the low-frequency scaffold and focuses capacity on residual micro-structure, mirroring the broader principle that diffusion excels as a distributional corrector when a reasonable coarse structure is available. [6,7]
Let $$K$$ denote the number of diffusion steps, with a noise schedule $$\{\beta_k\}_{k=1}^K$$, $$\alpha_k = 1-\beta_k$$, and $$\bar{\alpha}_k=\prod_{i=1}^k \alpha_i$$ . The forward corruption process is:
where $$\mu_\theta$$ is implemented by a Transformer denoiser that consumes (i) the noised residual $$r_k$$, (ii) a timestep embedding for $$k$$, and (iii) conditioning features derived from $$\hat{S}$$. This denoiser architecture is consistent with the growing use of attention-based denoisers for long-context time-series diffusion, while our key methodological emphasis is the trend-conditioned residual factorization as the object of diffusion learning. [2,7]
We train the denoiser using the standard DDPM $$\epsilon$$-prediction objective:
$$\mathcal{L}_{\text{cont}}(\theta)
=
\mathbb{E}_{k,r_0,\epsilon}
\left[
\left \|
\epsilon - \epsilon_{\theta}(r_k,k,\hat{S})
\right \|_2^2
\right]$$
Because diffusion optimization can exhibit timestep imbalance (i.e., some timesteps dominate gradients), we optionally apply an SNR-based reweighting consistent with Min-SNR training:
where $$\mathrm{SNR}_k=\bar{\alpha}_k/(1-\bar{\alpha}_k)$$ and $$\gamma>0$$ is a cap parameter. [5]
After sampling $$\hat{R}$$ by reverse diffusion, we reconstruct the continuous output as
$$\hat{X} = \hat{S} + \hat{R}$$ .
Overall, the DDPM component serves as a distributional corrector on top of a temporally coherent backbone, which is particularly suited to ICS where low-frequency dynamics are strong and persistent but fine-scale variability (including bursts and regime-conditioned noise) remains important for realism. Relative to prior ICS diffusion efforts that primarily focus on continuous augmentation, our formulation elevates trend-conditioned residual diffusion as a modular mechanism for disentangling temporal structure from distributional refinement. [10,11]
Masked diffusion for discrete ICS variables
Discrete ICS variables must remain categorical, making Gaussian diffusion inappropriate for supervisory states and mode-like channels. While one can attempt continuous relaxations or post-hoc discretization, such strategies risk producing semantically invalid intermediate states (e.g., “in-between” modes) and can distort the discrete marginal distribution. Discrete-state diffusion provides a principled alternative by defining a valid corruption process directly on categorical variables. [3,4] In the ICS setting, this is not a secondary detail: supervisory tags often encode control logic boundaries (modes, alarms, interlocks) that must remain within a finite vocabulary to preserve semantic correctness. [12]
We therefore adopt masked (absorbing) diffusion for discrete channels, where corruption replaces tokens with a special $$\texttt{[MASK]}$$ symbol according to a schedule. [4] For each variable $$j$$, define a masking schedule $${m_k}_{k=1}^K$$ (with $$m_k\in[0,1]$$) increasing in $$k$$. The forward corruption process is
$$q(y^{(j)}_k \mid y^{(j)}_0)=
\begin{cases}
y^{(j)}, & \text{with probability } 1-m_k,\\
\texttt{[MASK]}, & \text{with probability } m_k,
\end{cases}$$
applied independently across $$j$$ and $$t$$. Let $$\mathcal{M}$$ denote the set of masked positions at step $$k$$. The denoiser $$h_{\psi}$$ predicts a categorical distribution over $$\mathcal{V}_j$$ for each masked token, conditioned on (i) the corrupted discrete sequence, (ii) the diffusion step $$k$$, and (iii) continuous context. Concretely, we condition on $$\hat{S}$$ and $$\hat{X}$$to couple supervisory reconstruction to the underlying continuous dynamics:
This conditioning choice is motivated by the fact that many discrete ICS states are not standalone, they are functions of regimes, thresholds, and procedural phases that manifest in continuous channels. [12]
Where $$\mathrm{CE}(\cdot,\cdot)$$is cross-entropy. At sampling time, we initialize all discrete tokens as $$\texttt{[MASK]}$$and iteratively unmask them using the learned conditionals, ensuring that every output token lies in its legal vocabulary by construction. This discrete branch is a key differentiator of our pipeline: unlike typical continuous-only diffusion augmentation in ICS, we integrate masked diffusion as a first-class mechanism for supervisory-variable legality within the same end-to-end synthesis workflow. [4,10]
Type-aware decomposition as factorization and routing layer
Even with a trend-conditioned residual DDPM and a discrete masked-diffusion branch, a single uniform modeling treatment can remain suboptimal because ICS variables are generated by qualitatively different mechanisms. For example, program-driven setpoints exhibit step-and-dwell dynamics; controller outputs follow control laws conditioned on process feedback; actuator positions may show saturation and dwell; and some “derived tags” are deterministic functions of other channels. Treating all channels as if they were exchangeable stochastic processes can misallocate model capacity and induce systematic error concentration on a small subset of mechanistically distinct variables. [12]
We therefore introduce a type-aware decomposition that formalizes this heterogeneity as a routing and constraint layer. Let $$\tau(i)\in{1,\dots,6}$$ assign each variable (i) to a type class. The type assignment can be initialized from domain semantics (tag metadata, value domains, and engineering meaning), and subsequently refined via an error-attribution workflow described in the Benchmark section. Importantly, this refinement does not change the core diffusion backbone; it changes which mechanism is responsible for which variable, thereby aligning inductive bias with variable-generating mechanism while preserving overall coherence.
We use the following taxonomy:
- Type 1 (program-driven / setpoint-like): externally commanded, step-and-dwell variables. These variables can be treated as exogenous drivers (conditioning signals) or routed to specialized change-point / dwell-time models, rather than being forced into a smooth denoiser that may over-regularize step structure.
- Type 2 (controller outputs): continuous variables tightly coupled to feedback loops; these benefit from conditional modeling where the conditioning includes relevant process variables and commanded setpoints.
- Type 3 (actuator states/positions): often exhibit saturation, dwell, and rate limits; these may require stateful dynamics beyond generic residual diffusion, motivating either specialized conditional modules or additional inductive constraints.
- Type 4 (process variables): inertia-dominated continuous dynamics; these are the primary beneficiaries of the Transformer trend + residual DDPM pipeline.
- Type 5 (derived/deterministic variables): algebraic or rule-based functions of other variables; we enforce deterministic reconstruction $$\hat{x}^{(i)} = g_i(\hat{X},\hat{Y})$$ rather than learning a stochastic generator, improving logical consistency and sample efficiency.
- Type 6 (auxiliary/low-impact variables): weakly coupled or sparse signals; we allow simplified modeling (e.g., calibrated marginals or lightweight temporal models) to avoid allocating diffusion capacity where it is not warranted.
Type-aware decomposition improves synthesis quality through three mechanisms. First, it improves capacity allocation by preventing a small set of mechanistically atypical variables from dominating gradients and distorting the learned distribution for the majority class (typically Type 4). Second, it enables constraint enforcement by deterministically reconstructing Type 5 variables, preventing logically inconsistent samples that purely learned generators can produce. Third, it improves mechanism alignment by attaching inductive biases consistent with step/dwell or saturation behaviors where generic denoisers may implicitly favor smoothness.
From a novelty standpoint, this layer is not merely an engineering “patch”; it is an explicit methodological statement that ICS synthesis benefits from typed factorization—a principle that has analogues in mixed-type generative modeling more broadly, but that remains underexplored in diffusion-based ICS telemetry synthesis. [9,10,12]
Joint optimization and end-to-end sampling
We train the model in a staged manner consistent with the above factorization, which improves optimization stability and encourages each component to specialize in its intended role. Specifically: (i) we train the trend Transformer $$f_{\phi}$$ to obtain $$\hat{S}$$; (ii) we compute residual targets $$R=X-\hat{S}$$ for the continuous variables routed to residual diffusion; (iii) we train the residual DDPM $$p_{\theta}(R\mid \hat{S})$$ and masked diffusion model $$p_{\psi}(Y\mid \text{masked}(Y), \hat{S}, \hat{X})$$; and (iv) we apply type-aware routing and deterministic reconstruction during sampling. This staged strategy is aligned with the design goal of separating temporal scaffolding from distributional refinement, and it mirrors the broader intuition in time-series diffusion that decoupling coarse structure and stochastic detail can mitigate “structure vs. realism” conflicts. [6,7]
with $$\lambda\in[0,1]$$controlling the balance between continuous and discrete learning. Type-aware routing determines which channels contribute to which loss and which are excluded in favor of deterministic reconstruction. In practice, this routing acts as a principled guardrail against negative transfer across variable mechanisms: channels that are best handled deterministically (Type 5) or by specialized drivers (Type 1/3, depending on configuration) are prevented from forcing the diffusion models into statistically incoherent compromises.
At inference time, generation follows the same structured order: (i) trend $$\hat{S}$$via the Transformer, (ii) residual $$\hat{R}$$ via DDPM, (iii) discrete $$\hat{Y}$$ via masked diffusion, and (iv) type-aware assembly with deterministic reconstruction for routed variables. This pipeline produces $$(\hat{X},\hat{Y})$$ that are temporally coherent by construction (through $$\hat{S}$$), distributionally expressive (through $$\hat{R}$$ denoising), and discretely valid (through masked diffusion), while explicitly accounting for heterogeneous variable-generating mechanisms through type-aware routing. In combination, these choices constitute our central methodological contribution: a unified Transformer + mixed diffusion generator for ICS telemetry, augmented by typed factorization to align model capacity with domain mechanism. [2,4,10,12]
References for Methodology Part
[1] Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., Kaiser, Ł., & Polosukhin, I. Attention Is All You Need. Advances in Neural Information Processing Systems (NeurIPS), 30, 2017.
[3] Austin, J., Johnson, D. D., Ho, J., Tarlow, D., & van den Berg, R. Structured Denoising Diffusion Models in Discrete State-Spaces. Advances in Neural Information Processing Systems (NeurIPS), 34, 2021.
[4] Shi, J., Han, K., Wang, Z., Doucet, A., & Titsias, M. K. Simplified and Generalized Masked Diffusion for Discrete Data. arXiv preprint arXiv:2406.04329, 2024.
🔗 https://arxiv.org/abs/2406.04329
[5] Hang, T., Gu, S., Li, C., Bao, J., Chen, D., Hu, H., Geng, X., & Guo, B. Efficient Diffusion Training via Min-SNR Weighting Strategy. IEEE/CVF International Conference on Computer Vision (ICCV), pp. 7407–7417, 2023.
[6] Kollovieh, M., Ansari, A. F., Bohlke-Schneider, M., Fatir Ansari, A., & Salinas, D. Predict, Refine, Synthesize: Self-Guiding Diffusion Models for Probabilistic Time Series Forecasting. Advances in Neural Information Processing Systems (NeurIPS), 36, 2023.
[7] Sikder, M. F., Ramachandranpillai, R., & Heintz, F. TransFusion: Generating Long, High Fidelity Time Series using Diffusion Models with Transformers. arXiv preprint arXiv:2307.12667, 2023.
🔗 https://arxiv.org/abs/2307.12667
[8] Song, Y., Sohl-Dickstein, J., Kingma, D. P., Kumar, A., Ermon, S., & Poole, B. Score-Based Generative Modeling through Stochastic Differential Equations. International Conference on Learning Representations (ICLR), 2021.
[9] Shi, J., Xu, M., Hua, H., Zhang, H., Ermon, S., & Leskovec, J. TabDiff: a Mixed-type Diffusion Model for Tabular Data Generation. International Conference on Learning Representations (ICLR), 2025.
Note: First author is Juntong Shi (not Zhang); title uses "Mixed-type" (v3+ of arXiv preprint)
[10] Yuan, Y., Sha, Y., Zhao, W., & Zhang, K. CTU-DDPM: Generating Industrial Control System Time-Series Data with a CNN-Transformer Hybrid Diffusion Model. Proceedings of the 2025 International Symposium on Artificial Intelligence and Computational Social Sciences (ACM AICSS '25), pp. 123–132, 2025. DOI:10.1145/3776759.3776845.
🔗 https://dl.acm.org/doi/10.1145/3776759.3776845
Note: Correct title does not contain "Conditional Transformer U-net"; authors include Yusong Yuan and Yun Sha
[11] Sha, Y., Yuan, Y., Wu, Y., & Zhao, H. DDPM Fusing Mamba and Adaptive Attention: An Augmentation Method for Industrial Control Systems Anomaly Data. SSRN Electronic Journal, posted January 10, 2026. SSRN ID: 6055903. DOI:10.2139/ssrn.6055903.
Note: This is a preprint (not peer-reviewed); SSRN entry exists with Jan 10, 2026 posting date
[12] Stouffer, K., Lightman, S., Pillitteri, L., Abrams, M., Hahn, A., & Smith, J. Guide to Operational Technology (OT) Security (NIST Special Publication 800-82 Rev. 3). National Institute of Standards and Technology, September 2023.
🔗 https://csrc.nist.gov/pubs/sp/800/82/r3/final
Benchmark
Future works
Conclusion
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Mingzhe Yang