[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"doc-detail-84043-en":3,"doc-seo-84043-105":29,"detail-sidebar-cat-0-en-105":91},{"code":4,"msg":5,"data":6},0,"success",{"doc_id":7,"user_id":8,"nickname":9,"user_avatar":10,"doc_module":4,"category_id":11,"category_name":12,"doc_title":13,"doc_description":14,"doc_content":15,"file_id":16,"file_url":17,"file_type":18,"file_size":19,"view_count":20,"is_deleted":4,"is_public":20,"is_downloadable":20,"audit_status":20,"page_count":21,"language":22,"language_code":23,"site_id":24,"html_lang":23,"table_of_contents":25,"faqs":26,"seo_title":13,"seo_description":14,"update_tm":27,"read_time":28},84043,13056703019404,"Miles","https://ap-avatar.wpscdn.com/davatar_29158cc5080c5b710cf443261637dec0",8,"Research & Report","ProvICS: A Provenance-based Intrusion Detection for Industrial Control Systems","Industrial Control Systems (ICS) are now targeted by multi-stage cyberattacks that span software, network, and physical process layers simultaneously. While provenance-based intrusion detection works well in IT, its adoption in industrial cyber-physical systems (CPS) is limited by the lack of datasets linking host causal behavior, industrial network semantics, and physical state. ProvICS addresses this gap with an open-source HIL CPS testbed and a multimodal provenance dataset synchronously capturing provenance graphs, decoded Modbus records, and physical telemetry across 48-hour benign and 22-hour attack phases.","ProvICS: A Provenance-based Intrusion Detection for Industrial Control Systems  \nMd Neyamul Islam Shibbir  \nDepartment of Computer Science The University of Texas at El Paso[mshibbir@miners.utep.edu](mshibbir@miners.utep.edu)  \nDeepak K Tosh  \nDepartment of Computer Science The University of Texas at El Paso [dktosh@utep.edu](dktosh@utep.edu)  \narXiv :2607 .05989v 1 [ cs .CR] 7 Jul 2026  \nAbstract—The convergence of Information Technology and Operational Technology has exposed Industrial Control Systems (ICS) to multi-stage cyberattacks that traverse software, network, and physical process layers simultaneously. Although Provenance-based Intrusion Detection Systems (PIDS) are effective in Information Technology (IT) environments, their applicability to Industrial Cyber-Physical Systems (CPS) remains largely unexplored because of the absence of datasets that jointly capture host-level causal behavior, industrial network semantics, and physical process state. To address this gap, we design an open-source, Hardware-in-the-Loop (HIL) CPS testbed that replicates an industrial chemical reactor control architecture across the Purdue model layers. Using this testbed, we propose ProvICS, a multimodal provenance dataset purpose-built for CPS intrusion detection, which synchronously captures four streams: whole-system provenance graphs from the supervisory host and the resource-constrained PLC, decoded Modbus deeppacket inspection records, and physical process telemetry. The collection comprises a 48-hour benign phase and a 22-hour attack phase across four campaigns covering 20 ICS ATT&CK techniques over 32 attack events, ranging from reconnaissance to physical process manipulation. Comparative analysis shows that ProvICS is among the few existing ICS/CPS benchmarks with multi-host kernel-level provenance, real PLC hardware-inthe-loop execution, decoded Modbus traffic, physical processstate measurements, and auxiliary raw PCAP traces in a timesynchronized collection. Baseline detection further confirms that cross-modal fusion can detect all 32 labeled attack events (F1 = 0.913, false-positive rate (FPR) = 1.40%), demonstrating the dataset’s ability to expose complementary attack signals across modalities and addressing a gap not covered by prior benchmarks.  \nIndex Terms—Operational Technology, Provenance-based Intrusion Detection, Multimodal Dataset, Hardware-in-the-Loop Testbed, ICS Security  \nI. INTRODUCTION  \nCritical infrastructures including power grids, industrial manufacturing, water systems, healthcare, and transportation networks have increasingly adopted computational and digital technologies. While these advancements have substantially improved operational efficiency, they simultaneously expand the attack surface of systems whose compromise can carry catastrophic consequences. A successful cyberattack against such infrastructure can trigger significant physical incidents, threaten national security, endanger public safety, and cause  \nThis work is supported by the National Science Foundation, Award \\# 2239609.  \nsevere disruptions to essential services [1] . Modern Industrial Control System (ICS) attacks span host, network, and physical layers, making them impossible to reconstruct from a single viewpoint. Data provenance solves this by tracking kernellevel causal relationships, linking seemingly benign events across the entire control stack to reveal full, cross-layer attack paths that isolated monitoring misses [2] . Intrusion Detection Systems (IDSs) have been extensively studied in IT environments, yet they exhibit fundamental limitations against modern, multi-stage threats [2] . These limitations are further compounded in OT contexts, where conventional IDS solutions are designed predominantly for IT-layer monitoring which can lack the visibility necessary to account for process-based behaviors and physical state dynamics central to Industrial Control System (ICS) security [3], [4] .  \nA fundamental barrier to IDS resear","cbCaiqerNLAztj5u","https://ap.wps.com/l/cbCaiqerNLAztj5u","pdf",364934,1,7,"English","en",105,"# Abstract\n# Introduction\n## Research Gaps and Motivation","[{\"question\":\"为什么传统基于 IT 的入侵检测在工业控制系统（ICS）中效果有限？\",\"answer\":\"ICS 攻击同时覆盖主机、网络与物理层，而传统 IDS 多以 IT 层监测为主，缺少对过程行为与物理状态动态的可见性，导致难以重建跨层攻击路径。\"},{\"question\":\"ProvICS 通过什么方式补足 ICS/CPS 研究中缺少数据集的问题？\",\"answer\":\"ProvICS 使用开源硬件在环（HIL）CPS 测试床，并构建多模态溯源数据集，协同采集监督主机与 PLC 的系统级溯源图、解码的 Modbus 深包检测记录以及物理过程遥测。\"},{\"question\":\"数据集的采集包含哪些阶段与覆盖范围？\",\"answer\":\"采集包括 48 小时良性阶段与 22 小时攻击阶段，覆盖四个活动（campaign），涉及 20 种 ICS ATT\\u0026CK 技术与 32 个攻击事件，从侦察到对物理过程的操控。\"}]",1784192202,18,{"code":4,"msg":30,"data":31},"ok",{"site_id":24,"language":23,"slug":32,"title":13,"keywords":33,"description":14,"schema_data":34,"social_meta":86,"head_meta":88,"extra_data":90,"updated_unix":27},"provics-a-provenance-based-intrusion-detection-for-industrial-control-systems","",{"@graph":35,"@context":85},[36,53,68],{"@type":37,"itemListElement":38},"BreadcrumbList",[39,43,47,50],{"item":40,"name":41,"@type":42,"position":20},"https://docshare.wps.com","Home","ListItem",{"item":44,"name":45,"@type":42,"position":46},"https://docshare.wps.com/document/","Document",2,{"item":48,"name":12,"@type":42,"position":49},"https://docshare.wps.com/document/research-report/",3,{"item":51,"name":13,"@type":42,"position":52},"https://docshare.wps.com/document/provics-a-provenance-based-intrusion-detection-for-industrial-control-systems/84043/",4,{"url":51,"name":13,"@type":54,"author":55,"headline":13,"publisher":57,"fileFormat":60,"inLanguage":23,"description":14,"dateModified":61,"datePublished":62,"encodingFormat":60,"isAccessibleForFree":63,"interactionStatistic":64},"DigitalDocument",{"name":9,"@type":56},"Person",{"url":40,"name":58,"@type":59},"DocShare","Organization","application/pdf","2026-07-17","2026-07-16",true,{"@type":65,"interactionType":66,"userInteractionCount":20},"InteractionCounter",{"@type":67},"ViewAction",{"@type":69,"mainEntity":70},"FAQPage",[71,77,81],{"name":72,"@type":73,"acceptedAnswer":74},"为什么传统基于 IT 的入侵检测在工业控制系统（ICS）中效果有限？","Question",{"text":75,"@type":76},"ICS 攻击同时覆盖主机、网络与物理层，而传统 IDS 多以 IT 层监测为主，缺少对过程行为与物理状态动态的可见性，导致难以重建跨层攻击路径。","Answer",{"name":78,"@type":73,"acceptedAnswer":79},"ProvICS 通过什么方式补足 ICS/CPS 研究中缺少数据集的问题？",{"text":80,"@type":76},"ProvICS 使用开源硬件在环（HIL）CPS 测试床，并构建多模态溯源数据集，协同采集监督主机与 PLC 的系统级溯源图、解码的 Modbus 深包检测记录以及物理过程遥测。",{"name":82,"@type":73,"acceptedAnswer":83},"数据集的采集包含哪些阶段与覆盖范围？",{"text":84,"@type":76},"采集包括 48 小时良性阶段与 22 小时攻击阶段，覆盖四个活动（campaign），涉及 20 种 ICS ATT&CK 技术与 32 个攻击事件，从侦察到对物理过程的操控。","https://schema.org",{"og:url":51,"og:type":87,"og:title":13,"og:site_name":58,"og:description":14},"article",{"robots":89,"canonical":51},"index,follow",{"doc_id":7,"site_id":24},{"code":4,"msg":5,"data":92},[93,97,101,105,110,115,119,122,127,130,134],{"id":20,"doc_module":4,"doc_module_name":45,"category_name":94,"show_sort_weight":95,"slug":96},"Story & Novel",90,"story-novel",{"id":46,"doc_module":4,"doc_module_name":45,"category_name":98,"show_sort_weight":99,"slug":100},"Literature",80,"literature",{"id":52,"doc_module":4,"doc_module_name":45,"category_name":102,"show_sort_weight":103,"slug":104},"Exam",70,"exam",{"id":106,"doc_module":4,"doc_module_name":45,"category_name":107,"show_sort_weight":108,"slug":109},5,"Comic",60,"comic",{"id":111,"doc_module":4,"doc_module_name":45,"category_name":112,"show_sort_weight":113,"slug":114},6,"Technology",50,"technology",{"id":21,"doc_module":4,"doc_module_name":45,"category_name":116,"show_sort_weight":117,"slug":118},"Healthcare",40,"healthcare",{"id":11,"doc_module":4,"doc_module_name":45,"category_name":12,"show_sort_weight":120,"slug":121},30,"research-report",{"id":123,"doc_module":4,"doc_module_name":45,"category_name":124,"show_sort_weight":125,"slug":126},9,"Religion & Spirituality",20,"religion-spirituality",{"id":125,"doc_module":4,"doc_module_name":45,"category_name":128,"show_sort_weight":125,"slug":129},"World Cup","world-cup",{"id":131,"doc_module":4,"doc_module_name":45,"category_name":132,"show_sort_weight":131,"slug":133},10,"Lifestyle","lifestyle",{"id":135,"doc_module":4,"doc_module_name":45,"category_name":136,"show_sort_weight":106,"slug":137},19,"General","general"]