Cross-Modal Geometric Regularization for Multivariate Cybersecurity Anomaly Detection
摘要
Critical infrastructure faces escalating cyberattacks that can cascade from digital compromise to physical disruption, making robust anomaly detection in cyber-physical systems essential. Existing multivariate time-series detectors focus on temporal sensor patterns but rarely incorporate structured priors that could regularize learning and improve generalization. We introduce CRAFT, a cross-modal time–text framework that adapts CALF [13] to cybersecurity by combining temporal anomaly detection with cross-modal regularization. CRAFT couples a temporal sensor branch with a textual embedding branch, both built on pre-trained GPT-2 weights, fuses their reconstruction errors through multi-view scoring, and applies a percentile-based adaptive thresholding scheme to obtain anomaly labels. Experiments on SMD, SWaT, and WADI yield F1-scores of 0.9480, 0.8843, and 0.7634 respectively, outperforming strong baselines. To understand why cross–modal learning helps, we disentangle token–level semantics from embedding geometry across different embedding spaces. We find that embedding geometry, rather than semantics, drives most gains: synthetic embeddings that match only cosine statistics, effective dimensionality, and semantic clustering of a pre–trained space—and even high-dimensional random embeddings—match or surpass the performance of pre-trained semantic embeddings. Effective detection coincides with uniform, high–entropy attention over the vocabulary, with the text branch acting as a global geometric regularizer for temporal representations. Finally, we release Owlyshield, a large-scale ransomware behavior dataset derived from 337,100 samples and adjusted to realistic 5% anomaly rates as a challenging benchmark for cybersecurity anomaly detection.