AI-Driven Anomaly Detection Frameworks in Critical Infrastructure Networks for Proactive Threat Mitigation

Oma Nlerum *

School of Information Technology, Illinois State University, IL 61761, USA.

Fisayo Fakinlede

Information Systems and Business Analytics, College of Business, Iowa State University, Ames, Iowa, United States.

Bashiru Ibrahim

Lally School of Management, Rensselaer Polytechnic Institute, Troy, New York, USA.

*Author to whom correspondence should be addressed.


Abstract

Background: Critical infrastructure networks are increasingly interconnected cyber-physical systems, making them more vulnerable to sophisticated cyberattacks that traditional detection methods struggle to address. AI-driven approaches using machine learning and deep learning enable real-time anomaly detection, adaptive response, and predictive resilience, improving security and reliability in these systems.

Aim: This study aimed to systematically map and synthesize the available AI-based anomaly detection frameworks implemented in critical infrastructure (CI) networks, with an emphasis on model typologies, data sources and system layers, evaluation practices, and operational trade-offs that affect proactive threat mitigation.

Method: A systematic literature review was carried out in accordance with the PRISMA framework. Peer-reviewed research published between 2020 and 2026 was identified across major academic databases. Eligible articles covered AI/ML-based anomaly detection in CI settings such as SCADA, ICS, cyber-physical systems, and IT/OT-integrated networks. The model types, threats addressed, data used, evaluation methods, and implementation constraints were analyzed using a qualitative comparative synthesis approach.

Findings: The review indicates that supervised statistical machine learning is the most prevalent approach, and that it focuses mainly on network-based cyber intrusions, including denial-of-service and malware attacks. Deep and hybrid schemes show greater ability to model complex and distributed settings, but face issues with latency, explainability, and deployability in safety-critical systems. Data sources are strongly biased towards IT-layer telemetry and logs, while integration of SCADA and process-level information is relatively limited. Evaluation practices rely on benchmark datasets and simulations, with little real-world deployment evidence. Important trade-offs include accuracy versus false alarm rate, latency versus model complexity, and predictive performance versus explainability.

Conclusion and Recommendations: AI-based anomaly detection systems show good technical promise, although few studies have validated them in high-consequence CI settings. Future work must focus on layered deployment, edge-aware architectures, human-in-the-loop monitoring, CI-specific evaluation benchmarks, and continual model realignment to provide operational resilience and safety assurance.

Keywords: AI-driven anomaly detection; critical infrastructure security; cyber-physical systems; machine learning; deep learning; proactive threat mitigation; evaluation trade-offs


How to Cite

Nlerum, Oma, Fisayo Fakinlede, and Bashiru Ibrahim. 2026. “AI-Driven Anomaly Detection Frameworks in Critical Infrastructure Networks for Proactive Threat Mitigation”. Journal of Engineering Research and Reports 28 (6):331-48. https://doi.org/10.9734/jerr/2026/v28i61931.
