Kejing Zhao, Zhiyong Zhang, Zhi Liang, et al., “Bi-NLSTM: a multi-stage attack detection approach for industrial internet,” Chinese Journal of Electronics, vol. x, no. x, pp. 1–12, xxxx. DOI: 10.23919/cje.2025.00.254

Bi-NLSTM: A Multi-Stage Attack Detection Approach for Industrial Internet

  • Industrial internet faces sophisticated multi-stage attacks that existing machine learning approaches handle poorly: they fail to capture inter-stage dependencies and detect only isolated anomalies without recovering attack associations. This paper therefore proposes a Bidirectional Nested Long Short-Term Memory model (Bi-NLSTM) incorporating causal gating control and a sequential violation loss penalty. The model employs a novel unit update mechanism to enhance long-range time series processing while dynamically filtering phase dependencies that violate causality, thereby significantly improving detection performance for complex multi-stage attacks. First, the approach enforces causal constraints between attack stages through causal gating and sequential violation penalties, eliminating the acquisition and processing of invalid reverse information. Second, the Bi-NLSTM with constrained embedded update cell units is used as the detection model to improve operational efficiency and to analyze detection and delay for complex multi-stage attacks. Finally, the dependency correlations among the stages are analyzed to obtain milestone characteristics. Furthermore, adversarial data is constructed to verify model robustness against out-of-order attack stages. Evaluations on the SWaT and CTU-13 datasets demonstrate that the proposed constrained model achieves an F1-Score of up to 99%, reduces detection time by 1221 seconds compared to the baseline Bi-NLSTM (representing a 2x speed increase and significant latency reduction), and exhibits strong robustness: its F1 rate decreases by only 2% during out-of-order attack robustness testing. These results confirm the model's robustness, generalizability, and suitability for anomaly detection and analysis in real-world industrial production environments.